-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What's with the sudden (for me anyway) explosion of activity on port 3014/tcp? (Broker Service? what's that? Google wasn't much help)...

http://isc.incidents.org/port_details.html?port=3014 shows almost no activity for the past month or so. I've gone from nothing (or near nothing) on this port to the flurry of activity shown in the report below. This is a residential DSL circuit.

My first packet was received on Nov 7 03:41:14 (ntp sync'd EST) from 24.51.45.230.

I'm dropping inbound SYNs so unfortunately I don't have any packet captures. A quick spot check shows the IP addresses (if not spoofed) to be all over the place (.edu's, dial-ups, DSL, cable). TTLs in the ipchains reject log are around 110-120. I haven't had a chance to fingerprint the sources or validate the TTLs yet.

Is this just me or does anyone else have correlating data? If it _is_ just me, at least it's something a little more interesting than the P2P, sql, ssh/ssl and proxy scans I've been logging for the past year or so...
;)

Brian Coyle, GCIA

- ---------- Forwarded Message ----------
To: brian
Subject: SECURITY -- Top Attackers Summary Using /var/log/messages

Report from Nov 3 04:03:31 thru Nov 7 23:58:00

Attacker         DST Port   Port Count  IP TOTAL
129.110.39.39    3014/tcp         1493      1493
62.90.241.54     3014/tcp          965       965
66.233.122.11    1214/tcp          848       848
207.172.137.31   3014/tcp          369       369
64.219.128.113   3014/tcp          366       366
24.168.10.201    3014/tcp          323       323
217.81.205.251   3014/tcp          285       285
198.29.3.42      3014/tcp          278       278
139.67.239.60    3014/tcp          240       240
200.77.60.241    1214/tcp          233       233
130.111.254.244  3014/tcp          216       216
63.110.36.63     3014/tcp          204       204
24.51.45.230     3014/tcp          201       201
217.88.231.73    3014/tcp          186       186
217.125.102.243  3014/tcp          180       180
213.173.219.190  3014/tcp          176       176
67.118.45.21     1214/tcp          171       171
217.229.149.134  3014/tcp          168       168
129.118.190.184  3014/tcp          164       164
211.121.24.125   3014/tcp          143       143
147.126.50.108   3014/tcp          138       138
141.233.45.207   3014/tcp          129       129
211.121.18.252   3014/tcp          120       120
137.141.245.224  3014/tcp          114       114
66.73.6.168      3014/tcp          102       102
62.211.222.240   3014/tcp           94        94
148.240.72.244   3014/tcp           84        84
66.26.121.188    3014/tcp           80        80
198.107.59.2     3014/tcp           75        75
12.229.190.138   3014/tcp           75        75
213.84.215.175   3014/tcp           69        69
217.235.74.92    3014/tcp           60        60
148.240.64.14    3014/tcp           57        57
192.117.97.116   3014/tcp           53        53
217.136.139.166  3014/tcp           49        49
64.45.232.196    3014/tcp           48        48
212.182.112.227  3014/tcp           37        37
204.32.18.6      3014/tcp           36        36
217.35.54.196    3014/tcp           32        32
212.0.157.120    3014/tcp           32        32
149.149.201.92   3014/tcp           30        30
172.183.26.221   3014/tcp           28        28
67.32.85.26      3014/tcp           27        27
141.225.78.83    3014/tcp           27        27
4.65.44.125      3014/tcp           24        24
172.146.57.56    1214/tcp           24        24
218.186.182.57   3014/tcp           22        22
217.226.31.238   3014/tcp           18        18
172.181.85.122   3014/tcp           18        18
163.6.106.70     3014/tcp           18        18
172.179.68.55    3014/tcp           17        17
217.136.75.54    3014/tcp           16        16
172.147.169.74   3014/tcp           15        15
80.136.121.204   3014/tcp           12        12
66.125.93.183    3014/tcp           12        12
172.168.250.35   3014/tcp            9        12
172.168.250.35   80/tcp              3        12
137.132.222.181  3014/tcp           12        12
64.91.166.114    3014/tcp           11        11
217.136.73.234   3014/tcp           11        11
172.186.93.158   3014/tcp           10        10
80.132.91.153    3014/tcp            9         9
172.176.76.130   3014/tcp            9         9
150.208.49.251   3014/tcp            9         9
24.67.234.200    3014/tcp            8         8
24.49.86.49      3014/tcp            8         8
217.125.117.62   3014/tcp            8         8
200.199.226.140  3014/tcp            8         8
67.112.21.26     3014/tcp            6         6
4.19.238.120     3014/tcp            6         6
203.216.50.148   3014/tcp            6         6
200.45.202.203   1214/tcp            6         6
144.96.16.93     3014/tcp            6         6
141.155.18.15    8080/tcp            1         6
141.155.18.15    8000/tcp            1         6
141.155.18.15    3128/tcp            1         6
141.155.18.15    1080/tcp            1         6
141.155.18.15    80/tcp              1         6
141.155.18.15    25/tcp              1         6
134.126.219.146  6346/tcp            6         6
80.192.225.228   3014/tcp            5         5
64.91.162.61     3014/tcp            4         4
63.101.133.1     3014/tcp            4         4
200.37.74.60     3014/tcp            4         4
81.98.113.242    1433/tcp            3         3
81.100.227.8     27374/tcp           3         3
67.112.163.90    1433/tcp            3         3
66.134.108.252   3014/tcp            3         3
65.82.175.176    3014/tcp            3         3
65.215.15.211    1433/tcp            3         3
62.168.26.2      1433/tcp            3         3
61.73.44.136     25/tcp              3         3
61.73.108.172    25/tcp              3         3
61.100.19.253    25/tcp              3         3
4.60.157.49      6346/tcp            3         3
38.221.19.33     1433/tcp            3         3
24.90.176.48     1433/tcp            3         3
24.162.43.86     445/tcp             3         3
218.145.173.242  1433/tcp            3         3
217.226.211.248  3014/tcp            3         3
217.136.81.249   3014/tcp            3         3
211.49.193.126   1433/tcp            3         3
211.49.174.221   25/tcp              3         3
211.237.116.40   1433/tcp            3         3
211.226.107.87   3014/tcp            3         3
211.141.65.15    1433/tcp            3         3
210.243.199.195  1433/tcp            3         3
210.222.9.61     1433/tcp            3         3
210.205.200.75   25/tcp              3         3
210.113.65.9     1433/tcp            3         3
203.140.201.146  80/tcp              3         3
172.181.212.128  3014/tcp            3         3
172.180.114.191  3014/tcp            3         3
172.175.121.20   3014/tcp            3         3
172.161.35.65    3014/tcp            3         3
172.146.209.231  3014/tcp            3         3
172.132.238.159  3014/tcp            3         3
151.36.176.190   1433/tcp            3         3
147.9.164.167    3014/tcp            3         3
142.176.143.4    1433/tcp            3         3
141.85.0.80      3014/tcp            3         3
139.57.218.107   3014/tcp            3         3
134.48.178.27    3014/tcp            3         3
[snipped]

- --
If you're not living on the edge, you're taking up too much space...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Brian Coyle, GCIA http://www.giac.org/GCIA.php

iD8DBQE9y1e4ER3MuHUncBsRAqOPAJwKETt7zWJ3lwrjCZ+lkw/3JvsEwgCfROth
yyqWxh6pHj58oQoVW2ExCWI=
=NvNU
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
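The "Top Attackers" table in the forwarded report is a per-source, per-destination-port count over ipchains reject lines in /var/log/messages, and the post's follow-up question is about the TTLs of the sources hitting 3014/tcp. The following is an added example, not code from the post or from the ARIS report, that rebuilds such a table from ipchains "Packet log:" lines and pulls out the per-source TTL range for one port with a rough initial-TTL hint. The log line layout is assumed to match the ipchains kernel format (PROTO=, src:port dst:port, ... T=ttl); the sample lines are constructed and use RFC 5737 documentation addresses, not the addresses in the report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed ipchains "Packet log:" layout, as written to
# /var/log/messages by the kernel). 192.0.2.10 plays the DSL host; sources are
# documentation addresses, not the ones in the post.
SAMPLE_LOG = """\
Nov  7 03:41:14 gw kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:2345 192.0.2.10:3014 L=48 S=0x00 I=51234 F=0x4000 T=117 SYN (#3)
Nov  7 03:41:17 gw kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:2345 192.0.2.10:3014 L=48 S=0x00 I=51235 F=0x4000 T=117 SYN (#3)
Nov  7 03:41:23 gw kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:2345 192.0.2.10:3014 L=48 S=0x00 I=51236 F=0x4000 T=117 SYN (#3)
Nov  7 04:12:01 gw kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.40:4100 192.0.2.10:3014 L=48 S=0x00 I=2201 F=0x4000 T=112 SYN (#3)
Nov  7 04:12:04 gw kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.40:4101 192.0.2.10:3014 L=48 S=0x00 I=2202 F=0x4000 T=112 SYN (#3)
Nov  7 05:00:09 gw kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.99:1214 192.0.2.10:1214 L=48 S=0x00 I=900 F=0x4000 T=108 SYN (#3)
Nov  7 05:30:44 gw kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.9:3333 192.0.2.10:80 L=48 S=0x00 I=77 F=0x4000 T=120 SYN (#3)
Nov  7 05:30:46 gw kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.9:3334 192.0.2.10:3014 L=48 S=0x00 I=78 F=0x4000 T=120 SYN (#3)
Nov  7 05:30:50 gw kernel: Packet log: input REJECT eth0 PROTO=17 203.0.113.5:53 192.0.2.10:1024 L=60 S=0x00 I=5 F=0x0000 T=60 (#7)
Nov  7 05:31:00 gw kernel: some unrelated kernel message
"""

# Fields in the order ipchains prints them; only the ones the report needs are named.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_line(line):
    """Return the fields of one ipchains log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": f"{m.group('dport')}/{PROTO_NAMES.get(proto, proto)}",
        "ttl": int(m.group("ttl")),
        "target": m.group("target"),
    }


def top_attackers(log_text):
    """Rows of (attacker, dst port, port count, ip total), heaviest source first."""
    per_port = Counter()
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_port[(rec["src"], rec["dport"])] += 1
        per_ip[rec["src"]] += 1
    rows = [(src, dport, n, per_ip[src]) for (src, dport), n in per_port.items()]
    # Sort by the source's total so a source's rows stay together, as in the report.
    rows.sort(key=lambda r: (-r[3], r[0], -r[2]))
    return rows


def guess_initial_ttl(ttl):
    """Smallest common initial TTL (64, 128, 255) at or above the observed one.
    A rough hint only: the TTL is as easy to forge as the source address."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def ttl_profile(log_text, dport):
    """Per-source (min TTL, max TTL, likely initial TTL) for one destination port."""
    ttls = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] == dport:
            ttls[rec["src"]].append(rec["ttl"])
    return {src: (min(v), max(v), guess_initial_ttl(max(v))) for src, v in ttls.items()}


def format_report(rows):
    """Render rows in the same column layout as the forwarded summary."""
    out = [f"{'Attacker':<16} {'DST Port':<10} {'Port Count':>10}  {'IP TOTAL':>8}"]
    for src, dport, n, total in rows:
        out.append(f"{src:<16} {dport:<10} {n:>10}  {total:>8}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(top_attackers(SAMPLE_LOG)))
    print(ttl_profile(SAMPLE_LOG, "3014/tcp"))
```

Pointing `top_attackers` at the real file contents instead of `SAMPLE_LOG` gives the same table the report shows; `ttl_profile` answers the post's open question about whether the TTLs cluster (in the sample, every 3014/tcp source sits just under 128, which is the usual hint that a spread of TTLs still came from one class of initial TTL, subject to the spoofing caveat).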
This archive was generated by hypermail 2b30 : Fri Nov 08 2002 - 20:09:25 PST