Over the past couple of days I've noticed an increase in scans targeting TCP port 1. While looking at my logs, I noticed an odd pattern to the source IPs of these scans. If you look at the listing below, it looks like the scans started coming from 24.62, then 24.61, 24.60, 24.59, and 24.58 IP addresses. 24.60 through 24.62 belong to attbi (now Comcast); 24.58 through 24.59 belong to Time Warner Cable (RoadRunner), Syracuse NY. Has anyone else seen these? Any ideas what they could be? I'm guessing from the pattern that either it's a backdoor trojan that's being exploited to trigger scans, and the controlling hacker is hitting IP ranges sequentially in decreasing order, or the source IPs are spoofed.

Date,Time(EST),Source:Port,Dest:Port,TTL
8/20/2003,22:29:26,24.62.162.192:1667,24.62.xxx.xxx:1,126
8/20/2003,23:32:19,24.62.162.192:1956,24.62.xxx.xxx:1,126
8/20/2003,23:46:14,24.62.135.7:4489,24.62.xxx.xxx:1,117
8/20/2003,23:46:17,24.62.135.7:4489,24.62.xxx.xxx:1,118
8/20/2003,23:50:28,24.62.135.22:4546,24.62.xxx.xxx:1,117
8/20/2003,23:50:31,24.62.135.22:4546,24.62.xxx.xxx:1,118
8/21/2003,00:43:26,24.62.50.205:4747,24.62.xxx.xxx:1,117
8/21/2003,00:43:29,24.62.50.205:4747,24.62.xxx.xxx:1,117
8/21/2003,01:34:34,24.61.141.26:1911,24.62.xxx.xxx:1,123
8/21/2003,01:34:37,24.61.141.26:1911,24.62.xxx.xxx:1,123
8/21/2003,01:58:55,24.61.171.35:2841,24.62.xxx.xxx:1,121
8/21/2003,01:58:58,24.61.171.35:2841,24.62.xxx.xxx:1,121
8/21/2003,02:08:07,24.61.170.195:2610,24.62.xxx.xxx:1,121
8/21/2003,02:08:10,24.61.170.195:2610,24.62.xxx.xxx:1,121
8/21/2003,02:53:29,24.61.20.136:4690,24.62.xxx.xxx:1,121
8/21/2003,02:53:32,24.61.20.136:4690,24.62.xxx.xxx:1,121
8/21/2003,03:35:02,24.60.214.72:1854,24.62.xxx.xxx:1,119
8/21/2003,03:35:05,24.60.214.72:1854,24.62.xxx.xxx:1,119
8/21/2003,04:49:49,24.60.88.189:3873,24.62.xxx.xxx:1,115
8/21/2003,04:49:52,24.60.88.189:3873,24.62.xxx.xxx:1,115
8/21/2003,05:41:36,24.60.109.210:2508,24.62.xxx.xxx:1,116
8/21/2003,06:18:38,24.60.36.124:3409,24.62.xxx.xxx:1,116
8/21/2003,06:18:41,24.60.36.124:3409,24.62.xxx.xxx:1,116
8/21/2003,07:09:44,24.59.127.69:2172,24.62.xxx.xxx:1,107
8/21/2003,07:22:54,24.59.104.254:3814,24.62.xxx.xxx:1,109
8/21/2003,07:22:57,24.59.104.254:3814,24.62.xxx.xxx:1,109
8/21/2003,07:24:15,24.59.99.37:1350,24.62.xxx.xxx:1,108
8/21/2003,07:24:18,24.59.99.37:1350,24.62.xxx.xxx:1,108
8/21/2003,07:35:39,24.59.141.186:3722,24.62.xxx.xxx:1,108
8/21/2003,07:35:42,24.59.141.186:3722,24.62.xxx.xxx:1,108
8/21/2003,08:42:59,24.58.227.72:4253,24.62.xxx.xxx:1,108
8/21/2003,08:43:02,24.58.227.72:4253,24.62.xxx.xxx:1,108
8/21/2003,09:06:22,24.58.235.75:2041,24.62.xxx.xxx:1,109
8/21/2003,09:06:25,24.58.235.75:2041,24.62.xxx.xxx:1,109
8/21/2003,10:01:09,24.58.119.204:2355,24.62.xxx.xxx:1,109
8/21/2003,10:01:12,24.58.119.204:2355,24.62.xxx.xxx:1,109
8/21/2003,10:56:16,24.59.58.234:2318,24.62.xxx.xxx:1,108
8/21/2003,10:56:19,24.59.58.234:2318,24.62.xxx.xxx:1,108
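As an added example that is not part of the original post or any reply to it: the Python script below parses the log rows quoted above (with the TTL digits rejoined), lists the source /16 prefixes in order of first appearance to test the "decreasing ranges" observation, estimates hop distance from the TTL column against the common initial-TTL defaults, and measures the spacing between repeated SYNs from the same source port. The initial-TTL table, the /16 grouping, the function names and the reading of the results are assumptions of this example, not the poster's.

```python
"""Added example (not from the original post): parse the TCP/1 scan log
above, walk the source /16s, estimate hop distance from the TTL column and
measure the spacing of repeated SYNs from the same source port."""
import ipaddress
from collections import OrderedDict, defaultdict
from datetime import datetime

# The 38 rows from the post with the split TTL digits rejoined (constructed
# input for this example; the destination is the poster's own masked address).
LOG = """\
8/20/2003,22:29:26,24.62.162.192:1667,24.62.xxx.xxx:1,126
8/20/2003,23:32:19,24.62.162.192:1956,24.62.xxx.xxx:1,126
8/20/2003,23:46:14,24.62.135.7:4489,24.62.xxx.xxx:1,117
8/20/2003,23:46:17,24.62.135.7:4489,24.62.xxx.xxx:1,118
8/20/2003,23:50:28,24.62.135.22:4546,24.62.xxx.xxx:1,117
8/20/2003,23:50:31,24.62.135.22:4546,24.62.xxx.xxx:1,118
8/21/2003,00:43:26,24.62.50.205:4747,24.62.xxx.xxx:1,117
8/21/2003,00:43:29,24.62.50.205:4747,24.62.xxx.xxx:1,117
8/21/2003,01:34:34,24.61.141.26:1911,24.62.xxx.xxx:1,123
8/21/2003,01:34:37,24.61.141.26:1911,24.62.xxx.xxx:1,123
8/21/2003,01:58:55,24.61.171.35:2841,24.62.xxx.xxx:1,121
8/21/2003,01:58:58,24.61.171.35:2841,24.62.xxx.xxx:1,121
8/21/2003,02:08:07,24.61.170.195:2610,24.62.xxx.xxx:1,121
8/21/2003,02:08:10,24.61.170.195:2610,24.62.xxx.xxx:1,121
8/21/2003,02:53:29,24.61.20.136:4690,24.62.xxx.xxx:1,121
8/21/2003,02:53:32,24.61.20.136:4690,24.62.xxx.xxx:1,121
8/21/2003,03:35:02,24.60.214.72:1854,24.62.xxx.xxx:1,119
8/21/2003,03:35:05,24.60.214.72:1854,24.62.xxx.xxx:1,119
8/21/2003,04:49:49,24.60.88.189:3873,24.62.xxx.xxx:1,115
8/21/2003,04:49:52,24.60.88.189:3873,24.62.xxx.xxx:1,115
8/21/2003,05:41:36,24.60.109.210:2508,24.62.xxx.xxx:1,116
8/21/2003,06:18:38,24.60.36.124:3409,24.62.xxx.xxx:1,116
8/21/2003,06:18:41,24.60.36.124:3409,24.62.xxx.xxx:1,116
8/21/2003,07:09:44,24.59.127.69:2172,24.62.xxx.xxx:1,107
8/21/2003,07:22:54,24.59.104.254:3814,24.62.xxx.xxx:1,109
8/21/2003,07:22:57,24.59.104.254:3814,24.62.xxx.xxx:1,109
8/21/2003,07:24:15,24.59.99.37:1350,24.62.xxx.xxx:1,108
8/21/2003,07:24:18,24.59.99.37:1350,24.62.xxx.xxx:1,108
8/21/2003,07:35:39,24.59.141.186:3722,24.62.xxx.xxx:1,108
8/21/2003,07:35:42,24.59.141.186:3722,24.62.xxx.xxx:1,108
8/21/2003,08:42:59,24.58.227.72:4253,24.62.xxx.xxx:1,108
8/21/2003,08:43:02,24.58.227.72:4253,24.62.xxx.xxx:1,108
8/21/2003,09:06:22,24.58.235.75:2041,24.62.xxx.xxx:1,109
8/21/2003,09:06:25,24.58.235.75:2041,24.62.xxx.xxx:1,109
8/21/2003,10:01:09,24.58.119.204:2355,24.62.xxx.xxx:1,109
8/21/2003,10:01:12,24.58.119.204:2355,24.62.xxx.xxx:1,109
8/21/2003,10:56:16,24.59.58.234:2318,24.62.xxx.xxx:1,108
8/21/2003,10:56:19,24.59.58.234:2318,24.62.xxx.xxx:1,108
"""
INITIAL_TTLS = (64, 128, 255)  # common OS defaults: BSD/Linux, Windows, Solaris/Cisco

def parse_log(text=LOG):
    """Parse 'date,time,src:port,dst:port,ttl' rows into dicts, in log order."""
    rows = []
    for line in filter(None, text.splitlines()):
        date, time, src, dst, ttl = line.split(",")
        src_ip, sport = src.rsplit(":", 1)
        rows.append({"ts": datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S"),
                     "src": ipaddress.ip_address(src_ip), "sport": int(sport),
                     "dst": dst, "ttl": int(ttl)})
    return rows

def infer_hops(ttl):
    """(assumed initial TTL, hops travelled): smallest common default >= ttl.
    A heuristic only; a sender spoofing the source can set any TTL it likes."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    return None, None

def prefix_walk(rows, prefixlen=16):
    """Source prefixes in order of first appearance."""
    seen = OrderedDict()
    for r in rows:
        seen.setdefault(ipaddress.ip_network(f"{r['src']}/{prefixlen}", strict=False), 1)
    return list(seen)

def is_descending(walk):
    """True when every prefix in the walk is numerically below the previous one."""
    return all(b < a for a, b in zip(walk, walk[1:]))

def syn_spacing(rows):
    """Seconds between successive packets from the same (src, sport) pair."""
    times = defaultdict(list)
    for r in rows:
        times[(r["src"], r["sport"])].append(r["ts"])
    for t in times.values():
        t.sort()
    return {k: [(b - a).total_seconds() for a, b in zip(t, t[1:])]
            for k, t in times.items()}

def per_prefix_summary(rows, prefixlen=16):
    """Per source prefix: (distinct hosts, min hops, max hops) from the TTL heuristic."""
    hosts, hops = defaultdict(set), defaultdict(list)
    for r in rows:
        net = str(ipaddress.ip_network(f"{r['src']}/{prefixlen}", strict=False))
        hosts[net].add(r["src"])
        hops[net].append(infer_hops(r["ttl"])[1])
    return {net: (len(hosts[net]), min(hops[net]), max(hops[net])) for net in hosts}

if __name__ == "__main__":
    rows = parse_log()
    walk = prefix_walk(rows)
    print([str(n) for n in walk], "descending:", is_descending(walk))
    for net, (n, lo, hi) in per_prefix_summary(rows).items():
        print(f"{net}: {n} hosts, {lo}-{hi} hops (TTL heuristic)")
    gaps = syn_spacing(rows)
    repeats = [g for g in gaps.values() if g]
    print(f"{len(repeats)}/{len(gaps)} source ports sent a second SYN; gaps {sorted({x for g in repeats for x in g})}s")
```

On this data the first-appearance walk is 24.62, 24.61, 24.60, 24.59, 24.58 (one 24.59 host reappears at the end), every TTL fits an initial value of 128 with hop counts that grow as the prefix gets farther from the poster's own 24.62 network, and 17 of the 21 source ports send exactly one more SYN 3 seconds later. A TTL that is stable (within one hop) per source and a retry from the same ephemeral port are what a real TCP stack retransmitting an unanswered SYN looks like, which favours compromised hosts over one-shot spoofed packets; since a spoofing sender controls the TTL field, treat this as supporting evidence rather than proof.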
This archive was generated by hypermail 2b30 : Sat Aug 23 2003 - 13:56:48 PDT