I checked some of the infected hosts for this open port but I did not see it. Like I said, I'm way more interested in which hosts are attacking me. Here is the dir output of all the hosts that have attacked me since Aug 7th. You'll notice a lot coming from the same networks... Which leads me to believe this is not a bunch of skiddies scanning but more of an automated worm type scan.

On Sat, 9 Aug 2003 08:47:23 +0100 "Roberts, Chris" <c.roberts1at_private> wrote:
>We've been seeing increased activity from Randex.D worm infections, which
>generated similar types of scan patterns:
>
>http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html
>
>-----Original Message-----
>From: wirepair [mailto:wirepairat_private]
>Sent: 08 August 2003 21:10
>To: incidentsat_private
>Subject: port 445 probes continued
>
>
>Does anyone know precisely what this beast is that keeps rattling my doors?
>Upon further scans I've noticed a pattern increasing
>from my class B.
>Here is the data that I'm getting from a majority of hosts:
>
> 00 00 00 85 ff 53 4d 42 72 00 00 00 00 18 |.......SMBr.....|
>00000070 53 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |S...............|
>00000080 ff fe 00 00 00 00 00 62 00 02 50 43 20 4e 45 54 |.......b..PC NET|
>00000090 57 4f 52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 |WORK PROGRAM 1.0|
>000000a0 00 02 4c 41 4e 4d 41 4e 31 2e 30 00 02 57 69 6e |..LANMAN1.0..Win|
>000000b0 64 6f 77 73 20 66 6f 72 20 57 6f 72 6b 67 72 6f |dows for Workgro|
>000000c0 75 70 73 20 33 2e 31 61 00 02 4c 4d 31 2e 32 58 |ups 3.1a..LM1.2X|
>000000d0 30 30 32 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 02 |002..LANMAN2.1..|
>000000e0 4e 54 20 4c 4d 20 30 2e 31 32 00 |NT LM 0.12.|
>
>(this was taken from a custom program) I've received about 110 probes in the
>past 24 hours, all with roughly the same first
>packet.
>-wire
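
As an added example (not part of the original thread), this Python sketch decodes the probe bytes quoted in the message above as an SMB1 negotiate request and lists the dialects it offers. `PROBE_HEX` and `parse_negotiate` are names chosen for this example; the bytes are copied from the dump, which begins at the 4-byte session header.

```python
import struct

# Bytes from the hex dump quoted in the message above (offset column dropped).
PROBE_HEX = """
00 00 00 85 ff 53 4d 42 72 00 00 00 00 18
53 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff fe 00 00 00 00 00 62 00 02 50 43 20 4e 45 54
57 4f 52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30
00 02 4c 41 4e 4d 41 4e 31 2e 30 00 02 57 69 6e
64 6f 77 73 20 66 6f 72 20 57 6f 72 6b 67 72 6f
75 70 73 20 33 2e 31 61 00 02 4c 4d 31 2e 32 58
30 30 32 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 02
4e 54 20 4c 4d 20 30 2e 31 32 00
"""

def parse_negotiate(packet: bytes) -> dict:
    """Decode an SMB1 negotiate request carried over TCP port 445."""
    if len(packet) < 4 + 32 + 3:
        raise ValueError("too short for session header + SMB header")
    # Session header: one type byte (0 = session message) + 24-bit length.
    length = int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + length]
    if packet[0] != 0 or len(smb) != length:
        raise ValueError("not a complete session message")
    if smb[:4] != b"\xffSMB":
        raise ValueError("missing SMB1 magic")
    command, _status, flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    if command != 0x72:  # 0x72 = SMB_COM_NEGOTIATE
        raise ValueError(f"unexpected SMB command 0x{command:02x}")
    word_count = smb[32]
    data_off = 33 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", smb, data_off)
    data = smb[data_off + 2:data_off + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("data block shorter than its byte count")
    dialects, pos = [], 0
    while pos < len(data):
        # Each dialect is buffer-format byte 0x02 + NUL-terminated ASCII name.
        if data[pos] != 0x02:
            raise ValueError("expected dialect marker 0x02")
        end = data.index(b"\x00", pos + 1)
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return {"length": length, "command": command, "flags": flags,
            "flags2": flags2, "dialects": dialects}

if __name__ == "__main__":
    print(parse_negotiate(bytes.fromhex("".join(PROBE_HEX.split()))))
```

The header flags together with the ordered dialect list give a compact fingerprint for grouping probes that share the same first packet.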
This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 01:59:59 PDT