[Dshield] Port 10/tcp scans

John Sage jsage at finchhaven.com
Thu Dec 11 18:08:24 GMT 2003


Ken:

On Thu, Dec 11, 2003 at 11:07:28AM -0500, Ken Eichman wrote:
> Date: Thu, 11 Dec 2003 11:07:28 -0500 (EST)
> From: Ken Eichman <keichman at cas.org>
> To: list at dshield.org
> Old-X-Envelope-To: list at dshield.org
> Subject: [Dshield] Port 10/tcp scans
> 
> I posted this message about an hour ago .. hasn't made it through to the
> list yet. I just grabbed the following message sent by one of the probing
> hosts:
> 
> 	"PRIVMSG #ddos# :Found port 10 open at ip:134.243.55.25"
> 
> Where 134.243.55.25 is the address of a honeypot I set up:
> 
> 12/11-15:39:14.266003 68.99.102.105:21910 -> 134.243.55.25:10
> TCP TTL:106 TOS:0x0 ID:21383 IpLen:20 DgmLen:95 DF
> ***AP*** Seq: 0xDC77C8D6  Ack: 0x3CE5EE8B  Win: 0x40B0  TcpLen: 20
> 50 52 49 56 4D 53 47 20 23 64 64 6F 73 23 20 3A  PRIVMSG #ddos# :
> 46 6F 75 6E 64 20 70 6F 72 74 20 31 30 20 6F 70  Found port 10 op
> 65 6E 20 61 74 20 69 70 3A 31 33 34 2E 32 34 33  en at ip:134.243
> 2E 35 35 2E 32 35 0A                             .55.25.
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 12/11-15:39:14.270540 68.99.102.105:21910 -> 134.243.55.25:10
> TCP TTL:106 TOS:0x0 ID:21384 IpLen:20 DgmLen:40 DF
> ***A***F Seq: 0xDC77C90D  Ack: 0x3CE5EE8B  Win: 0x40B0  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


huh..

I wondered about the fact that, below, you seem to be sending back
ACKs -- whatever is out there is sending *you* ACK/FINs and ACKs --
which suggests that you've got something listening and responding on
TCP:10.

Was the host on your end, below, the honeypot you mention above?


> > Starting around 00 GMT today my network began getting a lot of port 10/tcp
> > scans. This is a new one for me. So far all I've been able to capture are
> > empty packets, eg:
> >
> > 12/11-15:01:39.724609 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
> > TCP TTL:114 TOS:0x0 ID:11835 IpLen:20 DgmLen:48 DF
> > ******S* Seq: 0x25A5BE86  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
> > TCP Options (4) => MSS: 1460 NOP NOP SackOK
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > 12/11-15:01:41.014175 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
> > TCP TTL:114 TOS:0x0 ID:11853 IpLen:20 DgmLen:40 DF
> > ***A***F Seq: 0x25A5BE87  Ack: 0x38E44CF6  Win: 0xFD5C  TcpLen: 20
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > 12/11-15:01:41.085775 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
> > TCP TTL:114 TOS:0x0 ID:11854 IpLen:20 DgmLen:40 DF
> > ***A**** Seq: 0x25A5BE88  Ack: 0x38E44CF7  Win: 0xFD5C  TcpLen: 20
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > Sources are mostly DSL/cablemodem networks - lots of Comcast; sources don't
> > appear to be spoofed addresses. Maybe a botnet?



- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
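The inference John draws above can be made mechanical: a scanner can only send an ACK carrying a nonzero acknowledgement number after the target has answered its SYN with a SYN/ACK, so such a packet is evidence of a listener on the destination port. The following Python is an added example, not code from this thread or from DShield: it parses Snort-style alert records like the ones quoted, decodes the hex payload dump, cross-checks the payload length against DgmLen/IpLen/TcpLen, and summarises per flow whether a responder was present and whether the payload is an IRC PRIVMSG report to a channel. The sample records are re-typed from the quoted captures as constructed test input (the masked destination XXX.XXX.XX.XX is kept as written); the function names and flow-summary keys are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: Snort-style records re-typed from the thread.
SAMPLE_LOG = """\
12/11-15:39:14.266003 68.99.102.105:21910 -> 134.243.55.25:10
TCP TTL:106 TOS:0x0 ID:21383 IpLen:20 DgmLen:95 DF
***AP*** Seq: 0xDC77C8D6  Ack: 0x3CE5EE8B  Win: 0x40B0  TcpLen: 20
50 52 49 56 4D 53 47 20 23 64 64 6F 73 23 20 3A  PRIVMSG #ddos# :
46 6F 75 6E 64 20 70 6F 72 74 20 31 30 20 6F 70  Found port 10 op
65 6E 20 61 74 20 69 70 3A 31 33 34 2E 32 34 33  en at ip:134.243
2E 35 35 2E 32 35 0A                             .55.25.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/11-15:39:14.270540 68.99.102.105:21910 -> 134.243.55.25:10
TCP TTL:106 TOS:0x0 ID:21384 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xDC77C90D  Ack: 0x3CE5EE8B  Win: 0x40B0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/11-15:01:39.724609 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
TCP TTL:114 TOS:0x0 ID:11835 IpLen:20 DgmLen:48 DF
******S* Seq: 0x25A5BE86  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/11-15:01:41.014175 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
TCP TTL:114 TOS:0x0 ID:11853 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x25A5BE87  Ack: 0x38E44CF6  Win: 0xFD5C  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

FLAG_POSITIONS = "12UAPRSF"  # Snort's eight flag columns, left to right
HEADER_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IPHDR_RE = re.compile(r"^TCP TTL:\d+ TOS:\S+ ID:\d+ IpLen:(\d+) DgmLen:(\d+)")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)"
                      r"\s+Win: 0x[0-9A-Fa-f]+\s+TcpLen: (\d+)")
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} )+)")        # leading hex column of a dump line
IRC_RE = re.compile(rb"^PRIVMSG (\S+) :([^\r\n]*)")  # IRC message to a channel/nick


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    iplen: int = 0
    dgmlen: int = 0
    tcplen: int = 0
    flags: Set[str] = field(default_factory=set)
    ack: int = 0
    payload: bytes = b""

    def payload_length_consistent(self) -> bool:
        """DgmLen minus the IP and TCP header lengths must equal the bytes dumped."""
        return self.dgmlen - self.iplen - self.tcplen == len(self.payload)


def parse_snort_log(text: str) -> List[Packet]:
    """Split a Snort alert dump into Packet records at the =+=+ separators."""
    packets: List[Packet] = []
    current: Optional[Packet] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("=+=+"):
            if current is not None:
                packets.append(current)
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Packet(m.group(1), m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))
            continue
        if current is None:
            continue
        m = IPHDR_RE.match(line)
        if m:
            current.iplen, current.dgmlen = int(m.group(1)), int(m.group(2))
            continue
        m = FLAGS_RE.match(line)
        if m:
            current.flags = {f for f, col in zip(FLAG_POSITIONS, m.group(1)) if col != "*"}
            current.ack = int(m.group(3), 16)
            current.tcplen = int(m.group(4))
            continue
        m = HEX_RE.match(line)
        if m:
            current.payload += bytes.fromhex(m.group(1).replace(" ", ""))
    if current is not None:
        packets.append(current)
    return packets


def analyze(packets: List[Packet]) -> Dict[Tuple[str, str, int], Dict[str, object]]:
    """Summarise each (src, dst, dport) flow from the scanner's own packets.
    A responder is inferred when the scanner sends an ACK with a nonzero
    acknowledgement number: it can only do that after receiving a SYN/ACK."""
    flows: Dict[Tuple[str, str, int], Dict[str, object]] = {}
    for p in packets:
        f = flows.setdefault((p.src, p.dst, p.dport), {
            "syn_seen": False, "responder_present": False,
            "irc_channel": None, "irc_text": None, "length_mismatch": False})
        if "S" in p.flags:
            f["syn_seen"] = True
        if "A" in p.flags and p.ack != 0:
            f["responder_present"] = True
        if not p.payload_length_consistent():
            f["length_mismatch"] = True
        m = IRC_RE.match(p.payload)
        if m:  # bot-style status report pushed to an IRC channel
            f["irc_channel"] = m.group(1).decode("ascii", "replace")
            f["irc_text"] = m.group(2).decode("ascii", "replace")
    return flows
```

Run over the sample, the 24.10.82.240 flow shows a SYN followed by an ACK/FIN with a nonzero acknowledgement number, so `responder_present` is true even though the capture only shows the scanner's side, which is exactly the point raised above; the honeypot flow additionally yields the `#ddos#` channel and the "Found port 10 open" text, a payload signature a defender can alert on when it appears on a port that carries no legitimate IRC traffic.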