[unisog] Major campus-wide scans at UNC

Walter G. Aiello Walter.Aiello at Duke.edu
Fri Mar 1 19:01:41 GMT 2002


Greetings Jeff:

I have seen a similar set of portscans in our firewall logs,
but from different sources than yours:

63.237.175.52 (UNREGISTERED) Qwest Communications HelloNetwork.com, Inc.

213.237.0.71 71.ppp1-1.worldonline.dk 

213.237.71.207 213.237.71.207.adsl.vg.worldonline.dk

146.115.22.101 (UNREGISTERED) RCN Corporation 105 Carnegie Center
Princeton, NJ

211.177.141.25 (UNREGISTERED) HANANET-DONGJAK-KR HANARO Telecom SEOUL
(TWO occasions)

216.153.253.222 host-216-153-253-222.choiceone.net

212.143.35.68 ADSLP35-NV-p68.adsl.netvision.net.il

There have also been an unusually large number of FTP portscans
from Seoul, Korea in the last few days.

Such a list would usually include a pile of scans from France
Telecom's Wanadoo, but I have blocked all incoming packets from
them, and they do not show up in my logs as often as previously.
For your information, an updated list of Wanadoo sources:
80.9.0.0/16
80.11.0.0/16
80.12.0.0/19
80.12.32.0/20
80.12.48.0/23
80.12.128.0/20
80.12.144.0/22
80.12.148.0/23
80.13.0.0/16
80.14.0.0/16
193.248.0.0/16
193.249.0.0/17
193.249.160.0/19
193.249.224.0/19
193.250.0.0/16
193.251.0.0/18
193.251.64.0/19
193.251.176.0/20
217.128.0.0/16
193.252.0.0/16 except for:
    193.252.4.0/24
    192.252.16.0/24
    192.252.17.0/24
    192.252.18.0/24
    193.252.64.0/19
    193.252.96.0/21
    193.252.112.0/20
    193.252.150.0/23
    193.252.152.0/21
    193.252.160.0/22
    193.252.224.0/19
193.253.0.0/16 except for:
    193.253.0.0/20
    193.253.64.0/18

Best regards to you,
Walter G. Aiello

-- 
Dr. Walter G. Aiello
Manager, Network and Information Services
Magnetic Resonance Research Section
Box 3808, Department of Radiology
Duke University Medical Center

Walter.Aiello at Duke.edu
(919) 684 7519

Jeff Bollinger wrote:
> 
> Has anyone else seen a major scan coming across their networks on a
> *large* number of ports?  We're seeing ports
> 
> 20, 21, 22, 23, 25, 43, 49, 53, 69, 70, 79, 80, 101, 110, 111, 117, 118,
> 119, 137, 139, 143, 161, 162, 194, 220, 443, 445, 513, 515, 1080, 1433,
> 2049, 3306, 3389, 5631, 6000, 8000, 34567
> 
> This scan has locked out a lot of accounts across campus (including some
> PDCs), and we're seeing the scans coming from these IPs:
> 
> 165.194.14.133
> 202.56.228.2
> 202.56.228.3
> 202.56.228.4
> 202.56.228.5
> 203.199.121.4
> 203.199.121.6
> 210.68.146.225
> 210.69.151.10
> 210.69.30.2
> 63.120.163.97
> 
> It looks like an insane Nessus scan that's causing a DDoS because we
> haven't seen any major compromises.  We are also wondering if this may
> be a "smokescreen" because we have all these boxes trying so many
> different exploits on the same systems?
> 
> Thanks,
> Jeff
> 
> --
> Jeff Bollinger
> University of North Carolina
> IT Security Analyst
> 105 Abernethy Hall
> mailto: jeff_bollinger at unc dot edu
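An added example, not code from the thread: a small Python script that applies a block list with "except for" carve-outs, in the shape of Walter's Wanadoo list, to firewall-log source addresses by longest-prefix match, so a /24 exception inside a blocked /16 wins. The log lines and the trimmed prefix set are constructed for illustration.

```python
# Added example (not from the unisog thread): match firewall-log source
# addresses against a block list with "except for" carve-outs, using the
# longest-prefix rule so that an exception like 193.252.4.0/24 inside a
# blocked 193.252.0.0/16 lets the packet through.
import ipaddress
import re

# Blocked prefixes and their exceptions, a subset of those in the post.
# A handful of entries is enough to show the logic; the full list loads the same way.
BLOCKED = ["80.9.0.0/16", "193.252.0.0/16", "193.253.0.0/16"]
EXCEPTIONS = ["193.252.4.0/24", "193.252.64.0/19", "193.253.0.0/20"]

def build_policy(blocked, exceptions):
    """Return a list of (network, action) ordered most-specific first."""
    rules = [(ipaddress.ip_network(n), "drop") for n in blocked]
    rules += [(ipaddress.ip_network(n), "accept") for n in exceptions]
    # Longest prefix first so that a /24 exception beats its enclosing /16.
    return sorted(rules, key=lambda r: r[0].prefixlen, reverse=True)

def decide(policy, src):
    """First matching rule wins; anything not listed is accepted."""
    addr = ipaddress.ip_address(src)
    for net, action in policy:
        if addr in net:
            return action
    return "accept"

# Constructed sample lines in the shape of a netfilter-style firewall log (not real traffic).
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")
SAMPLE_LOG = """\
Mar  1 18:55:01 fw kernel: IN=eth0 SRC=80.9.12.34 DST=10.0.0.5 PROTO=TCP DPT=21
Mar  1 18:55:02 fw kernel: IN=eth0 SRC=193.252.4.9 DST=10.0.0.5 PROTO=TCP DPT=80
Mar  1 18:55:03 fw kernel: IN=eth0 SRC=193.252.200.1 DST=10.0.0.5 PROTO=TCP DPT=139
Mar  1 18:55:04 fw kernel: IN=eth0 SRC=193.253.70.7 DST=10.0.0.5 PROTO=TCP DPT=22
Mar  1 18:55:05 fw kernel: IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=23
"""

def classify_log(text, policy):
    """Map each SRC address in the log to the policy decision it would get."""
    out = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out[m.group(1)] = decide(policy, m.group(1))
    return out

if __name__ == "__main__":
    for src, action in classify_log(SAMPLE_LOG, build_policy(BLOCKED, EXCEPTIONS)).items():
        print(f"{src:16} {action}")
```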
