[Intrusions] odd worm (?) activity?

Charles Heselton charles.heselton at gmail.com
Sun Sep 12 17:58:11 GMT 2004


On Fri, 10 Sep 2004 19:48:47 -0500, Chris Norton
<kicktd_list at hotmail.com> wrote:
> Just wondering if anyone has noticed any activity like this? This is all from the same IP address:
> 
> [10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111xxx.:1450 -> 68.212.111.xxx:135, flags: SYN , seq:159470950 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1452 -> 68.212.111.xxx:1025, flags: SYN , seq:159504595 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1453 -> 68.212.111.xxx:445, flags: SYN , seq:159547845 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1454 -> 68.212.111.xxxx:6129, flags: SYN , seq:159599147 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxxx:1455 -> 68.212.111.xxx:139, flags: SYN , seq:159634329 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1456 -> 68.212.111.xxx:3410, flags: SYN , seq:159688821 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1457 -> 68.212.111.xxx:5554, flags: SYN , seq:159735284 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1458 -> 68.212.111.xxx:1433, flags: SYN , seq:159782567 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1459 -> 68.212.111.xxx:5000, flags: SYN , seq:159844021 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:36] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1480 -> 68.212.111.xxx:80, flags: SYN , seq:161072104 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1450 -> 68.212.111.xxx:135, flags: SYN , seq:159470950 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1454 -> 68.212.111.xxx:6129, flags: SYN , seq:159599147 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1457 -> 68.212.111.xxx:5554, flags: SYN , seq:159735284 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1452 -> 68.212.111.xxx:1025, flags: SYN , seq:159504595 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1455 -> 68.212.111.xxx:139, flags: SYN , seq:159634329 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1458 -> 68.212.111.xxx:1433, flags: SYN , seq:159782567 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1453 -> 68.212.111.xxx:445, flags: SYN , seq:159547845 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1456 -> 68.212.111.xxx:3410, flags: SYN , seq:159688821 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1459 -> 68.212.111.xxx:5000, flags: SYN , seq:159844021 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1480 -> 68.212.111.xxx:80, flags: SYN , seq:161072104 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1459 -> 68.212.111.xxx:5000, flags: SYN , seq:159844021 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1458 -> 68.212.111.xxx:1433, flags: SYN , seq:159782567 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1455 -> 68.212.111.xxx:139, flags: SYN , seq:159634329 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1452 -> 68.212.111.xxx:1025, flags: SYN , seq:159504595 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1457 -> 68.212.111.xxx:5554, flags: SYN , seq:159735284 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1454 -> 68.212.111.xxx:6129, flags: SYN , seq:159599147 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1450 -> 68.212.111.xxx:135, flags: SYN , seq:159470950 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1456 -> 68.212.111.xxx:3410, flags: SYN , seq:159688821 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1453 -> 68.212.111.xxx:445, flags: SYN , seq:159547845 ack:0, win:8760, tcplen:0
> [10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1480 -> 68.212.111.xxx:80, flags: SYN , seq:161072104 ack:0, win:8760, tcplen:0
> [10/Sep/2004 19:36:23] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1499 -> 68.212.111.xxx:135, flags: SYN , seq:2401699874 ack:0, win:8760, tcplen:0
> [10/Sep/2004 19:36:29] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1499 -> 68.212.111.xxx:135, flags: SYN , seq:2401699874 ack:0, win:8760, tcplen:0
> [10/Sep/2004 19:36:32] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1499 -> 68.212.111.xxx:135, flags: SYN , seq:2401699874 ack:0, win:8760, tcplen:0
> <<snip>>
> 
> I would have just thought regular worm activity if the ports 80, 1433, and 6129 weren't tossed in the mix. But I don't believe this is a port scan either, as the box continues to check port 135 on my computer. I haven't seen a scan like this from any other IP except this one. Anyone have any clues they might be able to add to this?
> 
> --
> Chris Norton
> UAT Student Software Engineering Network Defense
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
> 

Just to take a wild guess, I would think that this is probably a bot
scan, possibly from a tool/worm like the Gaobot/Phatbot strain.  I
believe that this particular worm/bot scans for several attack
vectors, including those created by other worms.

There are more duplicated ports than just 135.  And all of the ports
are common worm backdoor ports.  Also, since the scan is sourced from
another system on the same subnet, it is likely that the "scanner" is
unaware of the infection.

-- 
Charlie Heselton
Network Security Engineer
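As an added illustration (not code from either poster), the following Python parses the firewall log format quoted above and applies the reasoning in the reply: one source, SYN-only packets, the same handful of ports re-probed, and a source on the same subnet as the target. The watchlist of ports is taken from the quoted log; the sample lines and the 192.0.2.x / 198.51.100.x addresses are constructed for the example, and the /24 subnet assumption is a parameter.

```python
"""Flag a single source SYN-probing several worm-related ports in
firewall DROP logs of the form quoted in the thread (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Matches: [ts] ACTION "rule" packet from IFACE, proto:P, len:N,
#          ip/port:SRC:SP -> DST:DP, flags: F , seq:N ack:N, ...
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<action>\S+) "(?P<rule>[^"]*)" packet from (?P<iface>[^,]+), '
    r'proto:(?P<proto>\w+), len:(?P<len>\d+), '
    r'ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+), '
    r'flags:(?P<flags>[^,]*), seq:(?P<seq>\d+) ack:(?P<ack>\d+)'
)

# Destination ports that appear in the quoted scan (assumption: used as a watchlist).
WATCH_PORTS = {80, 135, 139, 445, 1025, 1433, 3410, 5000, 5554, 6129}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len", "seq", "ack"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"].split()   # " SYN " -> ["SYN"]
    return rec


def summarize(lines, prefix=24):
    """Per source IP: distinct destination ports, SYN-only flag, retransmission
    count and whether the source sits in the target's /<prefix> (assumed /24)."""
    per_src = defaultdict(lambda: {"dports": set(), "syn_only": True,
                                   "retries": 0, "same_subnet": False, "packets": 0})
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        s = per_src[rec["src"]]
        s["packets"] += 1
        s["dports"].add(rec["dport"])
        if rec["flags"] != ["SYN"]:
            s["syn_only"] = False
        # Same src port, dst port and sequence number seen again: the sender's
        # TCP stack is retransmitting an unanswered SYN (the 3 s / 6 s repeats).
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["seq"])
        if key in seen:
            s["retries"] += 1
        seen.add(key)
        if ip_address(rec["src"]) in ip_network(f"{rec['dst']}/{prefix}", strict=False):
            s["same_subnet"] = True
    return per_src


def classify(summary, min_ports=3):
    """Map source IP -> verdict for sources that SYN-probe >= min_ports watchlist ports."""
    verdicts = {}
    for src, s in summary.items():
        hits = s["dports"] & WATCH_PORTS
        if s["syn_only"] and len(hits) >= min_ports:
            note = f"multi-port SYN probe on {sorted(hits)}"
            if s["same_subnet"]:
                note += "; source is on the same subnet (possibly an infected neighbour)"
            verdicts[src] = note
    return verdicts


# Constructed sample: one neighbour probing four ports (two of them retried),
# plus an unrelated single SYN to port 80 from another network.
SAMPLE_LOG = [
    '[10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:192.0.2.10:1450 -> 192.0.2.20:135, flags: SYN , seq:159470950 ack:0, win:8760, tcplen:0',
    '[10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:192.0.2.10:1453 -> 192.0.2.20:445, flags: SYN , seq:159547845 ack:0, win:8760, tcplen:0',
    '[10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:192.0.2.10:1458 -> 192.0.2.20:1433, flags: SYN , seq:159782567 ack:0, win:8760, tcplen:0',
    '[10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:192.0.2.10:1454 -> 192.0.2.20:6129, flags: SYN , seq:159599147 ack:0, win:8760, tcplen:0',
    '[10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:192.0.2.10:1450 -> 192.0.2.20:135, flags: SYN , seq:159470950 ack:0, win:8760, tcplen:0',
    '[10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:192.0.2.10:1453 -> 192.0.2.20:445, flags: SYN , seq:159547845 ack:0, win:8760, tcplen:0',
    '[10/Sep/2004 18:36:01] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:198.51.100.7:3300 -> 192.0.2.20:80, flags: SYN , seq:555 ack:0, win:8760, tcplen:0',
]


def run(lines=SAMPLE_LOG):
    return classify(summarize(lines))


if __name__ == "__main__":
    for src, verdict in run().items():
        print(src, "->", verdict)
```

Real logs will mix in normal traffic, so the thresholds (`min_ports`, the watchlist, the subnet prefix) are the knobs to tune; the retransmission counter is only there to confirm that what looks like a persistent "check" of port 135 is the remote stack resending an unanswered SYN rather than a deliberate repeat.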


