[Intrusions] LOGS (254 new events).

Earnhart, Benjamin J benjamin-earnhart at uiowa.edu
Mon Oct 18 23:30:10 GMT 2004


These (1025 and 1026) are probably trying to get to dynamically allocated windows ports.  When a windows box starts asking for the next available port, they start at 1025 and work their way up.  So it could be somebody trying to get in on these ports to nab a machine that's listening (for example, some messenger spam used to come in on these even after blocking the standard static ports), or it could be a legitimate connection dropped suddenly.  Just because it's registered to a particular service doesn't mean that's the most common use.

> 1025 (blackjack )
> 15
>
> 1026 (unknown)
> 9
>

This one is more likely to be somebody snooping for a non-standard implementation of SSH (kinda like how a non-standard HTTP often runs on 8080).  Also, it could simply be a suddenly dropped connection, since you have so few events.  But then again, it could be somebody looking for machines compromised w/botox among other things. Again, just because it's registered to that doesn't mean that's the most common use.

> 2222 (rockwell-csp2 )

Any chance you could post the number of hosts touched, number of hosts originating traffic, timeframe, and/or the traffic type?  These would really, really help in determining what is truly an attack and what is simply a session being closed suddenly.



*==========================================;
*Ben Earnhart
*Computer Consultant and 
*ICPSR Representative
*Department of Sociology and 
*College of Liberal Arts
*University of Iowa
*(319) 335-2887
*benjamin-earnhart at uiowa.edu
*==========================================;
*IMPORTANT NOTE:  MY EMAIL ADDRESS MAY
*CHANGE IN THE NEAR FUTURE!
*If you normally send email to me at
*"bearnhar at blue.weeg.uiowa.edu"
*please update your addressbook to
*"benjamin-earnhart at uiowa.edu"
*mail will get to me from both addresses
*for now, but the bearnhar address will
*be going away soon.
*==========================================; 

-----Original Message-----
From: intrusions-bounces at lists.sans.org [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Joel Esler
Sent: Saturday, October 16, 2004 7:29 PM
To: Intrusions List ((GCIA Practicals))
Subject: [Intrusions] LOGS (254 new events).

> Top 7 Attacking IP's
> # Events
>
> 82.121.27.137
> 60
>
> 24.214.198.163
> 30
>
> 192.168.1.150
> 19
>
> 24.255.113.104
> 15
>
> 24.15.18.126
> 9
>
> 24.214.80.45
> 8
>
> 24.214.17.15
> 6
>

> Top 7 Targeted Ports
> # Events
>
> 4662 (edonkey )
> 65
>
> 80 (www-http)
> 36
>
> 137 (netbios-ns)
> 35
>
> 2222 (rockwell-csp2 )
> 19
>
> 1025 (blackjack )
> 15
>
> 1026 (unknown)
> 9
>
> 1433 (ms-sql-s )
> 9
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
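The per-port context Ben asks for (events, distinct sources, distinct targets, time window, and the TCP flags seen) is exactly what separates a sweep from the tail of a closed session. The script below is an added example, not code from either poster or from the Intrusions list; it runs over constructed log lines (the IPs are borrowed from Joel's table, but the timestamps, targets and flags are made up) in an assumed format of "time src dst dport flags", with Snort-style flag letters. It treats 1025-5000 as the Windows dynamic client range of the era (allocation starts at 1025 and counts up, as Ben describes) and applies a few illustrative thresholds of my own to label each port.

```python
"""Per-port triage of firewall/IDS events: counts events, distinct sources
and targets, and the time window, then applies a few heuristics to separate
scanning from the tail of a legitimately closed session."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the original post).  Format per line:
# "<ISO-8601 time> <src_ip> <dst_ip> <dst_port> <tcp_flags>"
# Flags use Snort-style letters: S=SYN, A=ACK, F=FIN, R=RST.
SAMPLE_LOG = """\
2004-10-16T18:02:11 82.121.27.137 192.168.1.10 2222 S
2004-10-16T18:02:11 82.121.27.137 192.168.1.11 2222 S
2004-10-16T18:02:12 82.121.27.137 192.168.1.12 2222 S
2004-10-16T18:02:12 82.121.27.137 192.168.1.13 2222 S
2004-10-16T18:02:13 82.121.27.137 192.168.1.14 2222 S
2004-10-16T19:40:05 24.214.198.163 192.168.1.150 1025 A
2004-10-16T19:40:06 24.214.198.163 192.168.1.150 1025 A
2004-10-16T19:40:09 24.214.198.163 192.168.1.150 1025 FA
2004-10-16T20:15:30 24.255.113.104 192.168.1.150 1026 S
2004-10-16T20:15:31 24.15.18.126 192.168.1.150 1026 S
2004-10-16T21:03:44 24.214.80.45 192.168.1.150 1026 S
"""

# Default dynamic (ephemeral) client port range on Windows of that era:
# allocation starts at 1025 and works upward.
WINDOWS_DYNAMIC_PORTS = range(1025, 5001)


def parse_line(line):
    """Split one log line into a dict; timestamp becomes a datetime."""
    ts, src, dst, port, flags = line.split()
    return {"time": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "flags": flags}


def summarise(log_text):
    """Group events by destination port and collect the context an analyst
    needs: event count, distinct sources, distinct targets, time span, flags."""
    by_port = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_port[ev["port"]].append(ev)
    summary = {}
    for port, events in by_port.items():
        times = [e["time"] for e in events]
        summary[port] = {
            "events": len(events),
            "sources": {e["src"] for e in events},
            "targets": {e["dst"] for e in events},
            "span_seconds": (max(times) - min(times)).total_seconds(),
            "flags": {e["flags"] for e in events},
        }
    return summary


def classify(port, s):
    """Heuristic label for one port summary.  Thresholds are illustrative
    assumptions for this example, not established detection rules."""
    all_syn = s["flags"] == {"S"}
    one_pair = len(s["sources"]) == 1 and len(s["targets"]) == 1
    if all_syn and len(s["sources"]) == 1 and len(s["targets"]) >= 3:
        return "horizontal scan: one source sweeping many hosts for listeners"
    if port in WINDOWS_DYNAMIC_PORTS and not all_syn and one_pair:
        return "probable tail of a closed session: non-SYN packets into the dynamic range"
    if all_syn and len(s["sources"]) >= 2 and len(s["targets"]) == 1:
        return "several sources opening connections to one host: a listener is or was here"
    return "inconclusive: need more context"


def triage(log_text):
    """Map each destination port to its heuristic label."""
    return {port: classify(port, s) for port, s in summarise(log_text).items()}


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for port in sorted(summary):
        s = summary[port]
        print(f"{port:5d}  events={s['events']:2d}  srcs={len(s['sources'])}  "
              f"dsts={len(s['targets'])}  span={s['span_seconds']:.0f}s  "
              f"flags={sorted(s['flags'])}  -> {classify(port, s)}")
```

With the constructed input, 2222 comes out as a one-source sweep across five hosts, 1025 as a few ACK/FIN packets between one pair of hosts in the dynamic range (the dropped-session case), and 1026 as SYNs from several unrelated sources to one host. Real Snort or firewall logs carry these same fields, so the grouping is the useful part; the labels are only a starting point for the analyst.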