[Dshield] Port 4460 from subnet 130.13.x.x
ltr at isc.upenn.edu
Sun Nov 20 17:50:13 GMT 2005

I'm seeing some strange activity from subnet 130.13.x.x. I have a LaBrea
Tarpit (Thanks Tom!) running in the 130.91.x.x range and am seeing
connections from various 130.13.x.x addresses. All scans I am seeing, with
the exception of one address, are using 130.13.x.x. The scans hit port 445
two times and then hit port 4460. In the last 24 hours I have logged 82
unique IP addresses. Banners on four of the hosts that got tarpitted show
"Reptile welcomes you" so I am thinking someone may have either added a
'connect to' shell for port 4460 or maybe it is scanning for port 4460 for
some other reason.

I'm trying to cap some packets but haven't had any luck yet. I set up a
vulnerable honeypot which is allowing only traffic from the 130.13.x.x range
and hope to gain some more information.

Is anyone else seeing this kind of activity?

David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
SANS - The Twenty Most Critical Internet Security Vulnerabilities
SANS - Internet Storm Center
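
Added example, not part of the original post: one way to pull the reported pattern (two hits on port 445 followed by a hit on port 4460) out of connection logs and count matching sources per subnet. The log format, the 60-second window, the function names and the documentation-range addresses are all assumptions made for this sketch.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample in an assumed format: "epoch_seconds src_ip dst_ip dst_port".
# Addresses are documentation ranges; this is not real LaBrea output.
SAMPLE_LOG = """\
1132500000 192.0.2.10 203.0.113.5 445
1132500001 192.0.2.10 203.0.113.5 445
1132500003 192.0.2.10 203.0.113.5 4460
1132500010 192.0.2.77 203.0.113.9 445
1132500012 192.0.2.77 203.0.113.9 445
1132500015 192.0.2.77 203.0.113.9 4460
1132500020 198.51.100.3 203.0.113.5 445
1132500021 198.51.100.3 203.0.113.5 445
1132500030 198.51.100.8 203.0.113.7 445
1132500031 198.51.100.8 203.0.113.7 445
1132503630 198.51.100.8 203.0.113.7 4460
malformed line here
"""

PATTERN = (445, 445, 4460)  # port sequence described in the post

def parse(log):
    """Yield (ts, src, dst, port) tuples, skipping lines that do not parse."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[3].isdigit():
            yield int(parts[0]), parts[1], parts[2], int(parts[3])

def find_scanners(log, pattern=PATTERN, window=60):
    """Map each source to the targets it hit with `pattern`, in order and back
    to back, within `window` seconds (the window is an assumed threshold)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(parse(log)):
        by_pair[(src, dst)].append((ts, port))
    hits = defaultdict(set)
    for (src, dst), events in by_pair.items():
        for i in range(len(events) - len(pattern) + 1):
            chunk = events[i:i + len(pattern)]
            ports = tuple(port for _, port in chunk)
            if ports == pattern and chunk[-1][0] - chunk[0][0] <= window:
                hits[src].add(dst)
                break
    return {src: sorted(dsts) for src, dsts in hits.items()}

def by_subnet(sources, prefix=16):
    """Count matching sources per enclosing network of the given prefix length."""
    return dict(Counter(str(ip_network(f"{s}/{prefix}", strict=False)) for s in sources))

if __name__ == "__main__":
    found = find_scanners(SAMPLE_LOG)
    print(found, by_subnet(found))
```

Sources that only probe 445, or that reach 4460 long after the 445 hits, are not reported, which keeps ordinary SMB scanning out of the result.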