[Dshield] Port 10/tcp scans

Ken Eichman keichman at cas.org
Thu Dec 11 16:07:28 GMT 2003


I posted this message about an hour ago... it hasn't made it through to the
list yet. I just grabbed the following message sent by one of the probing
hosts:

	"PRIVMSG #ddos# :Found port 10 open at ip:134.243.55.25"

Where 134.243.55.25 is the address of a honeypot I set up:

12/11-15:39:14.266003 68.99.102.105:21910 -> 134.243.55.25:10
TCP TTL:106 TOS:0x0 ID:21383 IpLen:20 DgmLen:95 DF
***AP*** Seq: 0xDC77C8D6  Ack: 0x3CE5EE8B  Win: 0x40B0  TcpLen: 20
50 52 49 56 4D 53 47 20 23 64 64 6F 73 23 20 3A  PRIVMSG #ddos# :
46 6F 75 6E 64 20 70 6F 72 74 20 31 30 20 6F 70  Found port 10 op
65 6E 20 61 74 20 69 70 3A 31 33 34 2E 32 34 33  en at ip:134.243
2E 35 35 2E 32 35 0A                             .55.25.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/11-15:39:14.270540 68.99.102.105:21910 -> 134.243.55.25:10
TCP TTL:106 TOS:0x0 ID:21384 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xDC77C90D  Ack: 0x3CE5EE8B  Win: 0x40B0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

> Starting around 00 GMT today my network began getting a lot of port 10/tcp
> scans. This is a new one for me. So far all I've been able to capture are
> empty packets, e.g.:
>
> 12/11-15:01:39.724609 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
> TCP TTL:114 TOS:0x0 ID:11835 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x25A5BE86  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 12/11-15:01:41.014175 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
> TCP TTL:114 TOS:0x0 ID:11853 IpLen:20 DgmLen:40 DF
> ***A***F Seq: 0x25A5BE87  Ack: 0x38E44CF6  Win: 0xFD5C  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 12/11-15:01:41.085775 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
> TCP TTL:114 TOS:0x0 ID:11854 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x25A5BE88  Ack: 0x38E44CF7  Win: 0xFD5C  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Sources are mostly DSL/cable modem networks - lots of Comcast; sources don't
> appear to be spoofed addresses. Maybe a botnet?

Ken Eichman                 Senior Scientist
Chemical Abstracts Service  IT Information Security
2540 Olentangy River Road   614-447-3600 ext. 3230
Columbus, OH 43210          keichman at cas.org
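
As an added example (not part of Ken's post or anything from the DShield list), here is a small Python parser for the Snort-style records shown above: it reassembles the hex dump of each packet into its payload and flags IRC protocol lines, pulling the channel, reported port and reported address out of the `PRIVMSG ... :Found port N open at ip:...` message so a honeypot operator can tell which probes are bots reporting back and whether the address they report is the host they just connected to. The regular expressions, the assumed default Snort column layout and the list of IRC verbs are my assumptions; the sample input is the two records from this post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

SEPARATOR = "=+=+"  # Snort prints "=+=+=+..." between alert records

# Record header: "MM/DD-HH:MM:SS.usec src:port -> dst:port"; the anonymised
# XXX.XXX.XX.XX form in the quoted post matches as well.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)
# Hex-dump line: up to 16 byte pairs, then the ASCII column after at least one
# more space (assumption: Snort's default dump layout, as in the post).
HEX_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}\s){1,16})(?:\s|$)")
# The bot's reporting message exactly as captured on the honeypot.
REPORT_RE = re.compile(
    r"^PRIVMSG\s+(?P<channel>\S+)\s+:Found port (?P<port>\d+) open at ip:(?P<ip>[\d.]+)"
)
# Common IRC client verbs (assumption); any of these on a non-IRC port is worth a look.
IRC_VERB_RE = re.compile(r"^(PRIVMSG|NOTICE|JOIN|NICK|USER)\b")


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    irc_line: str
    channel: Optional[str] = None
    reported_port: Optional[int] = None
    reported_ip: Optional[str] = None

    @property
    def self_report(self) -> bool:
        # True when the sender reports the very host it just connected to.
        return self.reported_ip is not None and self.reported_ip == self.dst


def parse_snort_log(text: str) -> List[Packet]:
    """Split a Snort ASCII log into packets, reassembling each hex dump into bytes."""
    packets: List[Packet] = []
    current: Optional[Packet] = None
    for line in text.splitlines():
        if line.startswith(SEPARATOR):
            if current is not None:
                packets.append(current)
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            if current is not None:  # header without a separator: close the previous record
                packets.append(current)
            current = Packet(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            continue
        if current is None:
            continue
        h = HEX_RE.match(line)
        if h:  # only the hex column is decoded; the ASCII column is ignored
            current.payload += bytes.fromhex("".join(h.group(1).split()))
    if current is not None:
        packets.append(current)
    return packets


def find_irc_reports(packets: List[Packet]) -> List[Finding]:
    """Flag IRC protocol lines in captured payloads and extract any scan report."""
    findings: List[Finding] = []
    for p in packets:
        for irc_line in p.payload.decode("latin-1").splitlines():
            irc_line = irc_line.strip()
            if not IRC_VERB_RE.match(irc_line):
                continue
            f = Finding(p.ts, p.src, p.dst, p.dport, irc_line)
            r = REPORT_RE.match(irc_line)
            if r:
                f.channel, f.reported_port, f.reported_ip = r["channel"], int(r["port"]), r["ip"]
            findings.append(f)
    return findings


# Sample input: the two records from the post above (copied, not constructed).
SAMPLE_LOG = """\
12/11-15:39:14.266003 68.99.102.105:21910 -> 134.243.55.25:10
TCP TTL:106 TOS:0x0 ID:21383 IpLen:20 DgmLen:95 DF
***AP*** Seq: 0xDC77C8D6  Ack: 0x3CE5EE8B  Win: 0x40B0  TcpLen: 20
50 52 49 56 4D 53 47 20 23 64 64 6F 73 23 20 3A  PRIVMSG #ddos# :
46 6F 75 6E 64 20 70 6F 72 74 20 31 30 20 6F 70  Found port 10 op
65 6E 20 61 74 20 69 70 3A 31 33 34 2E 32 34 33  en at ip:134.243
2E 35 35 2E 32 35 0A                             .55.25.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/11-15:39:14.270540 68.99.102.105:21910 -> 134.243.55.25:10
TCP TTL:106 TOS:0x0 ID:21384 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xDC77C90D  Ack: 0x3CE5EE8B  Win: 0x40B0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

if __name__ == "__main__":
    for f in find_irc_reports(parse_snort_log(SAMPLE_LOG)):
        tag = "self-report" if f.self_report else "irc"
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} [{tag}] {f.irc_line}")
```

On the records above this yields one finding: the PRIVMSG to `#ddos#` from 68.99.102.105, reporting port 10 on 134.243.55.25, which is the honeypot itself, so `self_report` is true; the bare FIN/ACK record carries no payload and is ignored. The same decoder can be pointed at a full day's Snort log to list every source that reports back over IRC, which is a more useful pivot than the empty SYN packets alone.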
