[Dshield] MS04-007 exploit

Joseph Stahley 3rd jestahley3 at cox.net
Sun Feb 15 03:24:11 GMT 2004


No port 80s last night or in the past 3 hours since the increase on 135 and
445. I'm still averaging 60 probes an hour as of 7:07 pm PST; notables now
are the Far East domains from China, Taiwan, Hong Kong and Korea. And with a
new twist: being probed by cox.net's nameserver on ports 2181, 2149, 2195 and
2134 (maybe they're checking to see if I am still alive... lol).

Here is what I am seeing. This is incoming only (one record per line: date, time, direction, source IP, source hostname if resolved, source port, target, destination port).

Date	Time	Dir	Source IP	Source host	Src port	Target	Dst port
2/14/2004	5:01:46 PM	I	68.78.38.235		2813	ROUTER	135
2/14/2004	5:02:07 PM	I	68.78.38.235		3337	ROUTER	445
2/14/2004	5:03:25 PM	I	67.243.60.18	1cust18.tnt4.north-port.fl.da.uu.net	1352	ROUTER	445
2/14/2004	5:10:15 PM	I	68.148.163.115	h68-148-163-115.ed.shawcable.net	2840	ROUTER	445
2/14/2004	5:12:25 PM	I	61.223.149.24	61-223-149-24.hinet-ip.hinet.net	2155	ROUTER	445
2/14/2004	5:16:48 PM	I	200.51.70.251	1076820476	64333	ROUTER	445
2/14/2004	5:18:20 PM	I	213.151.103.202	!	2489	ROUTER	445
2/14/2004	5:21:13 PM	I	200.105.14.191	!	27888	ROUTER	1029
2/14/2004	5:21:46 PM	I	61.10.125.37	cm61-10-125-37.hkcable.com.hk	3833	ROUTER	1433
2/14/2004	5:22:17 PM	I	81.218.34.147	bzq-218-34-147.cablep.bezeqint.net	2953	ROUTER	445
2/14/2004	5:23:23 PM	I	68.251.36.140	ppp-68-251-36-140.dsl.chcgil.ameritech.net	1035	ROUTER	137
2/14/2004	5:24:10 PM	I	68.8.186.127	ip68-8-186-127.sd.sd.cox.net	2632	ROUTER	445
2/14/2004	5:25:07 PM	I	63.202.187.90	adsl-63-202-187-90.dsl.snfc21.pacbell.net	4484	ROUTER	445
2/14/2004	5:30:50 PM	I	68.23.218.229	adsl-68-23-218-229.dsl.wotnoh.ameritech.net	4670	ROUTER	135
2/14/2004	5:31:11 PM	I	68.23.218.229	adsl-68-23-218-229.dsl.wotnoh.ameritech.net	1286	ROUTER	445
2/14/2004	5:31:57 PM	I	68.145.64.66	h68-145-64-66.cg.shawcable.net	1182	ROUTER	445
2/14/2004	5:32:10 PM	I	67.250.79.150	2cust150.tnt9.krk1.da.uu.net	4553	ROUTER	135
2/14/2004	5:32:27 PM	I	214.64.151.116	!	9704	ROUTER	1026
2/14/2004	5:32:50 PM	I	214.29.106.21	!	22438	ROUTER	1027
2/14/2004	5:33:56 PM	I	68.76.107.12	adsl-68-76-107-12.dsl.bcvloh.ameritech.net	4395	ROUTER	135
2/14/2004	5:34:17 PM	I	68.76.107.12	adsl-68-76-107-12.dsl.bcvloh.ameritech.net	1993	ROUTER	445
2/14/2004	5:34:26 PM	I	68.8.61.32	ip68-8-61-32.sd.sd.cox.net	3027	ROUTER	445
2/14/2004	5:36:36 PM	I	202.194.124.133	!	220	ROUTER	6129
2/14/2004	5:38:28 PM	I	68.8.184.163	ip68-8-184-163.sd.sd.cox.net	1531	ROUTER	445
2/14/2004	5:38:36 PM	I	67.249.230.161	1cust161.tnt43.dca5.da.uu.net	3209	ROUTER	135
2/14/2004	5:38:37 PM	I	68.8.184.163	ip68-8-184-163.sd.sd.cox.net	1531	ROUTER	445
2/14/2004	5:38:42 PM	I	68.78.129.128	adsl-68-78-129-128.dsl.emhril.ameritech.net	2900	ROUTER	135
2/14/2004	5:39:02 PM	I	68.78.129.128	adsl-68-78-129-128.dsl.emhril.ameritech.net	3628	ROUTER	445
2/14/2004	5:39:38 PM	I	67.249.230.161	1cust161.tnt43.dca5.da.uu.net	4405	ROUTER	135
2/14/2004	5:41:17 PM	I	200.89.192.26	proxytemp	3539	ROUTER	445
2/14/2004	5:44:02 PM	I	68.20.6.187	ppp-68-20-6-187.dsl.emhril.ameritech.net	3313	ROUTER	135
2/14/2004	5:44:05 PM	I	68.20.6.187	ppp-68-20-6-187.dsl.emhril.ameritech.net	3313	ROUTER	135
2/14/2004	5:44:12 PM	I	24.173.35.180	rrcs-sw-24-173-35-180.biz.rr.com	9823	ROUTER	1026
2/14/2004	5:44:23 PM	I	68.20.6.187	ppp-68-20-6-187.dsl.emhril.ameritech.net	3858	ROUTER	445
2/14/2004	5:48:11 PM	I	24.73.68.206	rrcs-se-24-73-68-206.biz.rr.com	2330	ROUTER	135
2/14/2004	5:48:32 PM	I	24.73.68.206	rrcs-se-24-73-68-206.biz.rr.com	2866	ROUTER	445
2/14/2004	5:50:51 PM	I	68.77.101.190	adsl-68-77-101-190.dsl.lgtpmi.ameritech.net	3942	ROUTER	1434
2/14/2004	5:52:17 PM	I	212.90.254.234	proxyizomat	2168	ROUTER	445
2/14/2004	5:53:02 PM	I	66.120.161.80	adsl-66-120-161-80.dsl.sntc01.pacbell.net	60001	ROUTER	137
2/14/2004	5:54:37 PM	I	68.73.142.193	adsl-68-73-142-193.dsl.wotnoh.ameritech.net	2430	ROUTER	135
2/14/2004	5:54:58 PM	I	68.73.142.193	adsl-68-73-142-193.dsl.wotnoh.ameritech.net	4471	ROUTER	445
2/14/2004	5:58:20 PM	I	66.125.93.56	adsl-66-125-93-56.dsl.sntc01.pacbell.net	4048	ROUTER	445
2/14/2004	6:04:41 PM	I	68.8.184.78	ip68-8-184-78.sd.sd.cox.net	1872	ROUTER	445
2/14/2004	6:06:18 PM	I	210.216.236.160	!	2261	ROUTER	445
2/14/2004	6:07:22 PM	I	220.96.28.43	p6043-ipad67marunouchi.tokyo.ocn.ne.jp	1588	ROUTER	445
2/14/2004	6:08:21 PM	I	66.167.204.52	h-66-167-204-52.snvacaid.dynamic.covad.net	3414	ROUTER	135
2/14/2004	6:08:51 PM	I	201.4.86.72	user.72.86.4.201.dial-ip.telemar.net.br	1589	ROUTER	445
2/14/2004	6:09:13 PM	I	67.68.239.122	toronto-hse-ppp3784685.sympatico.ca	3231	ROUTER	135
2/14/2004	6:09:14 PM	I	68.8.231.92	ip68-8-231-92.sd.sd.cox.net	3037	ROUTER	445
2/14/2004	6:09:16 PM	I	67.68.239.122	toronto-hse-ppp3784685.sympatico.ca	3231	ROUTER	135
2/14/2004	6:09:18 PM	I	68.8.231.92	ip68-8-231-92.sd.sd.cox.net	3037	ROUTER	445
2/14/2004	6:09:22 PM	I	67.68.239.122	toronto-hse-ppp3784685.sympatico.ca	3231	ROUTER	135
2/14/2004	6:09:23 PM	I	68.8.231.92	ip68-8-231-92.sd.sd.cox.net	3048	ROUTER	445
2/14/2004	6:10:11 PM	I	68.20.215.238	adsl-68-20-215-238.dsl.chcgil.ameritech.net	4609	ROUTER	135
2/14/2004	6:10:32 PM	I	68.20.215.238	adsl-68-20-215-238.dsl.chcgil.ameritech.net	1260	ROUTER	445
2/14/2004	6:12:43 PM	I	68.23.102.203	adsl-68-23-102-203.dsl.emhril.ameritech.net	3254	ROUTER	135
2/14/2004	6:13:04 PM	I	68.23.102.203	adsl-68-23-102-203.dsl.emhril.ameritech.net	3692	ROUTER	445
2/14/2004	6:19:29 PM	I	68.8.231.92	ip68-8-231-92.sd.sd.cox.net	3037	ROUTER	445
2/14/2004	6:22:54 PM	I	68.94.120.55	adsl-68-94-120-55.dsl.hstntx.swbell.net	1150	ROUTER	445
2/14/2004	6:27:25 PM	I	24.190.150.67	ool-18be9643.dyn.optonline.net	2422	ROUTER	135
2/14/2004	6:30:24 PM	I	68.148.219.11	h68-148-219-11.ed.shawcable.net	2335	ROUTER	445
2/14/2004	6:32:21 PM	I	201.128.253.75	dsl-201-128-253-75.prod-infinitum.com.mx	4892	ROUTER	445
2/14/2004	6:33:43 PM	I	81.251.49.74	amontpellier-103-1-12-74.w81-251.abo.wanadoo.fr	2446	ROUTER	17300
2/14/2004	6:35:46 PM	I	219.128.14.34	yujun	4984	ROUTER	445
2/14/2004	6:35:48 PM	I	24.87.104.167	h24-87-104-167.vs.shawcable.net	4571	ROUTER	445
2/14/2004	6:35:56 PM	I	219.128.14.34	yujun	4984	ROUTER	445
2/14/2004	6:41:44 PM	I	218.18.44.84	!	3120	ROUTER	3127
2/14/2004	6:45:29 PM	I	68.8.91.254	ip68-8-91-254.sd.sd.cox.net	3161	ROUTER	445
2/14/2004	6:50:09 PM	I	210.58.150.28	210-58-150-28.cm.apol.com.tw	80	ROUTER	1038
2/14/2004	6:52:08 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2134
2/14/2004	6:55:18 PM	I	219.77.49.191	n219077049191.netvigator.com	3800	ROUTER	445
2/14/2004	6:56:10 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2134
2/14/2004	6:56:11 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2149
2/14/2004	6:56:35 PM	I	68.8.94.42	ip68-8-94-42.sd.sd.cox.net	3736	ROUTER	445
2/14/2004	6:56:39 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2149
2/14/2004	6:56:44 PM	I	68.8.94.42	ip68-8-94-42.sd.sd.cox.net	3736	ROUTER	445
2/14/2004	6:57:09 PM	I	24.26.1.205	205-1.26-24.tampabay.rr.com	2177	ROUTER	1433
2/14/2004	6:57:10 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2134
2/14/2004	6:57:12 PM	I	24.26.1.205	205-1.26-24.tampabay.rr.com	2177	ROUTER	1433
2/14/2004	6:57:12 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2149
2/14/2004	6:58:10 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2134
2/14/2004	6:58:12 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2149
2/14/2004	6:59:10 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2134
2/14/2004	6:59:12 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2149
2/14/2004	7:00:33 PM	I	213.215.96.222	pc30-vm.mcrn.sk	4832	ROUTER	445
2/14/2004	7:00:43 PM	I	213.65.59.140	h140n2fls32o1117.telia.com	3757	ROUTER	445
2/14/2004	7:01:12 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2149
2/14/2004	7:01:40 PM	I	63.52.23.187	pool-63.52.23.187.atln.grid.net	2996	ROUTER	135
2/14/2004	7:01:48 PM	I	4.5.112.74	wbar3.sea1-4-5-112-074.sea1.dsl-verizon.net	4670	ROUTER	135
2/14/2004	7:01:49 PM	I	63.52.23.187	pool-63.52.23.187.atln.grid.net	2996	ROUTER	135
2/14/2004	7:01:51 PM	I	4.5.112.74	wbar3.sea1-4-5-112-074.sea1.dsl-verizon.net	4670	ROUTER	135
2/14/2004	7:02:02 PM	I	63.52.23.187	pool-63.52.23.187.atln.grid.net	3358	ROUTER	445
2/14/2004	7:02:12 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2149
2/14/2004	7:03:31 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2181
2/14/2004	7:04:30 PM	I	203.162.152.176	!	2059	ROUTER	445
2/14/2004	7:04:36 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2181
2/14/2004	7:04:36 PM	I	203.162.152.176		2059	ROUTER	445
2/14/2004	7:04:37 PM	I	221.232.160.103	!	777	ROUTER	1026
2/14/2004	7:05:00 PM	I	203.162.152.176		2059	ROUTER	445
2/14/2004	7:05:32 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2181
2/14/2004	7:06:42 PM	I	219.133.253.30	!	1932	ROUTER	445
2/14/2004	7:06:47 PM	I	219.133.253.30		1932	ROUTER	445
2/14/2004	7:07:32 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2181
2/14/2004	7:10:13 PM	I	68.8.190.253	ip68-8-190-253.sd.sd.cox.net	3179	ROUTER	445
2/14/2004	7:10:32 PM	I	68.1.17.237	ns.cox.net	53	ROUTER	2181
2/14/2004	7:11:56 PM	I	68.8.190.253	ip68-8-190-253.sd.sd.cox.net	4901	ROUTER	445
2/14/2004	7:14:40 PM	I	61.141.112.196	!	4242	ROUTER	445
2/14/2004	7:15:12 PM	I	68.251.179.68	adsl-68-251-179-68.dsl.ipltin.ameritech.net	4094	ROUTER	135
2/14/2004	7:15:32 PM	I	68.251.179.68	adsl-68-251-179-68.dsl.ipltin.ameritech.net	4718	ROUTER	445

Joe
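An added example, not part of Joe's post or anything from DShield: a small Python script that parses a firewall log in the tab-separated layout above (tolerating the two-line wrapping the mail introduced), strips out packets that have the shape of replies to the host's own traffic (the ns.cox.net entries are source port 53 to an ephemeral port, i.e. DNS answers, not probes), and then applies the discriminator Johannes asks about: did a source that hit 135/445 also hit port 80? The sample log is constructed: six records are copied from the log above, and one hypothetical port-80 hit from 24.73.68.206 is added purely to exercise that check; it does not appear in the real log.

```python
"""Summarise a personal-firewall log in the layout pasted in the post.

Record layout (tab-separated): date, time, direction (I = inbound),
source IP, reverse-DNS name (blank or "!" when unresolved), source
port, local target ("ROUTER"), destination port.  Mail wrapping may
split a record over two lines; a continuation line never starts with
a date, so it is glued back onto the previous record.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: six records copied from the post's log (in the
# wrapped form the mail arrived in) plus ONE hypothetical port-80 hit
# from 24.73.68.206 that is not in the real log, added only so the
# "same source also hit 80" check has something to find.
SAMPLE_LOG = """\
2/14/2004\t5:01:46 PM\tI\t68.78.38.235\t\t2813
ROUTER\t135
2/14/2004\t5:02:07 PM\tI\t68.78.38.235\t\t3337
ROUTER\t445
2/14/2004\t5:18:20 PM\tI\t213.151.103.202\t!\t2489
ROUTER\t445
2/14/2004\t5:48:11 PM\tI\t24.73.68.206
rrcs-se-24-73-68-206.biz.rr.com\t2330\tROUTER\t135
2/14/2004\t5:48:32 PM\tI\t24.73.68.206
rrcs-se-24-73-68-206.biz.rr.com\t2866\tROUTER\t445
2/14/2004\t5:49:10 PM\tI\t24.73.68.206
rrcs-se-24-73-68-206.biz.rr.com\t2901\tROUTER\t80
2/14/2004\t6:56:10 PM\tI\t68.1.17.237\tns.cox.net\t53
ROUTER\t2134
"""

DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}\t")


def unwrap(text):
    """Rejoin records that mail wrapping split across two lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if DATE_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\t" + line      # continuation of previous record
    return records


def parse(text):
    """Return one dict per record with typed fields."""
    events = []
    for rec in unwrap(text):
        fields = rec.split("\t")
        if len(fields) != 8:
            raise ValueError(f"expected 8 fields, got {len(fields)}: {rec!r}")
        date, time, direction, src_ip, host, src_port, target, dst_port = fields
        events.append({
            "when": datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p"),
            "dir": direction,
            "src_ip": src_ip,
            "host": None if host in ("", "!") else host,
            "src_port": int(src_port),
            "target": target,
            "dst_port": int(dst_port),
        })
    return events


def is_reply_shaped(e):
    """Well-known source port talking to an ephemeral destination port:
    the shape of an answer to the host's own traffic (e.g. ns.cox.net
    53 -> 2134), which should not be counted as a probe."""
    return e["src_port"] < 1024 <= e["dst_port"]


def split_replies(events):
    probes = [e for e in events if not is_reply_shaped(e)]
    replies = [e for e in events if is_reply_shaped(e)]
    return probes, replies


def port_counts(events):
    return Counter(e["dst_port"] for e in events)


def hourly_rate(events):
    """Probe count per clock hour, keyed 'YYYY-mm-dd HH'."""
    return Counter(e["when"].strftime("%Y-%m-%d %H") for e in events)


def classify_sources(events):
    """Johannes's discriminator: 135/445 plus port 80 from the same
    source matches the MyDoom-B scanning he mentions; 135/445 alone is
    ambiguous and only a packet capture settles whether it was an
    ASN.1 (MS04-007) attempt."""
    ports_by_src = defaultdict(set)
    for e in events:
        ports_by_src[e["src_ip"]].add(e["dst_port"])
    verdict = {}
    for ip, ports in ports_by_src.items():
        if ports & {135, 445}:
            verdict[ip] = ("135/445 plus 80: matches MyDoom-B scanning" if 80 in ports
                           else "135/445 only: ambiguous, capture packets")
        else:
            verdict[ip] = "other"
    return verdict


def summarize(text):
    probes, replies = split_replies(parse(text))
    return {"probes": len(probes), "replies_excluded": len(replies),
            "by_port": dict(port_counts(probes)),
            "per_hour": dict(hourly_rate(probes)),
            "sources": classify_sources(probes)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log above, the reply filter removes every ns.cox.net line before the hourly rate is computed, and every 135/445 source comes back as ambiguous, which is exactly why the reply below says a packet capture is needed to tell the two toys apart.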

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Johannes B. Ullrich
Sent: Saturday, February 14, 2004 5:55 PM
To: General DShield Discussion List
Subject: RE: [Dshield] MS04-007 exploit


Port 135/445 scans can also be due to MyDoom-B. Did you see port 80 from the
same sources?

It will require full packet captures to figure out which toy hit you.


On Sat, 2004-02-14 at 19:39, Joseph Stahley 3rd wrote:
> Hmm, looks like I got hammered with this exploit last night (2-13) 9pm
> PST when I got a lot of probes from ports 135 and 445, averaged 400
> probes per hour for about 3 hours, then it died down to about 50, and
> finally about 10am PST this morning it was down to 5 or 6 an hour. It
> appeared mostly from sites in Asia (it would have been around 1pm or 2pm
> in some parts of Asia).
> 
> Curious thing: I live in San Diego, CA and got a lot of probing from
> Asia; was wondering if you East Coast guys will get this from Europe-based
> or Asia-based IP addresses.
> 
> Joe
> 
> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On 
> Behalf Of Johannes B. Ullrich
> Sent: Saturday, February 14, 2004 4:23 PM
> To: list at dshield.org
> Subject: [Dshield] MS04-007 exploit
> 
> 
> Just a quick note that a DoS exploit is out for the ASN vulnerability.
> Works nicely. More will be posted to the diary at http://isc.sans.org 
> shortly.
> 
> This is the last warning to patch your systems. The exploit is not far 
> from "running arbitrary code". Looks like so far it's mostly targeting 
> port 445/tcp.
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm