Increase in scans on TCP port 1 (tcpmux)?

From: Kevin Patz (jambo_catat_private)
Date: Thu Aug 21 2003 - 08:36:15 PDT

  • Next message: Marcel Thraenhardt: "Re: ICMP port 2048 scans" 

    
 ('binary' encoding is not supported, stored as-is)
Over the past couple days I've noticed an increase in 
scans targeting TCP port 1.  While looking at my logs, 
I noticed an odd pattern to the Source IPs of these 
scans.  If you look at the listing below, it looks 
like the scans started coming from 24.62, then 24.61, 
24.60, 20.59, and 24.58 IP addresses.  24.60 thru 
24.62 belong to attbi (now Comcast), 24.58 thru 24.59 
belong to Time Warner Cable (RoadRunner), Syracuse NY.

Has anyone else seen these?  Any ideas what they could 
be?  I'm guessing from the pattern that either it's a 
backdoor trojan that's being exploited to trigger 
scans, and the controlling hacker is hitting IP ranges 
sequentially in decreasing order, or the source IPs 
are spoofed.

Date, Time(EST), Source:Port, Dest:Port, TTL
8/20/2003,22:29:26,24.62.162.192:1667,24.62.xxx.xxx:1,1
26
8/20/2003,23:32:19,24.62.162.192:1956,24.62.xxx.xxx:1,1
26
8/20/2003,23:46:14,24.62.135.7:4489,24.62.xxx.xxx:1,117
8/20/2003,23:46:17,24.62.135.7:4489,24.62.xxx.xxx:1,118
8/20/2003,23:50:28,24.62.135.22:4546,24.62.xxx.xxx:1,11
7
8/20/2003,23:50:31,24.62.135.22:4546,24.62.xxx.xxx:1,11
8
8/21/2003,00:43:26,24.62.50.205:4747,24.62.xxx.xxx:1,11
7
8/21/2003,00:43:29,24.62.50.205:4747,24.62.xxx.xxx:1,11
7
8/21/2003,01:34:34,24.61.141.26:1911,24.62.xxx.xxx:1,12
3
8/21/2003,01:34:37,24.61.141.26:1911,24.62.xxx.xxx:1,12
3
8/21/2003,01:58:55,24.61.171.35:2841,24.62.xxx.xxx:1,12
1
8/21/2003,01:58:58,24.61.171.35:2841,24.62.xxx.xxx:1,12
1
8/21/2003,02:08:07,24.61.170.195:2610,24.62.xxx.xxx:1,1
21
8/21/2003,02:08:10,24.61.170.195:2610,24.62.xxx.xxx:1,1
21
8/21/2003,02:53:29,24.61.20.136:4690,24.62.xxx.xxx:1,12
1
8/21/2003,02:53:32,24.61.20.136:4690,24.62.xxx.xxx:1,12
1
8/21/2003,03:35:02,24.60.214.72:1854,24.62.xxx.xxx:1,11
9
8/21/2003,03:35:05,24.60.214.72:1854,24.62.xxx.xxx:1,11
9
8/21/2003,04:49:49,24.60.88.189:3873,24.62.xxx.xxx:1,11
5
8/21/2003,04:49:52,24.60.88.189:3873,24.62.xxx.xxx:1,11
5
8/21/2003,05:41:36,24.60.109.210:2508,24.62.xxx.xxx:1,1
16
8/21/2003,06:18:38,24.60.36.124:3409,24.62.xxx.xxx:1,11
6
8/21/2003,06:18:41,24.60.36.124:3409,24.62.xxx.xxx:1,11
6
8/21/2003,07:09:44,24.59.127.69:2172,24.62.xxx.xxx:1,10
7
8/21/2003,07:22:54,24.59.104.254:3814,24.62.xxx.xxx:1,1
09
8/21/2003,07:22:57,24.59.104.254:3814,24.62.xxx.xxx:1,1
09
8/21/2003,07:24:15,24.59.99.37:1350,24.62.xxx.xxx:1,108
8/21/2003,07:24:18,24.59.99.37:1350,24.62.xxx.xxx:1,108
8/21/2003,07:35:39,24.59.141.186:3722,24.62.xxx.xxx:1,1
08
8/21/2003,07:35:42,24.59.141.186:3722,24.62.xxx.xxx:1,1
08
8/21/2003,08:42:59,24.58.227.72:4253,24.62.xxx.xxx:1,10
8
8/21/2003,08:43:02,24.58.227.72:4253,24.62.xxx.xxx:1,10
8
8/21/2003,09:06:22,24.58.235.75:2041,24.62.xxx.xxx:1,10
9
8/21/2003,09:06:25,24.58.235.75:2041,24.62.xxx.xxx:1,10
9
8/21/2003,10:01:09,24.58.119.204:2355,24.62.xxx.xxx:1,1
09
8/21/2003,10:01:12,24.58.119.204:2355,24.62.xxx.xxx:1,1
09
8/21/2003,10:56:16,24.59.58.234:2318,24.62.xxx.xxx:1,10
8
8/21/2003,10:56:19,24.59.58.234:2318,24.62.xxx.xxx:1,10
8

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------

    

    



    

    


This archive was generated by hypermail 2b30 
: Sat Aug 23 2003 - 13:56:48 PDT