[Dshield] Port 4460 from subnet 130.13.x.x

David Taylor ltr at isc.upenn.edu
Sun Nov 20 17:50:13 GMT 2005


I'm seeing some strange activity from subnet 130.13.x.x.  I have a LaBrea
Tarpit (Thanks Tom!) running in the 130.91.x.x range and am seeing
connections from various 130.13.x.x addresses.  All scans I am seeing, with
the exception of one address, are using 130.13.x.x. The scans hit port 445
two times and then hit port 4460.  In the last 24 hours I have logged 82
unique IP addresses.  Banners on four of the hosts that got tarpitted show
"Reptile welcomes you" so I am thinking someone may have either added a
'connect to' shell for port 4460 or maybe it is scanning for port 4460 for
some other reason.  

I'm trying to cap some packets but haven't had any luck yet.  I set up a
vulnerable honeypot which is allowing only traffic from the 130.13.x.x range
and hope to gain some more information.

Is anyone else seeing this kind of activity?


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
================================================== 

SANS - The Twenty Most Critical Internet Security Vulnerabilities 
http://www.sans.org/top20/

SANS - Internet Storm Center
http://isc.sans.org

irc.freenode.net #dshielders
http://freenode.net/
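
Added example, not part of the original message: one way to pick the pattern reported above (two connections to port 445, then one to port 4460) out of connection logs and list the sources showing it. The log layout, the sample addresses, the per-target matching and the 60-second window are assumptions made for illustration; this is not LaBrea's native log format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines: "epoch src_ip dst_ip dst_port" (assumed layout,
# made-up host addresses; not LaBrea's own log format).
SAMPLE_LOG = """\
1132500000 130.13.10.5 130.91.1.20 445
1132500003 130.13.10.5 130.91.1.20 445
1132500009 130.13.10.5 130.91.1.20 4460
1132500010 130.13.77.9 130.91.1.21 445
1132500015 192.0.2.7 130.91.1.22 445
1132500016 192.0.2.7 130.91.1.22 445
1132500020 192.0.2.7 130.91.1.22 4460
1132500021 130.13.77.9 130.91.1.21 4460
1132500030 130.13.200.1 130.91.1.23 445
1132500031 130.13.200.1 130.91.1.23 445
1132500500 130.13.200.1 130.91.1.23 4460
"""

PATTERN = (445, 445, 4460)  # port sequence described in the post

def parse(log):
    """Yield (ts, src, dst, port) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        try:
            ts, src, dst, port = parts
            yield int(ts), ipaddress.ip_address(src), dst, int(port)
        except ValueError:
            continue

def find_scanners(log, watch_net="130.13.0.0/16", window=60):
    """Map source IP -> targets that saw PATTERN within `window` seconds.
    watch_net=None checks every source (the post notes one outlier address)."""
    net = ipaddress.ip_network(watch_net) if watch_net else None
    recent = defaultdict(list)   # (src, dst) -> last three (ts, port) events
    hits = defaultdict(set)      # src -> targets where the pattern completed
    for ts, src, dst, port in sorted(parse(log), key=lambda r: r[0]):
        if net is not None and src not in net:
            continue
        seq = recent[(src, dst)]
        seq.append((ts, port))
        del seq[:-len(PATTERN)]  # keep a sliding window of three events
        if tuple(p for _, p in seq) == PATTERN and ts - seq[0][0] <= window:
            hits[str(src)].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

Counting the keys of the returned mapping gives the number of unique source addresses showing the pattern, the same kind of figure as the 82 reported in the message.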




