[Dshield] RedHat systems seem to originate a lot of port 1433 attacks

John Sage jsage at finchhaven.com
Sat May 25 04:34:50 GMT 2002


On Wed, May 22, 2002 at 01:35:03PM -0400, Jon R. Kibler wrote:
<snip>
> This seems consistent with what we have been seeing. At least half
> of the systems hitting us (actually, all but a couple of the systems
> where someone was willing to talk to us!) were RedHat Linux systems.
<snip>

I have seen nothing of the sort.

Here's an example listing, from IPs posted to the list a day
ago. There's not a Red Hat box in the lot:


--20:41:12--  http://12.4.240.219/
           => `index.html'
Connecting to 12.4.240.219:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:40:56 GMT
4 Connection: Keep-Alive
5 Content-Length: 1270
6 Content-Type: text/html
7 Set-Cookie: ASPSESSIONIDGQQGQVVG=ECFPEPPBKEEACMKKDAEKPFGJ; path=/
8 Cache-control: private
9 
200 OK


--20:41:13--  http://140.192.109.2/
           => `index.html'
Connecting to 140.192.109.2:80... connected!
HTTP request sent, awaiting response... 403 Access Forbidden
2 Server: Microsoft-IIS/4.0
3 Date: Fri, 24 May 2002 03:39:27 GMT
4 Content-Length: 526
5 Content-Type: text/html
6 
20:41:13 ERROR 403: Access Forbidden.


--20:41:13--  http://158.37.52.43/
           => `index.html'
Connecting to 158.37.52.43:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:35:18 GMT
4 Connection: Keep-Alive
5 Content-Length: 1270
6 Content-Type: text/html
7 Set-Cookie: ASPSESSIONIDQQQGGKVQ=NBONLJKAIGHKHBAMOFDDFNEO; path=/
8 Cache-control: private
9 
200 OK


--20:41:15--  http://196.34.53.251/
           => `index.html'
Connecting to 196.34.53.251:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:43:18 GMT
4 Connection: Keep-Alive
5 Content-Length: 4686
6 Content-Type: text/html
7 Set-Cookie: ASPSESSIONIDGQQQGCCO=DJLDAAECCJBKNHPLGGPEAMNP; path=/
8 Cache-control: private
9 
200 OK


--20:41:17--  http://198.165.60.200/
           => `index.html'
Connecting to 198.165.60.200:80... connected!
HTTP request sent, awaiting response... 401 Access Denied
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:43:23 GMT
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 Content-Length: 4046
7 Content-Type: text/html
8 
Unknown authentication scheme.


--20:41:18--  http://202.125.137.71/
           => `index.html'
Connecting to 202.125.137.71:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 04:42:50 GMT
4 MicrosoftOfficeWebServer: 5.0_Collab
5 Connection: Keep-Alive
6 Content-Length: 1270
7 Content-Type: text/html
8 Set-Cookie: ASPSESSIONIDGGQQRJWQ=BMCEGECBNCIABHGHNKEGPKND; path=/
9 Cache-control: private
10 
200 OK


--20:41:19--  http://202.160.144.92/
           => `index.html'
Connecting to 202.160.144.92:80... connected!
HTTP request sent, awaiting response... 401 Access Denied
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:42:35 GMT
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 Content-Length: 4431
7 Content-Type: text/html
8 
Unknown authentication scheme.


--20:41:20--  http://202.62.64.249/
           => `index.html'
Connecting to 202.62.64.249:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/4.0
3 Content-Location: http://202.62.64.249/Default.htm
4 Date: Fri, 24 May 2002 03:40:52 GMT
5 Content-Type: text/html
6 Accept-Ranges: bytes
7 Last-Modified: Sun, 13 Oct 1996 20:08:00 GMT
8 ETag: "0507f3b42b9bb1:ee4"
9 Content-Length: 4051
10 
200 OK


--20:41:21--  http://202.88.237.211/
           => `index.html'
Connecting to 202.88.237.211:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Thu, 23 May 2002 15:50:46 GMT
4 Connection: Keep-Alive
5 Content-Length: 1270
6 Content-Type: text/html
7 Set-Cookie: ASPSESSIONIDQQQGGTWU=NOGNFGICEHKIFPLFMAECOLLC; path=/
8 Cache-control: private
9 
200 OK


--20:41:23--  http://203.235.138.9/
           => `index.html'
Connecting to 203.235.138.9:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/4.0
3 Content-Location: http://203.235.138.9/Default.htm
4 Date: Fri, 24 May 2002 03:39:15 GMT
5 Content-Type: text/html
6 Accept-Ranges: bytes
7 Last-Modified: Mon, 24 Sep 2001 11:25:35 GMT
8 ETag: "c06c2aa1eb44c11:171d"
9 Content-Length: 4131
10 
200 OK


--20:41:24--  http://203.237.139.237/
           => `index.html'
Connecting to 203.237.139.237:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:41:42 GMT
4 Connection: Keep-Alive
5 Content-Length: 17633
6 Content-Type: text/html
7 Set-Cookie: ASPSESSIONIDQGGGGARY=ONKFHANCIEKDLNIKGDEKCBOP; path=/
8 Cache-control: private
9 
200 OK


--20:41:25--  http://203.48.117.218/
           => `index.html'
Connecting to 203.48.117.218:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:40:53 GMT
4 Connection: Keep-Alive
5 Content-Length: 9375
6 Content-Type: text/html
7 Set-Cookie: ASPSESSIONIDQGQQQXQY=HDOPJDJBNCPBHAIELPNJBGMA; path=/
8 Cache-control: private
9 
200 OK


--20:44:38--  http://207.200.56.213/
           => `index.html'
Connecting to 207.200.56.213:80... connected!
HTTP request sent, awaiting response... 404 Object Not Found
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:42:23 GMT
4 Content-Type: text/html
5 Content-Length: 111
6 
20:44:39 ERROR 404: Object Not Found.


--20:44:39--  http://207.42.1.146/
           => `index.html'
Connecting to 207.42.1.146:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/4.0
3 Date: Fri, 24 May 2002 03:46:08 GMT
4 Content-Type: text/html
5 Set-Cookie: ASPSESSIONIDQGQGGRNY=FKMBNNBCPIHGEDKNHIOHLNFP; path=/
6 Cache-control: private
7 
200 OK


--20:44:40--  http://207.97.136.74/
           => `index.html'
Connecting to 207.97.136.74:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:58:09 GMT
4 Connection: Keep-Alive
5 Content-Length: 3088
6 Content-Type: text/html
7 Expires: Fri, 24 May 2002 03:58:09 GMT
8 Set-Cookie: ASPSESSIONIDGQQGQJAC=OMNJCNNCKNLNINBDPKAMGOFP; path=/
9 Cache-control: private
10 
200 OK


--20:44:42--  http://208.23.197.10/
           => `index.html'
Connecting to 208.23.197.10:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/4.0
3 MicrosoftOfficeWebServer: 5.0_Pub
4 Content-Location: http://208.23.197.10/index.html
5 Date: Fri, 24 May 2002 03:47:54 GMT
6 Content-Type: text/html
7 Accept-Ranges: bytes
8 Last-Modified: Mon, 13 May 2002 11:55:57 GMT
9 ETag: "c0e6e2475fac11:58b7"
10 Content-Length: 6800
11 
200 OK


--20:44:43--  http://208.46.13.162/
           => `index.html'
Connecting to 208.46.13.162:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/4.0
3 Date: Fri, 24 May 2002 03:31:01 GMT
4 Connection: Keep-Alive
5 Content-Length: 34
6 Content-Type: text/html
7 Set-Cookie: ASPSESSIONIDGGQGGRZF=HAJLPJNCAFCMNBALPKNDNFAN; path=/
8 Cache-control: private
9 
200 OK


--20:44:46--  http://209.145.74.8/
           => `index.html'
Connecting to 209.145.74.8:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/4.0
3 Date: Fri, 24 May 2002 03:49:57 GMT
4 Content-Type: text/html
5 Set-Cookie: ASPSESSIONIDQQQQQQBH=FIHDDMNCFEJAJGLBCCFPMEBA; path=/
6 Cache-control: private
7 
200 OK


--20:44:51--  http://209.151.244.144/
           => `index.html'
Connecting to 209.151.244.144:80... connected!
HTTP request sent, awaiting response... 403 Access Forbidden
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:42:31 GMT
4 Content-Type: text/html
5 Content-Length: 172
6 
20:44:51 ERROR 403: Access Forbidden.


--20:44:51--  http://209.251.226.148/
           => `index.html'
Connecting to 209.251.226.148:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:44:43 GMT
4 Connection: Keep-Alive
5 Content-Length: 1270
6 Content-Type: text/html
7 Set-Cookie: ASPSESSIONIDGGGQQMPY=IDDCDNGAPPGBJGCOOOACAMAJ; path=/
8 Cache-control: private
9 
200 OK


--20:44:52--  http://209.52.93.251/
           => `index.html'
Connecting to 209.52.93.251:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Content-Location: http://209.52.93.251/Default.htm
4 Date: Fri, 24 May 2002 04:23:58 GMT
5 Content-Type: text/html
6 Accept-Ranges: bytes
7 Last-Modified: Sat, 21 Oct 2000 02:32:41 GMT
8 ETag: "60e59e2f73bc01:da3"
9 Content-Length: 759
10 
200 OK


--20:44:53--  http://210.181.10.97/
           => `index.html'
Connecting to 210.181.10.97:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Date: Fri, 24 May 2002 03:44:29 GMT
3 Server: Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22
4 Last-Modified: Thu, 17 Jan 2002 09:23:41 GMT
5 ETag: "0-84b-3c46981d"
6 Accept-Ranges: bytes
7 Content-Length: 2123
8 Connection: close
9 Content-Type: text/html
10 
200 OK


--20:48:04--  http://211.104.246.7/
           => `index.html'
Connecting to 211.104.246.7:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Content-Location: http://211.104.246.7/intru.htm
4 Date: Fri, 24 May 2002 03:33:24 GMT
5 Content-Type: text/html
6 Accept-Ranges: bytes
7 Last-Modified: Thu, 29 Nov 2001 14:51:54 GMT
8 ETag: "0219762e578c11:8f8"
9 Content-Length: 366
10 
200 OK


--20:48:05--  http://211.174.63.197/
           => `index.html'
Connecting to 211.174.63.197:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:42:12 GMT
4 Connection: Keep-Alive
5 Content-Length: 14768
6 Content-Type: text/html
7 Set-Cookie: ASPSESSIONIDGGQQGBPC=MHNPIKGBACADDCCKKHNIOAAB; path=/
8 Cache-control: private
9 
200 OK


--20:48:06--  http://211.192.99.42/
           => `index.html'
Connecting to 211.192.99.42:80... connected!
HTTP request sent, awaiting response... 404 Object Not Found
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:42:00 GMT
4 Content-Type: text/html
5 Content-Length: 111
6 
20:48:07 ERROR 404: Object Not Found.


--20:48:07--  http://211.214.221.2/
           => `index.html'
Connecting to 211.214.221.2:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Content-Location: http://211.214.221.2/index.html
4 Date: Fri, 24 May 2002 03:45:14 GMT
5 Content-Type: text/html
6 Accept-Ranges: bytes
7 Last-Modified: Thu, 23 May 2002 01:36:38 GMT
8 ETag: "097ed47fa1c21:998"
9 Content-Length: 11540
10 
200 OK


--20:51:17--  http://211.36.17.111/
           => `index.html'
Connecting to 211.36.17.111:80... connected!
HTTP request sent, awaiting response... 404 Object Not Found
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 04:02:45 GMT
4 Content-Type: text/html
5 Content-Length: 111
6 
20:51:28 ERROR 404: Object Not Found.


--20:51:28--  http://211.47.156.227/
           => `index.html'
Connecting to 211.47.156.227:80... connected!
HTTP request sent, awaiting response... 403 Access Forbidden
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:49:48 GMT
4 Content-Type: text/html
5 Content-Length: 172
6 
20:51:29 ERROR 403: Access Forbidden.


--20:51:29--  http://211.54.76.1/
           => `index.html'
Connecting to 211.54.76.1:80... connected!
HTTP request sent, awaiting response... 403 Access Forbidden
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 04:15:32 GMT
4 Content-Type: text/html
5 Content-Length: 172
6 
20:51:30 ERROR 403: Access Forbidden.


--20:51:30--  http://212.135.166.82/
           => `index.html'
Connecting to 212.135.166.82:80... connected!
HTTP request sent, awaiting response... 404 Object Not Found
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:55:17 GMT
4 Content-Type: text/html
5 Content-Length: 111
6 
20:51:31 ERROR 404: Object Not Found.


--20:54:46--  http://213.41.120.69/
           => `index.html'
Connecting to 213.41.120.69:80... connected!
HTTP request sent, awaiting response... 403 Access Forbidden
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:49:18 GMT
4 Content-Type: text/html
5 Content-Length: 172
6 
20:54:46 ERROR 403: Access Forbidden.


--20:54:47--  http://216.135.253.29/
           => `index.html'
Connecting to 216.135.253.29:80... connected!
HTTP request sent, awaiting response... 401 Access Denied
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 03:51:47 GMT
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 Content-Length: 3245
7 Content-Type: text/html
8 
Unknown authentication scheme.


--20:57:57--  http://216.29.34.62/
           => `index.html'
Connecting to 216.29.34.62:80... connected!
HTTP request sent, awaiting response... 302 Object moved
2 Content-Length: 135
3 Date: Fri, 24 May 2002 04:03:27 GMT
4 Location: localstart.asp
5 Content-Type: text/html
6 Server: Microsoft-IIS/5.0
7 Set-Cookie: ASPSESSIONIDGGQQRRDG=GFIBGAIDKJPKNMNKANEHFCFI; path=/
8 Cache-control: private
9 
Location: localstart.asp [following]
216.29.34.62/localstart.asp: Unknown/unsupported protocol.


--20:57:57--  http://216.68.57.58/
           => `index.html'
Connecting to 216.68.57.58:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 04:02:36 GMT
4 Connection: Keep-Alive
5 Content-Length: 1270
6 Content-Type: text/html
7 Set-Cookie: ASPSESSIONIDGQQGQHTY=CLBDNHKABFLFMJAEICHPJBGA; path=/
8 Cache-control: private
9 
200 OK


--21:04:23--  http://61.103.108.88/
           => `index.html'
Connecting to 61.103.108.88:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Sat, 25 May 2002 04:08:06 GMT
4 Connection: Keep-Alive
5 Content-Length: 1174
6 Content-Type: text/html
7 Set-Cookie: ASPSESSIONIDQGQGGJXK=EKLDLGNBPFCGNIOGNKLKENFO; path=/
8 Cache-control: private
9 
200 OK


--21:04:24--  http://61.222.39.162/
           => `index.html'
Connecting to 61.222.39.162:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Content-Location: http://61.222.39.162/Default.htm
4 Date: Fri, 24 May 2002 04:08:22 GMT
5 Content-Type: text/html
6 Accept-Ranges: bytes
7 Last-Modified: Mon, 09 Jul 2001 06:53:48 GMT
8 ETag: "20df5ce7438c11:83f"
9 Content-Length: 3897
10 
200 OK


--21:04:25--  http://62.49.112.34/
           => `index.html'
Connecting to 62.49.112.34:80... connected!
HTTP request sent, awaiting response... 401 Access Denied
2 WWW-Authenticate: NTLM
3 Content-Length: 24
4 Content-Type: text/html
5 
Connecting to 62.49.112.34:80... connected!
HTTP request sent, awaiting response... 401 Access Denied
2 WWW-Authenticate: NTLM
3 Content-Length: 24
4 Content-Type: text/html
5 
Authorization failed.


--21:04:27--  http://63.101.74.200/
           => `index.html'
Connecting to 63.101.74.200:80... connected!
HTTP request sent, awaiting response... 404 Object Not Found
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 04:07:47 GMT
4 Content-Type: text/html
5 Content-Length: 111
6 
21:04:28 ERROR 404: Object Not Found.


--21:04:28--  http://63.146.69.111/
           => `index.html'
Connecting to 63.146.69.111:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/4.0
3 Content-Location: http://63.146.69.111/Default.htm
4 Date: Fri, 24 May 2002 03:59:31 GMT
5 Content-Type: text/html
6 Accept-Ranges: bytes
7 Last-Modified: Wed, 11 Jul 2001 03:08:58 GMT
8 ETag: "20c5e9d3b69c11:1759"
9 Content-Length: 7125
10 
200 OK


--21:07:37--  http://64.113.192.86/
           => `index.html'
Connecting to 64.113.192.86:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Content-Location: http://64.113.192.86/Default.htm
4 Date: Fri, 24 May 2002 04:07:57 GMT
5 Content-Type: text/html
6 Accept-Ranges: bytes
7 Last-Modified: Sat, 31 Mar 2001 02:19:10 GMT
8 ETag: "c0707df888b9c01:8cf"
9 Content-Length: 1530
10 
200 OK


--21:07:38--  http://64.166.33.2/
           => `index.html'
Connecting to 64.166.33.2:80... 
Connection to 64.166.33.2:80 refused.
--21:07:38--  http://64.180.111.123/
           => `index.html'
Connecting to 64.180.111.123:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Date: Fri, 24 May 2002 04:07:49 GMT
4 Connection: Keep-Alive
5 Content-Length: 2020
6 Content-Type: text/html
7 Set-Cookie: ASPSESSIONIDQGGGQAQG=BDFLEONCBJNOAJDCEPHAFBGO; path=/
8 Cache-control: private
9 
200 OK


--21:07:39--  http://64.214.111.152/
           => `index.html'
Connecting to 64.214.111.152:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Content-Location: http://64.214.111.152/Default.htm
4 Date: Fri, 24 May 2002 04:07:49 GMT
5 Content-Type: text/html
6 Accept-Ranges: bytes
7 Last-Modified: Tue, 23 Mar 1999 22:54:15 GMT
8 ETag: "80c51e138075be1:23f2"
9 Content-Length: 3088
10 
200 OK


--21:12:54--  http://203.235.138.9/
           => `index.html'
Connecting to 203.235.138.9:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/4.0
3 Content-Location: http://203.235.138.9/Default.htm
4 Date: Fri, 24 May 2002 04:10:46 GMT
5 Content-Type: text/html
6 Accept-Ranges: bytes
7 Last-Modified: Mon, 24 Sep 2001 11:25:35 GMT
8 ETag: "c06c2aa1eb44c11:171d"
9 Content-Length: 4131
10 
200 OK



- John
-- 
You simply can never have too many shells

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
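
Added example, not part of the original post: one way to check a claim like the one above is to tally the `Server:` banners per host from a wget-style transcript in the numbered-header format shown in the post, instead of reading it by eye. The transcript below is constructed (documentation addresses, abbreviated entries, and a Red Hat style Apache banner that is an assumption); the banner is self-reported by the web server, so hosts that refuse the connection or send no `Server` header stay `unknown`.

```python
import re
from collections import Counter

# Constructed, abbreviated sample in the numbered-header format shown in
# the post; addresses are documentation ranges, not hosts from the list.
SAMPLE = """\
--20:41:12--  http://192.0.2.10/
Connecting to 192.0.2.10:80... connected!
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
3 Content-Type: text/html
--20:41:13--  http://192.0.2.11/
HTTP request sent, awaiting response... 200 OK
2 Date: Fri, 24 May 2002 03:44:29 GMT
3 Server: Apache/1.3.12 (Win32) mod_ssl/2.6.4
--20:41:14--  http://192.0.2.12/
Connection to 192.0.2.12:80 refused.
--20:41:15--  http://192.0.2.13/
HTTP request sent, awaiting response... 401 Access Denied
2 WWW-Authenticate: NTLM
--20:41:16--  http://192.0.2.14/
HTTP request sent, awaiting response... 200 OK
2 Server: Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.7
--20:41:17--  http://192.0.2.10/
HTTP request sent, awaiting response... 200 OK
2 Server: Microsoft-IIS/5.0
"""

START = re.compile(r"^--\d\d:\d\d:\d\d--\s+http://([^/\s]+)/")
SERVER = re.compile(r"^\d+ Server:\s*(.+?)\s*$", re.I)

def classify(banner):
    """Map a self-reported Server banner to a coarse platform label."""
    if banner is None:
        return "unknown"          # refused, or no Server header sent
    b = banner.lower()
    if "red-hat" in b or "red hat" in b or "redhat" in b:
        return "redhat"
    if "microsoft-iis" in b or "win32" in b:
        return "windows"
    return "other"

def tally(transcript):
    """Return (host -> banner dict, Counter of platform labels)."""
    banners, host = {}, None
    for line in transcript.splitlines():
        m = START.match(line)
        if m:
            host = m.group(1)
            banners.setdefault(host, None)   # a repeated host counts once
        elif host and (s := SERVER.match(line)):
            banners[host] = s.group(1)
    return banners, Counter(classify(b) for b in banners.values())
```
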



