[Intrusions] RE: joehack, SQL and the 1433 Scans.... (Crossman, James)

Scott Sanders Scott.Sanders at Toyota-fs.com
Mon Nov 15 07:20:16 GMT 2004 

Thanks James,

I'm hoping that it'll be the same situation in our case too; I have the 
network team sniffing the cluster, so when/if it happens again we should 
be able to confirm. The only thing that still worries me are the symptoms; 
we were both investigating CPU spikes, but in our case it's more like a 
DOS with all four CPU's running at 100% for anything up to half an hour. 
Is this the same as your situation or was it just momentary spikes?

Regards,
Scott Sanders
IT Operations
Europe & Africa Region
Toyota Financial Services (UK)
D +44 (0)1737 365512
F +44 (0)1737 365520
M +44 (0)7810 884614
E scott.sanders at toyota-fs.com 


intrusions-request at lists.sans.org 
Sent by: intrusions-bounces at lists.sans.org
14/11/2004 23:24
Please respond to
intrusions at lists.sans.org


To
intrusions at lists.sans.org
cc

Subject
Intrusions Digest, Vol 8, Issue 14






Send Intrusions mailing list submissions to
                 intrusions at lists.sans.org

To subscribe or unsubscribe via the World Wide Web, visit
                 http://www.dshield.org/mailman/listinfo/intrusions
or, via email, send a message with subject or body 'help' to
                 intrusions-request at lists.sans.org

You can reach the person managing the list at
                 intrusions-owner at lists.sans.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Intrusions digest..."


Today's Topics:

   1. RE: joehack, SQL and the 1433 Scans.... (Crossman, James)
   2. [LOGS] Summary of large-scale portscanning detects
      (Ken.Connelly at uni.edu)


----------------------------------------------------------------------

Message: 1
Date: Fri, 12 Nov 2004 18:18:04 -0600
From: "Crossman, James" <jcrossman at vericenter.com>
Subject: RE: [Intrusions] joehack, SQL and the 1433 Scans....
To: "Intrusions List \(GCIA Practicals\)" <intrusions at lists.sans.org>
Message-ID:
 <8A65F8FC7103B14DB45BAAD6F198E6438CA317 at VCHOUXCH02.vcdom.vericenter.com>
 
Content-Type: text/plain;                charset="us-ascii"

Just to prove that old cases never go away, they just go idle for years.
:-) 

Thanks for quoting my old post, I was trying to remember the details as
I was reading the thread but couldn't remember when it happened.  It let
me go pull my notes from October 2001 to check my memory.  My notes (and
another engineer's memory) show it to have been benign in our case.  We
both remember it as a poor choice of names within the stored procedure.
Other engineer remembers it as being within a MS stored procedure - my
memory is it was the developer who cleared the situation up for us - we
may both be right.

Don't know if this is your situation or not.  But if the data from my
post back then is increasing your concern, don't let it.  I did a quick
google too, and it looks like one other forum used my original post to
base their warnings as well.  I see no indicators on the web that
'joehack' strings are known to be hostile in SQL.

And let this be a reminder that our notes should be clear enough to help
us remember something three years after the fact - even if it was
benign.  At least the notes let me know who to go ask, and confirmed
that it was a false positive alarm in our case.  :-) 

I hope this helps,
James


-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Hensinger Aaron
D Contr MCOM
Sent: Thursday, November 11, 2004 10:13 AM
To: Intrusions List (GCIA Practicals)
Subject: RE: [Intrusions] joehack, SQL and the 1433 Scans....

I found some articles relating to this. It appears that it may be used
as a
backdoor. I don't administer SQL so cannot validate this. I just found
several messages relating to backdoor.joehack so would be concerned. You
may
want to sniff the traffic and see if anything surprising comes across.

http://www.dshield.org/pipermail/intrusions/2001-October/001936.php



-----Original Message-----
From: Scott Sanders [mailto:Scott.Sanders at Toyota-fs.com] 
Sent: Wednesday, November 10, 2004 12:56 AM
To: intrusions at lists.sans.org
Subject: [Intrusions] joehack, SQL and the 1433 Scans....

Hi there... 

I'm hoping somebody can help shed light on this issue as we have an 
identical situation here and I'm not having much luck gathering info on 
this. 

We have been investigating processor spikes on a SQL server and we have 
also found a stored procedure running with this 'joehack' string. The 
details are below: 

DECLARE @OUTPAR1 int 
 execute  sp_<removed string>  @OUTPAR1  output 
select @OUTPAR1 'joehack' 

This seems to be running under a valid SQL account. 

Any advice is appreciated. 

Regards,
Scott Sanders
IT Operations
Europe & Africa Region
Toyota Financial Services (UK)
D +44 (0)1737 365512
F +44 (0)1737 365520
M +44 (0)7810 884614
E scott.sanders at toyota-fs.com 


This correspondence is for the intended recipient only. It may contain 
confidential or legally privileged information or both. No 
confidentiality or privilege is waived or lost by any mistransmission 
or unauthorised alteration during transmission. 

If you are not the intended recipient, any disclosure, copying, 
distribution or any action taken or omitted to be taken in reliance on 
it, is prohibited and may be unlawful. If you receive this 
correspondence in error, please immediately delete it from your system 
and notify the sender. 

Any views expressed in this message are those of the individual sender, 
except where the sender expressly, and with authority, states them to 
be the views of Toyota. 

This message has been checked for viruses but the recipient is strongly 
advised to rescan the message before opening any attachments or 
attached executable files. 
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions




------------------------------

Message: 2
Date: Sun, 14 Nov 2004 14:04:12 -0600 (CST)
From: Ken.Connelly at uni.edu
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning
                 detects
To: intrusions at lists.sans.org
Message-ID: <01LH86T56CC48Y79AX at uni.edu>

The following extracts show the beginning and ending of scan activity
was detected on my network.  The number following each set is the total
number of probes for that source.  Timestamps are GMT-0600.

Nov 12 04:36:56 206.13.56.94:2201 -> xxx.yyy.1.9:1433 SYN ******S* 
Nov 12 04:36:53 206.13.56.94:2238 -> xxx.yyy.1.4:1433 SYN ******S* 
Nov 12 04:36:56 206.13.56.94:2245 -> xxx.yyy.1.5:1433 SYN ******S* 
Nov 12 04:36:56 206.13.56.94:2252 -> xxx.yyy.1.3:1433 SYN ******S* 
Nov 12 04:36:56 206.13.56.94:2266 -> xxx.yyy.1.1:1433 SYN ******S* 
Nov 12 04:36:54 206.13.56.94:2258 -> xxx.yyy.1.2:1433 SYN ******S* 
Nov 12 04:36:54 206.13.56.94:2648 -> xxx.yyy.1.7:1433 SYN ******S* 
Nov 12 04:36:54 206.13.56.94:2175 -> xxx.yyy.1.11:1433 SYN ******S* 
[...]
Nov 12 05:00:32 206.13.56.94:2277 -> xxx.yyy.255.244:1433 SYN ******S* 
Nov 12 05:00:32 206.13.56.94:2285 -> xxx.yyy.255.245:1433 SYN ******S* 
Nov 12 05:00:32 206.13.56.94:2301 -> xxx.yyy.255.247:1433 SYN ******S* 
Nov 12 05:00:32 206.13.56.94:2310 -> xxx.yyy.255.248:1433 SYN ******S* 
Nov 12 05:00:32 206.13.56.94:2317 -> xxx.yyy.255.249:1433 SYN ******S* 
Nov 12 05:00:32 206.13.56.94:2333 -> xxx.yyy.255.251:1433 SYN ******S* 
Nov 12 05:00:32 206.13.56.94:2341 -> xxx.yyy.255.252:1433 SYN ******S* 
Nov 12 05:00:32 206.13.56.94:2357 -> xxx.yyy.255.254:1433 SYN ******S* 
67246

Nov 12 00:49:18 220.245.42.170:1483 -> xxx.yyy.1.1:1433 SYN ******S* 
Nov 12 00:49:18 220.245.42.170:1484 -> xxx.yyy.1.3:1433 SYN ******S* 
Nov 12 00:49:15 220.245.42.170:1486 -> xxx.yyy.1.4:1433 SYN ******S* 
Nov 12 00:49:15 220.245.42.170:1488 -> xxx.yyy.1.6:1433 SYN ******S* 
Nov 12 00:49:18 220.245.42.170:1491 -> xxx.yyy.1.10:1433 SYN ******S* 
Nov 12 00:49:18 220.245.42.170:1494 -> xxx.yyy.1.11:1433 SYN ******S* 
Nov 12 00:49:18 220.245.42.170:1495 -> xxx.yyy.1.14:1433 SYN ******S* 
Nov 12 00:49:18 220.245.42.170:1489 -> xxx.yyy.1.8:1433 SYN ******S* 
[...]
Nov 12 01:32:39 220.245.42.170:1881 -> xxx.yyy.255.248:1433 SYN ******S* 
Nov 12 01:32:39 220.245.42.170:1882 -> xxx.yyy.255.246:1433 SYN ******S* 
Nov 12 01:32:39 220.245.42.170:1883 -> xxx.yyy.255.250:1433 SYN ******S* 
Nov 12 01:32:39 220.245.42.170:1886 -> xxx.yyy.255.252:1433 SYN ******S* 
Nov 12 01:32:39 220.245.42.170:1884 -> xxx.yyy.255.249:1433 SYN ******S* 
Nov 12 01:32:39 220.245.42.170:1885 -> xxx.yyy.255.251:1433 SYN ******S* 
Nov 12 01:32:39 220.245.42.170:1887 -> xxx.yyy.255.254:1433 SYN ******S* 
Nov 12 01:32:39 220.245.42.170:1888 -> xxx.yyy.255.253:1433 SYN ******S* 
61583

Nov 12 02:33:13 218.150.240.130:1744 -> xxx.yyy.1.2:80 SYN ******S* 
Nov 12 02:33:13 218.150.240.130:1745 -> xxx.yyy.1.3:80 SYN ******S* 
Nov 12 02:33:15 218.150.240.130:1749 -> xxx.yyy.1.7:80 SYN ******S* 
Nov 12 02:33:15 218.150.240.130:1751 -> xxx.yyy.1.9:80 SYN ******S* 
Nov 12 02:33:13 218.150.240.130:1753 -> xxx.yyy.1.11:80 SYN ******S* 
Nov 12 02:33:12 218.150.240.130:1756 -> xxx.yyy.1.14:80 SYN ******S* 
Nov 12 02:33:12 218.150.240.130:1757 -> xxx.yyy.1.15:80 SYN ******S* 
Nov 12 02:33:15 218.150.240.130:1746 -> xxx.yyy.1.4:80 SYN ******S* 
[...]
Nov 12 02:38:33 218.150.240.130:3707 -> xxx.yyy.255.250:80 SYN ******S* 
Nov 12 02:38:33 218.150.240.130:3691 -> xxx.yyy.255.234:80 SYN ******S* 
Nov 12 02:38:33 218.150.240.130:3678 -> xxx.yyy.255.221:80 SYN ******S* 
Nov 12 02:38:33 218.150.240.130:3709 -> xxx.yyy.255.252:80 SYN ******S* 
Nov 12 02:38:33 218.150.240.130:3675 -> xxx.yyy.255.218:80 SYN ******S* 
Nov 12 02:38:33 218.150.240.130:3706 -> xxx.yyy.255.249:80 SYN ******S* 
Nov 12 02:38:33 218.150.240.130:3671 -> xxx.yyy.255.214:80 SYN ******S* 
Nov 12 02:38:33 218.150.240.130:3710 -> xxx.yyy.255.253:80 SYN ******S* 
Nov 12 02:38:33 218.150.240.130:3704 -> xxx.yyy.255.247:80 SYN ******S* 
58994

Nov 12 21:06:09 218.145.160.9:4712 -> xxx.yyy.1.1:1433 SYN ******S* 
Nov 12 21:06:07 218.145.160.9:4714 -> xxx.yyy.1.2:1433 SYN ******S* 
Nov 12 21:06:07 218.145.160.9:4716 -> xxx.yyy.1.3:1433 SYN ******S* 
Nov 12 21:06:07 218.145.160.9:4728 -> xxx.yyy.1.5:1433 SYN ******S* 
Nov 12 21:06:07 218.145.160.9:4733 -> xxx.yyy.1.6:1433 SYN ******S* 
Nov 12 21:06:07 218.145.160.9:4735 -> xxx.yyy.1.7:1433 SYN ******S* 
Nov 12 21:06:07 218.145.160.9:4749 -> xxx.yyy.1.8:1433 SYN ******S* 
Nov 12 21:06:10 218.145.160.9:4766 -> xxx.yyy.1.13:1433 SYN ******S* 
[...]
Nov 12 21:17:56 218.145.160.9:1696 -> xxx.yyy.255.241:1433 SYN ******S* 
Nov 12 21:17:56 218.145.160.9:1706 -> xxx.yyy.255.246:1433 SYN ******S* 
Nov 12 21:17:56 218.145.160.9:1702 -> xxx.yyy.255.244:1433 SYN ******S* 
Nov 12 21:17:56 218.145.160.9:1698 -> xxx.yyy.255.242:1433 SYN ******S* 
Nov 12 21:17:56 218.145.160.9:1708 -> xxx.yyy.255.247:1433 SYN ******S* 
Nov 12 21:17:56 218.145.160.9:1694 -> xxx.yyy.255.240:1433 SYN ******S* 
Nov 12 21:17:56 218.145.160.9:1704 -> xxx.yyy.255.245:1433 SYN ******S* 
Nov 12 21:17:56 218.145.160.9:1716 -> xxx.yyy.255.251:1433 SYN ******S* 
Nov 12 21:17:56 218.145.160.9:1714 -> xxx.yyy.255.250:1433 SYN ******S* 
52195

Nov 12 16:44:43 64.173.4.100:1390 -> xxx.yyy.1.1:1433 SYN ******S* 
Nov 12 16:44:43 64.173.4.100:1393 -> xxx.yyy.1.2:6129 SYN ******S* 
Nov 12 16:44:43 64.173.4.100:1400 -> xxx.yyy.1.6:1433 SYN ******S* 
Nov 12 16:44:43 64.173.4.100:1401 -> xxx.yyy.1.6:6129 SYN ******S* 
Nov 12 16:44:43 64.173.4.100:1404 -> xxx.yyy.1.8:1433 SYN ******S* 
Nov 12 16:44:43 64.173.4.100:1406 -> xxx.yyy.1.9:1433 SYN ******S* 
Nov 12 16:44:43 64.173.4.100:1407 -> xxx.yyy.1.9:6129 SYN ******S* 
Nov 12 16:44:43 64.173.4.100:1409 -> xxx.yyy.1.10:6129 SYN ******S* 
[...]
Nov 12 16:55:04 64.173.4.100:1888 -> xxx.yyy.255.247:6129 SYN ******S* 
Nov 12 16:55:04 64.173.4.100:1889 -> xxx.yyy.255.248:1433 SYN ******S* 
Nov 12 16:55:04 64.173.4.100:1890 -> xxx.yyy.255.248:6129 SYN ******S* 
Nov 12 16:55:04 64.173.4.100:1891 -> xxx.yyy.255.249:1433 SYN ******S* 
Nov 12 16:55:04 64.173.4.100:1896 -> xxx.yyy.255.251:6129 SYN ******S* 
Nov 12 16:55:04 64.173.4.100:1897 -> xxx.yyy.255.252:1433 SYN ******S* 
Nov 12 16:55:04 64.173.4.100:1898 -> xxx.yyy.255.252:6129 SYN ******S* 
Nov 12 16:55:05 64.173.4.100:1900 -> xxx.yyy.255.253:6129 SYN ******S* 
46625

Nov 12 16:17:30 24.2.3.36:3609 -> xxx.yyy.1.3:20168 SYN ******S* 
Nov 12 16:17:32 24.2.3.36:3610 -> xxx.yyy.1.4:20168 SYN ******S* 
Nov 12 16:17:30 24.2.3.36:3607 -> xxx.yyy.1.1:20168 SYN ******S* 
Nov 12 16:17:32 24.2.3.36:3612 -> xxx.yyy.1.6:20168 SYN ******S* 
Nov 12 16:17:30 24.2.3.36:3608 -> xxx.yyy.1.2:20168 SYN ******S* 
Nov 12 16:17:32 24.2.3.36:3611 -> xxx.yyy.1.5:20168 SYN ******S* 
Nov 12 16:17:32 24.2.3.36:3614 -> xxx.yyy.1.8:20168 SYN ******S* 
Nov 12 16:17:32 24.2.3.36:3615 -> xxx.yyy.1.9:20168 SYN ******S* 
[...]
Nov 12 16:28:59 24.2.3.36:2435 -> xxx.yyy.255.226:20168 SYN ******S* 
Nov 12 16:28:59 24.2.3.36:2434 -> xxx.yyy.255.225:20168 SYN ******S* 
Nov 12 16:28:59 24.2.3.36:2459 -> xxx.yyy.255.250:20168 SYN ******S* 
Nov 12 16:28:59 24.2.3.36:2456 -> xxx.yyy.255.247:20168 SYN ******S* 
Nov 12 16:28:59 24.2.3.36:2458 -> xxx.yyy.255.249:20168 SYN ******S* 
Nov 12 16:28:59 24.2.3.36:2454 -> xxx.yyy.255.245:20168 SYN ******S* 
Nov 12 16:29:00 24.2.3.36:2462 -> xxx.yyy.255.253:20168 SYN ******S* 
Nov 12 16:29:00 24.2.3.36:2463 -> xxx.yyy.255.254:20168 SYN ******S* 
41160

Nov 12 14:49:29 194.247.167.25:1189 -> xxx.yyy.1.1:1521 SYN ******S* 
Nov 12 14:49:31 194.247.167.25:1190 -> xxx.yyy.1.2:1521 SYN ******S* 
Nov 12 14:49:31 194.247.167.25:1191 -> xxx.yyy.1.3:1521 SYN ******S* 
Nov 12 14:49:29 194.247.167.25:1193 -> xxx.yyy.1.4:1521 SYN ******S* 
Nov 12 14:49:29 194.247.167.25:1194 -> xxx.yyy.1.5:1521 SYN ******S* 
Nov 12 14:49:29 194.247.167.25:1195 -> xxx.yyy.1.6:1521 SYN ******S* 
Nov 12 14:49:29 194.247.167.25:1196 -> xxx.yyy.1.7:1521 SYN ******S* 
Nov 12 14:49:30 194.247.167.25:1198 -> xxx.yyy.1.9:1521 SYN ******S* 
[...]
Nov 12 15:01:19 194.247.167.25:1354 -> xxx.yyy.255.207:1521 SYN ******S* 
Nov 12 15:01:19 194.247.167.25:1356 -> xxx.yyy.255.209:1521 SYN ******S* 
Nov 12 15:01:19 194.247.167.25:1373 -> xxx.yyy.255.219:1521 SYN ******S* 
Nov 12 15:01:19 194.247.167.25:1364 -> xxx.yyy.255.216:1521 SYN ******S* 
Nov 12 15:01:20 194.247.167.25:1390 -> xxx.yyy.255.230:1521 SYN ******S* 
Nov 12 15:01:20 194.247.167.25:1414 -> xxx.yyy.255.244:1521 SYN ******S* 
Nov 12 15:01:20 194.247.167.25:1425 -> xxx.yyy.255.249:1521 SYN ******S* 
Nov 12 15:01:20 194.247.167.25:1435 -> xxx.yyy.255.254:1521 SYN ******S* 
37961

[...]
28065

[...]
17432

[...]
17003

Nov 12 15:55:24 196.41.30.38:14195 -> xxx.yyy.1.219:80 SYN ******S* 
Nov 12 15:55:29 196.41.30.38:14217 -> xxx.yyy.1.234:80 SYN ******S* 
Nov 12 15:55:29 196.41.30.38:14220 -> xxx.yyy.1.224:80 SYN ******S* 
Nov 12 15:55:27 196.41.30.38:14223 -> xxx.yyy.1.218:80 SYN ******S* 
Nov 12 15:55:28 196.41.30.38:14235 -> xxx.yyy.1.236:80 SYN ******S* 
Nov 12 15:55:27 196.41.30.38:14230 -> xxx.yyy.1.242:80 SYN ******S* 
Nov 12 15:55:30 196.41.30.38:14235 -> xxx.yyy.1.236:80 SYN ******S* 
Nov 12 15:55:32 196.41.30.38:14220 -> xxx.yyy.1.224:80 SYN ******S* 
[...]
Nov 12 16:44:31 196.41.30.38:56306 -> xxx.yyy.254.106:80 SYN ******S* 
Nov 12 16:44:35 196.41.30.38:55924 -> xxx.yyy.253.153:80 SYN ******S* 
Nov 12 16:44:37 196.41.30.38:56381 -> xxx.yyy.255.115:80 SYN ******S* 
Nov 12 16:44:36 196.41.30.38:55940 -> xxx.yyy.253.206:80 SYN ******S* 
Nov 12 16:44:36 196.41.30.38:55941 -> xxx.yyy.253.202:80 SYN ******S* 
Nov 12 16:44:37 196.41.30.38:55957 -> xxx.yyy.254.14:80 SYN ******S* 
Nov 12 16:44:37 196.41.30.38:55956 -> xxx.yyy.253.199:80 SYN ******S* 
Nov 12 16:44:41 196.41.30.38:56115 -> xxx.yyy.255.113:80 SYN ******S* 
Nov 12 16:44:42 196.41.30.38:56127 -> xxx.yyy.255.94:80 SYN ******S* 
13718

Nov 12 23:01:13 220.72.186.223:3322 -> xxx.yyy.195.88:5554 SYN ******S* 
Nov 12 23:01:14 220.72.186.223:3728 -> xxx.yyy.195.88:1023 SYN ******S* 
Nov 12 23:01:16 220.72.186.223:4660 -> xxx.yyy.195.88:9898 SYN ******S* 
Nov 12 23:01:13 220.72.186.223:3324 -> xxx.yyy.195.96:5554 SYN ******S* 
Nov 12 23:01:14 220.72.186.223:3730 -> xxx.yyy.195.96:1023 SYN ******S* 
Nov 12 23:01:13 220.72.186.223:3326 -> xxx.yyy.195.101:5554 SYN ******S* 
Nov 12 23:01:14 220.72.186.223:3732 -> xxx.yyy.195.101:1023 SYN ******S* 
Nov 12 23:01:16 220.72.186.223:4671 -> xxx.yyy.195.101:9898 SYN ******S* 
[...]
Nov 12 23:02:04 220.72.186.223:1758 -> xxx.yyy.195.120:9898 SYN ******S* 
Nov 12 23:02:04 220.72.186.223:1864 -> xxx.yyy.195.155:9898 SYN ******S* 
Nov 12 23:02:04 220.72.186.223:1865 -> xxx.yyy.195.157:9898 SYN ******S* 
Nov 12 23:02:04 220.72.186.223:1867 -> xxx.yyy.195.151:9898 SYN ******S* 
Nov 12 23:02:04 220.72.186.223:1878 -> xxx.yyy.195.150:9898 SYN ******S* 
Nov 12 23:02:04 220.72.186.223:1892 -> xxx.yyy.195.163:9898 SYN ******S* 
Nov 12 23:02:04 220.72.186.223:1905 -> xxx.yyy.195.160:9898 SYN ******S* 
Nov 12 23:02:04 220.72.186.223:1992 -> xxx.yyy.195.183:9898 SYN ******S* 
11369

Nov 12 04:42:12 61.92.43.23:4886 -> xxx.yyy.1.0:17300 SYN ******S* 
Nov 12 04:42:12 61.92.43.23:4887 -> xxx.yyy.1.1:17300 SYN ******S* 
Nov 12 04:42:12 61.92.43.23:4888 -> xxx.yyy.1.2:17300 SYN ******S* 
Nov 12 04:42:12 61.92.43.23:4889 -> xxx.yyy.1.3:17300 SYN ******S* 
Nov 12 04:42:12 61.92.43.23:4890 -> xxx.yyy.1.4:17300 SYN ******S* 
Nov 12 04:42:12 61.92.43.23:4891 -> xxx.yyy.1.5:17300 SYN ******S* 
Nov 12 04:42:12 61.92.43.23:4892 -> xxx.yyy.1.6:17300 SYN ******S* 
Nov 12 04:42:12 61.92.43.23:4893 -> xxx.yyy.1.7:17300 SYN ******S* 
[...]
Nov 12 05:05:26 61.92.43.23:3954 -> xxx.yyy.104.137:17300 SYN ******S* 
Nov 12 05:05:26 61.92.43.23:3955 -> xxx.yyy.104.138:17300 SYN ******S* 
Nov 12 05:05:26 61.92.43.23:3956 -> xxx.yyy.104.139:17300 SYN ******S* 
Nov 12 05:05:26 61.92.43.23:3957 -> xxx.yyy.104.140:17300 SYN ******S* 
Nov 12 05:05:26 61.92.43.23:3958 -> xxx.yyy.104.141:17300 SYN ******S* 
Nov 12 05:05:26 61.92.43.23:3959 -> xxx.yyy.104.142:17300 SYN ******S* 
Nov 12 05:05:26 61.92.43.23:3960 -> xxx.yyy.104.143:17300 SYN ******S* 
Nov 12 05:05:26 61.92.43.23:3961 -> xxx.yyy.104.144:17300 SYN ******S* 
11079

[...]
10649

Nov 12 22:59:02 60.37.118.140:1711 -> xxx.yyy.72.124:5554 SYN ******S* 
Nov 12 22:59:03 60.37.118.140:2252 -> xxx.yyy.72.124:1023 SYN ******S* 
Nov 12 22:59:05 60.37.118.140:3265 -> xxx.yyy.72.124:9898 SYN ******S* 
Nov 12 22:59:02 60.37.118.140:1713 -> xxx.yyy.72.126:5554 SYN ******S* 
Nov 12 22:59:03 60.37.118.140:2254 -> xxx.yyy.72.126:1023 SYN ******S* 
Nov 12 22:59:02 60.37.118.140:1715 -> xxx.yyy.72.128:5554 SYN ******S* 
Nov 12 22:59:05 60.37.118.140:3314 -> xxx.yyy.72.128:9898 SYN ******S* 
Nov 12 22:59:02 60.37.118.140:1716 -> xxx.yyy.72.129:5554 SYN ******S* 
[...]
Nov 12 22:59:52 60.37.118.140:2617 -> xxx.yyy.92.234:9898 SYN ******S* 
Nov 12 22:59:52 60.37.118.140:2615 -> xxx.yyy.92.238:9898 SYN ******S* 
Nov 12 22:59:52 60.37.118.140:2624 -> xxx.yyy.92.245:9898 SYN ******S* 
Nov 12 22:59:52 60.37.118.140:2625 -> xxx.yyy.92.246:9898 SYN ******S* 
Nov 12 22:59:52 60.37.118.140:2620 -> xxx.yyy.92.240:9898 SYN ******S* 
Nov 12 22:59:52 60.37.118.140:2623 -> xxx.yyy.92.241:9898 SYN ******S* 
Nov 12 22:59:52 60.37.118.140:2638 -> xxx.yyy.92.242:9898 SYN ******S* 
Nov 12 22:59:52 60.37.118.140:2635 -> xxx.yyy.92.243:9898 SYN ******S* 
10577

Nov 12 23:34:11 218.191.199.174:2483 -> xxx.yyy.236.76:5554 SYN ******S* 
Nov 12 23:34:14 218.191.199.174:4539 -> xxx.yyy.236.76:9898 SYN ******S* 
Nov 12 23:34:11 218.191.199.174:2484 -> xxx.yyy.236.77:5554 SYN ******S* 
Nov 12 23:34:12 218.191.199.174:3186 -> xxx.yyy.236.77:1023 SYN ******S* 
Nov 12 23:34:14 218.191.199.174:4540 -> xxx.yyy.236.77:9898 SYN ******S* 
Nov 12 23:34:11 218.191.199.174:2509 -> xxx.yyy.236.84:5554 SYN ******S* 
Nov 12 23:34:12 218.191.199.174:3213 -> xxx.yyy.236.84:1023 SYN ******S* 
Nov 12 23:34:14 218.191.199.174:4580 -> xxx.yyy.236.84:9898 SYN ******S* 
[...]
Nov 12 23:34:53 218.191.199.174:1913 -> xxx.yyy.255.204:9898 SYN ******S* 
Nov 12 23:34:53 218.191.199.174:1915 -> xxx.yyy.255.201:9898 SYN ******S* 
Nov 12 23:34:53 218.191.199.174:1914 -> xxx.yyy.255.200:9898 SYN ******S* 
Nov 12 23:34:53 218.191.199.174:1916 -> xxx.yyy.255.202:9898 SYN ******S* 
Nov 12 23:34:53 218.191.199.174:1967 -> xxx.yyy.255.212:9898 SYN ******S* 
Nov 12 23:34:53 218.191.199.174:2389 -> xxx.yyy.255.248:9898 SYN ******S* 
Nov 12 23:34:53 218.191.199.174:2392 -> xxx.yyy.255.251:9898 SYN ******S* 
Nov 12 23:34:53 218.191.199.174:2399 -> xxx.yyy.255.253:9898 SYN ******S* 
Nov 12 23:34:53 218.191.199.174:2402 -> xxx.yyy.255.254:9898 SYN ******S* 
10413

Nov 12 22:54:48 218.158.121.128:2636 -> xxx.yyy.194.124:5554 SYN ******S* 
Nov 12 22:54:50 218.158.121.128:3104 -> xxx.yyy.194.124:1023 SYN ******S* 
Nov 12 22:54:48 218.158.121.128:2637 -> xxx.yyy.194.125:5554 SYN ******S* 
Nov 12 22:54:48 218.158.121.128:2639 -> xxx.yyy.194.130:5554 SYN ******S* 
Nov 12 22:54:50 218.158.121.128:3107 -> xxx.yyy.194.130:1023 SYN ******S* 
Nov 12 22:54:49 218.158.121.128:2640 -> xxx.yyy.194.132:5554 SYN ******S* 
Nov 12 22:54:50 218.158.121.128:3108 -> xxx.yyy.194.132:1023 SYN ******S* 
Nov 12 22:54:49 218.158.121.128:2641 -> xxx.yyy.194.135:5554 SYN ******S* 
[...]
Nov 12 23:00:23 218.158.121.128:4046 -> xxx.yyy.194.212:1023 SYN ******S* 
Nov 12 23:00:23 218.158.121.128:4028 -> xxx.yyy.194.214:1023 SYN ******S* 
Nov 12 23:00:23 218.158.121.128:4031 -> xxx.yyy.194.210:1023 SYN ******S* 
Nov 12 23:00:24 218.158.121.128:4089 -> xxx.yyy.194.222:1023 SYN ******S* 
Nov 12 23:00:24 218.158.121.128:4094 -> xxx.yyy.194.224:1023 SYN ******S* 
Nov 12 23:00:24 218.158.121.128:4104 -> xxx.yyy.194.225:1023 SYN ******S* 
Nov 12 23:00:24 218.158.121.128:4148 -> xxx.yyy.194.232:1023 SYN ******S* 
Nov 12 23:00:24 218.158.121.128:4149 -> xxx.yyy.194.230:1023 SYN ******S* 
Nov 12 23:00:24 218.158.121.128:4164 -> xxx.yyy.194.231:1023 SYN ******S* 
10039

Nov 12 06:05:31 222.45.45.132:45118 -> xxx.yyy.1.0:22 SYN ******S* 
Nov 12 06:05:31 222.45.45.132:45118 -> xxx.yyy.1.1:22 SYN ******S* 
Nov 12 06:05:31 222.45.45.132:45118 -> xxx.yyy.1.7:22 SYN ******S* 
Nov 12 06:05:31 222.45.45.132:45118 -> xxx.yyy.1.9:22 SYN ******S* 
Nov 12 06:05:31 222.45.45.132:45118 -> xxx.yyy.1.10:22 SYN ******S* 
Nov 12 06:05:31 222.45.45.132:45118 -> xxx.yyy.1.14:22 SYN ******S* 
Nov 12 06:05:31 222.45.45.132:45118 -> xxx.yyy.1.17:22 SYN ******S* 
Nov 12 06:05:31 222.45.45.132:45118 -> xxx.yyy.1.24:22 SYN ******S* 
[...]
Nov 12 12:19:36 222.45.45.132:39818 -> xxx.yyy.137.189:22 SYN ******S* 
Nov 12 12:19:36 222.45.45.132:39819 -> xxx.yyy.241.7:22 SYN ******S* 
Nov 12 12:19:36 222.45.45.132:39783 -> xxx.yyy.224.92:22 SYN ******S* 
Nov 12 12:19:37 222.45.45.132:39824 -> xxx.yyy.248.17:22 SYN ******S* 
Nov 12 12:19:38 222.45.45.132:39897 -> xxx.yyy.137.189:22 SYN ******S* 
Nov 12 12:19:39 222.45.45.132:39801 -> xxx.yyy.229.18:22 SYN ******S* 
Nov 12 12:19:40 222.45.45.132:39804 -> xxx.yyy.230.145:22 SYN ******S* 
Nov 12 12:19:43 222.45.45.132:39823 -> xxx.yyy.243.45:22 SYN ******S* 
9968

[...]
8969

Nov 12 23:56:59 218.24.66.21:4667 -> xxx.yyy.133.234:5554 SYN ******S* 
Nov 12 23:57:00 218.24.66.21:1478 -> xxx.yyy.133.234:1023 SYN ******S* 
Nov 12 23:56:59 218.24.66.21:4870 -> xxx.yyy.133.239:5554 SYN ******S* 
Nov 12 23:57:00 218.24.66.21:1498 -> xxx.yyy.133.239:1023 SYN ******S* 
Nov 12 23:56:59 218.24.66.21:4871 -> xxx.yyy.133.240:5554 SYN ******S* 
Nov 12 23:56:59 218.24.66.21:4913 -> xxx.yyy.133.242:5554 SYN ******S* 
Nov 12 23:57:00 218.24.66.21:1036 -> xxx.yyy.133.255:5554 SYN ******S* 
Nov 12 23:57:03 218.24.66.21:2814 -> xxx.yyy.133.255:9898 SYN ******S* 
[...]
Nov 12 23:57:41 218.24.66.21:1054 -> xxx.yyy.154.83:9898 SYN ******S* 
Nov 12 23:57:41 218.24.66.21:1083 -> xxx.yyy.154.86:9898 SYN ******S* 
Nov 12 23:57:41 218.24.66.21:1086 -> xxx.yyy.154.90:9898 SYN ******S* 
Nov 12 23:57:41 218.24.66.21:1084 -> xxx.yyy.154.87:9898 SYN ******S* 
Nov 12 23:57:41 218.24.66.21:1087 -> xxx.yyy.154.92:9898 SYN ******S* 
Nov 12 23:57:41 218.24.66.21:1103 -> xxx.yyy.154.94:9898 SYN ******S* 
Nov 12 23:57:45 218.24.66.21:3186 -> xxx.yyy.153.177:1023 SYN ******S* 
Nov 12 23:57:47 218.24.66.21:4575 -> xxx.yyy.153.177:9898 SYN ******S* 
8438

Nov 12 23:56:58 61.49.99.214:4263 -> xxx.yyy.175.9:5554 SYN ******S* 
Nov 12 23:56:59 61.49.99.214:1107 -> xxx.yyy.175.9:1023 SYN ******S* 
Nov 12 23:56:58 61.49.99.214:4259 -> xxx.yyy.175.10:5554 SYN ******S* 
Nov 12 23:56:59 61.49.99.214:1106 -> xxx.yyy.175.10:1023 SYN ******S* 
Nov 12 23:56:58 61.49.99.214:4250 -> xxx.yyy.175.14:5554 SYN ******S* 
Nov 12 23:56:58 61.49.99.214:4278 -> xxx.yyy.175.2:5554 SYN ******S* 
Nov 12 23:56:58 61.49.99.214:4286 -> xxx.yyy.175.0:5554 SYN ******S* 
Nov 12 23:56:58 61.49.99.214:4299 -> xxx.yyy.174.246:5554 SYN ******S* 
[...]
Nov 12 23:57:44 61.49.99.214:2782 -> xxx.yyy.195.61:9898 SYN ******S* 
Nov 12 23:57:44 61.49.99.214:2786 -> xxx.yyy.195.58:9898 SYN ******S* 
Nov 12 23:57:44 61.49.99.214:2787 -> xxx.yyy.195.59:9898 SYN ******S* 
Nov 12 23:57:44 61.49.99.214:2795 -> xxx.yyy.195.72:9898 SYN ******S* 
Nov 12 23:57:44 61.49.99.214:2796 -> xxx.yyy.195.73:9898 SYN ******S* 
Nov 12 23:57:44 61.49.99.214:2798 -> xxx.yyy.195.64:9898 SYN ******S* 
Nov 12 23:57:44 61.49.99.214:2800 -> xxx.yyy.195.66:9898 SYN ******S* 
Nov 12 23:57:44 61.49.99.214:2799 -> xxx.yyy.195.65:9898 SYN ******S* 
Nov 12 23:57:44 61.49.99.214:2802 -> xxx.yyy.195.69:9898 SYN ******S* 
8318

Nov 12 09:12:11 69.93.219.52:24458 -> xxx.yyy.1.2:1433 SYN ******S* 
Nov 12 09:12:11 69.93.219.52:22645 -> xxx.yyy.1.4:1433 SYN ******S* 
Nov 12 09:12:11 69.93.219.52:25104 -> xxx.yyy.1.0:1433 SYN ******S* 
Nov 12 09:12:11 69.93.219.52:21374 -> xxx.yyy.1.1:1433 SYN ******S* 
Nov 12 09:12:11 69.93.219.52:22926 -> xxx.yyy.1.3:1433 SYN ******S* 
Nov 12 09:12:11 69.93.219.52:23873 -> xxx.yyy.1.10:1433 SYN ******S* 
Nov 12 09:12:11 69.93.219.52:25264 -> xxx.yyy.1.8:1433 SYN ******S* 
Nov 12 09:12:11 69.93.219.52:21142 -> xxx.yyy.1.12:1433 SYN ******S* 
[...]
Nov 12 09:12:29 69.93.219.52:24302 -> xxx.yyy.255.161:1433 SYN ******S* 
Nov 12 09:12:29 69.93.219.52:25461 -> xxx.yyy.255.163:1433 SYN ******S* 
Nov 12 09:12:29 69.93.219.52:26493 -> xxx.yyy.255.168:1433 SYN ******S* 
Nov 12 09:12:29 69.93.219.52:23229 -> xxx.yyy.255.164:1433 SYN ******S* 
Nov 12 09:12:29 69.93.219.52:23348 -> xxx.yyy.255.167:1433 SYN ******S* 
Nov 12 09:12:29 69.93.219.52:24574 -> xxx.yyy.255.166:1433 SYN ******S* 
Nov 12 09:12:29 69.93.219.52:22151 -> xxx.yyy.255.171:1433 SYN ******S* 
Nov 12 09:12:29 69.93.219.52:21908 -> xxx.yyy.255.170:1433 SYN ******S* 
Nov 12 09:12:29 69.93.219.52:26299 -> xxx.yyy.255.169:1433 SYN ******S* 
7635

Nov 12 23:08:47 60.37.118.102:4665 -> xxx.yyy.154.119:5554 SYN ******S* 
Nov 12 23:08:48 60.37.118.102:3076 -> xxx.yyy.154.119:1023 SYN ******S* 
Nov 12 23:08:50 60.37.118.102:4487 -> xxx.yyy.154.119:9898 SYN ******S* 
Nov 12 23:08:47 60.37.118.102:1316 -> xxx.yyy.154.201:5554 SYN ******S* 
Nov 12 23:08:48 60.37.118.102:4376 -> xxx.yyy.154.201:1023 SYN ******S* 
Nov 12 23:08:47 60.37.118.102:4519 -> xxx.yyy.154.111:5554 SYN ******S* 
Nov 12 23:08:47 60.37.118.102:1601 -> xxx.yyy.154.229:5554 SYN ******S* 
Nov 12 23:08:48 60.37.118.102:4476 -> xxx.yyy.154.229:1023 SYN ******S* 
[...]
Nov 12 23:10:00 60.37.118.102:4053 -> xxx.yyy.155.219:9898 SYN ******S* 
Nov 12 23:10:00 60.37.118.102:4163 -> xxx.yyy.155.238:9898 SYN ******S* 
Nov 12 23:10:00 60.37.118.102:4167 -> xxx.yyy.155.240:9898 SYN ******S* 
Nov 12 23:10:00 60.37.118.102:4109 -> xxx.yyy.155.230:9898 SYN ******S* 
Nov 12 23:10:00 60.37.118.102:4126 -> xxx.yyy.155.231:9898 SYN ******S* 
Nov 12 23:10:00 60.37.118.102:4158 -> xxx.yyy.155.237:9898 SYN ******S* 
Nov 12 23:10:00 60.37.118.102:4139 -> xxx.yyy.155.233:9898 SYN ******S* 
Nov 12 23:10:00 60.37.118.102:4140 -> xxx.yyy.155.234:9898 SYN ******S* 
Nov 12 23:10:00 60.37.118.102:4180 -> xxx.yyy.155.241:9898 SYN ******S* 
7575

[...]
6761

[...]
6123

Nov 12 23:36:06 219.133.216.106:3330 -> xxx.yyy.154.103:5554 SYN ******S* 
Nov 12 23:36:07 219.133.216.106:3882 -> xxx.yyy.154.103:1023 SYN ******S* 
Nov 12 23:36:06 219.133.216.106:3343 -> xxx.yyy.154.116:5554 SYN ******S* 
Nov 12 23:36:09 219.133.216.106:1431 -> xxx.yyy.154.116:9898 SYN ******S* 
Nov 12 23:36:06 219.133.216.106:3357 -> xxx.yyy.154.130:5554 SYN ******S* 
Nov 12 23:36:07 219.133.216.106:3951 -> xxx.yyy.154.130:1023 SYN ******S* 
Nov 12 23:36:09 219.133.216.106:1476 -> xxx.yyy.154.130:9898 SYN ******S* 
Nov 12 23:36:06 219.133.216.106:3338 -> xxx.yyy.154.111:5554 SYN ******S* 
[...]
Nov 12 23:36:58 219.133.216.106:3598 -> xxx.yyy.174.203:9898 SYN ******S* 
Nov 12 23:36:58 219.133.216.106:3599 -> xxx.yyy.174.202:9898 SYN ******S* 
Nov 12 23:36:58 219.133.216.106:3535 -> xxx.yyy.174.194:9898 SYN ******S* 
Nov 12 23:36:58 219.133.216.106:3495 -> xxx.yyy.174.183:9898 SYN ******S* 
Nov 12 23:36:58 219.133.216.106:3633 -> xxx.yyy.174.141:9898 SYN ******S* 
Nov 12 23:36:58 219.133.216.106:3543 -> xxx.yyy.174.210:9898 SYN ******S* 
Nov 12 23:36:58 219.133.216.106:3639 -> xxx.yyy.174.219:9898 SYN ******S* 
Nov 12 23:36:58 219.133.216.106:3577 -> xxx.yyy.174.196:9898 SYN ******S* 
Nov 12 23:36:58 219.133.216.106:3648 -> xxx.yyy.174.215:9898 SYN ******S* 
5708

--
- Ken
===========================================================================
Ken Connelly (KC152) Systems and Operations Manager, ITS - Network 
Services
University of Northern Iowa                     Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu    phone: (319) 273-5850    fax: (319) 
273-7373


------------------------------

_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions


End of Intrusions Digest, Vol 8, Issue 14
*****************************************


This correspondence is for the intended recipient only. It may contain 
confidential or legally privileged information or both. No 
confidentiality or privilege is waived or lost by any mistransmission 
or unauthorised alteration during transmission. 

If you are not the intended recipient, any disclosure, copying, 
distribution or any action taken or omitted to be taken in reliance on 
it, is prohibited and may be unlawful. If you receive this 
correspondence in error, please immediately delete it from your system 
and notify the sender. 

Any views expressed in this message are those of the individual sender, 
except where the sender expressly, and with authority, states them to 
be the views of Toyota. 

This message has been checked for viruses but the recipient is strongly 
advised to rescan the message before opening any attachments or 
attached executable files.

More information about the Intrusions mailing list