[Dshield] Roadrunner (Long post, apologies)

Peter Street peter.street at lazerfx.co.uk
Mon Oct 29 10:03:45 GMT 2001


Sure thing.  I did a quick grep-for-NT of the file, and produced this
output:

ZALog.txt:FWIN,2001/10/28,19:38:24 +0:00
GMT,65.34.72.90:4403,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,19:38:42 +0:00
GMT,65.34.72.90:1200,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,19:40:35 +0:00
GMT,65.34.72.90:3906,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:00:16 +0:00
GMT,65.34.72.90:1341,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:00:37 +0:00
GMT,65.34.72.90:2239,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:01:47 +0:00
GMT,65.34.72.90:3278,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:06:02 +0:00
GMT,65.34.72.90:4819,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:11:44 +0:00
GMT,65.34.72.90:4374,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:14:56 +0:00
GMT,65.34.72.90:2905,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:15:27 +0:00
GMT,65.34.72.90:3543,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:15:44 +0:00
GMT,65.34.72.90:2371,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:16:15 +0:00
GMT,65.34.72.90:1281,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:16:39 +0:00
GMT,65.34.72.90:4524,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:17:00 +0:00
GMT,65.34.72.90:2074,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:17:33 +0:00
GMT,65.34.72.90:4597,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:18:00 +0:00
GMT,65.34.72.90:1979,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:18:30 +0:00
GMT,65.34.72.90:1173,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:18:57 +0:00
GMT,65.34.72.90:1428,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:19:32 +0:00
GMT,65.34.72.90:2978,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:20:02 +0:00
GMT,65.34.72.90:3547,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:21:04 +0:00
GMT,65.34.72.90:3765,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:21:32 +0:00
GMT,65.34.72.90:1044,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:22:00 +0:00
GMT,65.34.72.90:1860,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:22:31 +0:00
GMT,65.34.72.90:1881,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:23:17 +0:00
GMT,65.34.72.90:1136,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:23:33 +0:00
GMT,65.34.72.90:2308,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:23:51 +0:00
GMT,65.34.72.90:4755,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:24:07 +0:00
GMT,65.34.72.90:1987,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:24:48 +0:00
GMT,65.34.72.90:3132,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:25:57 +0:00
GMT,65.34.72.90:4158,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:26:34 +0:00
GMT,65.34.72.90:2443,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:27:04 +0:00
GMT,65.34.72.90:2324,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:27:19 +0:00
GMT,65.34.72.90:2052,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:28:01 +0:00
GMT,65.34.72.90:1513,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:28:26 +0:00
GMT,65.34.72.90:1060,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:28:52 +0:00
GMT,65.34.72.90:4655,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:29:21 +0:00
GMT,65.34.72.90:2162,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:29:52 +0:00
GMT,65.34.72.90:3407,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:30:17 +0:00
GMT,65.34.72.90:2887,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:30:40 +0:00
GMT,65.34.72.90:1849,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:31:04 +0:00
GMT,65.34.72.90:3276,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:31:35 +0:00
GMT,65.34.72.90:4906,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:31:59 +0:00
GMT,65.34.72.90:1031,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:32:40 +0:00
GMT,65.34.72.90:4439,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:33:18 +0:00
GMT,65.34.72.90:4802,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:33:48 +0:00
GMT,65.34.72.90:4254,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:34:46 +0:00
GMT,65.34.72.90:2168,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:36:14 +0:00
GMT,65.34.72.90:3017,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:36:41 +0:00
GMT,65.34.72.90:1120,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:36:57 +0:00
GMT,65.34.72.90:1830,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:37:22 +0:00
GMT,65.34.72.90:4755,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:37:37 +0:00
GMT,65.34.72.90:1596,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:38:22 +0:00
GMT,65.34.72.90:4138,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:40:14 +0:00
GMT,65.34.72.90:2788,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:40:35 +0:00
GMT,65.34.72.90:1532,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:43:34 +0:00
GMT,65.34.72.90:2242,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:43:54 +0:00
GMT,65.34.72.90:3946,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:45:47 +0:00
GMT,65.34.72.90:1181,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:46:03 +0:00
GMT,65.34.72.90:3351,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:46:27 +0:00
GMT,65.34.72.90:2166,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:46:47 +0:00
GMT,65.34.72.90:1541,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:48:01 +0:00
GMT,65.34.72.90:4922,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:50:27 +0:00
GMT,65.34.72.90:1925,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:58:28 +0:00
GMT,65.34.72.90:4568,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,21:00:10 +0:00
GMT,65.34.72.90:3070,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,21:00:51 +0:00
GMT,65.34.72.90:1793,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,21:01:31 +0:00
GMT,65.34.72.90:4753,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,21:03:33 +0:00
GMT,65.34.72.90:2421,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,21:12:36 +0:00
GMT,65.34.72.90:2607,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,21:31:07 +0:00
GMT,65.34.72.90:1641,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,21:33:25 +0:00
GMT,65.34.72.90:2623,213.105.159.132:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,22:31:17 +0:00
GMT,65.34.72.90:2117,213.105.159.132:6346,TCP (flags:S)

Hope it means something to someone... It's the first 'true' attack I've
had (other than the spoof HackerWhacker someone stuck me into some time
ago).

Peter Street
Web Developer / Manager
LazerFX Productions
www.lazerfx.co.uk (Under Construction)


-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On
Behalf Of Johannes B. Ullrich
Sent: 29 October 2001 02:59
To: dshield at dshield.org
Subject: Re: [Dshield] Roadrunner

These ports do not ring a bell. Sometimes, tools probe for known
trojan ports and try to take the machines over (e.g. 'Leaves' or
'Easyspeed').

I don't see any of the known trojan ports in your list. So it may be 
interesting to see a complete scan.

-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System
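
One way to condense a ZoneAlarm log like the one posted in this thread into per-source totals, as an added example that is not part of the original messages. The sample records are constructed (documentation addresses), the function names are hypothetical, and the record layout is assumed to be the one shown in the post; the pattern tolerates the line break the mailer put before GMT.

```python
import re
from datetime import datetime

# Constructed sample in the layout shown in the post (grep prefix, records
# wrapped by the mailer before "GMT"); addresses are documentation ranges.
SAMPLE = """\
ZALog.txt:FWIN,2001/10/28,19:38:24 +0:00
GMT,192.0.2.10:4403,198.51.100.7:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,19:38:42 +0:00
GMT,192.0.2.10:1200,198.51.100.7:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,19:40:35 +0:00
GMT,192.0.2.10:3906,198.51.100.7:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:00:16 +0:00
GMT,192.0.2.10:1341,198.51.100.7:6346,TCP (flags:S)
ZALog.txt:FWIN,2001/10/28,20:05:00 +0:00 GMT,203.0.113.5:2211,198.51.100.7:80,TCP (flags:S)
"""

# Whitespace before GMT may be a space or the mail wrap, so match with \s+.
RECORD = re.compile(
    r"FWIN,(?P<date>\d{4}/\d\d/\d\d),(?P<time>\d\d:\d\d:\d\d) [+-]\d+:\d\d\s+GMT,"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"(?P<proto>\w+)(?: \(flags:(?P<flags>\w+)\))?"
)

def summarize(text):
    """Group blocked inbound records by (source IP, destination port, protocol)."""
    groups = {}
    for m in RECORD.finditer(text):  # text that does not fit the layout is skipped
        when = datetime.strptime(m["date"] + " " + m["time"], "%Y/%m/%d %H:%M:%S")
        key = (m["src"], int(m["dport"]), m["proto"])
        g = groups.setdefault(key, {"hits": 0, "sports": set(), "first": when,
                                    "last": when, "syn_only": True})
        g["hits"] += 1
        g["sports"].add(int(m["sport"]))
        g["first"], g["last"] = min(g["first"], when), max(g["last"], when)
        g["syn_only"] = g["syn_only"] and m["flags"] == "S"
    return groups

def repeated(text, min_hits=3):
    """Return (src, dport, hits, distinct source ports, span in seconds) for repeat sources."""
    rows = [(src, dport, g["hits"], len(g["sports"]),
             int((g["last"] - g["first"]).total_seconds()))
            for (src, dport, _), g in summarize(text).items() if g["hits"] >= min_hits]
    return sorted(rows, key=lambda r: -r[2])

if __name__ == "__main__":
    for row in repeated(SAMPLE):
        print("%s -> port %d: %d hits, %d source ports, over %d s" % row)
```

A single source that repeats SYNs to one destination port from many different source ports over a long span is the pattern this summary makes visible at a glance.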




