[unisog] Major campus-wide scans at UNC
David Staggs
dstaggs at vumclib.mc.vanderbilt.edu
Fri Mar 1 21:07:38 GMT 2002
Agree with the Wanadoo block. I got tired of seeing their scans filling
up my logs. What would be a good idea is to have a site where people could
register known problem networks for all to review and take appropriate
action if desired. ISPs seem to ignore reports of their users scanning
our networks. Maybe if there was a unified block by universities, they
would start to listen to complaints and take action.
Thoughts??
Regards,
On Fri, 1 Mar 2002, Walter G. Aiello wrote:
> Date: Fri, 01 Mar 2002 14:01:41 -0500
> From: Walter G. Aiello <Walter.Aiello at Duke.edu>
> To: jeff_bollinger at unc.edu
> Cc: unisog at sans.org, Security <security at unc.edu>, security at Duke.edu
> Subject: Re: [unisog] Major campus-wide scans at UNC
>
> Greetings Jeff:
>
> I have seen a similar set of portscans in our firewall logs,
> but from different sources than yours:
>
> 63.237.175.52 (UNREGISTERED) Qwest Communications HelloNetwork.com, Inc.
>
> 213.237.0.71 71.ppp1-1.worldonline.dk
>
> 213.237.71.207 213.237.71.207.adsl.vg.worldonline.dk
>
> 146.115.22.101 (UNREGISTERED) RCN Corporation 105 Carnegie Center
> Princeton, NJ
>
> 211.177.141.25 (UNREGISTERED) HANANET-DONGJAK-KR HANARO Telecom SEOUL
> (TWO occasions)
>
> 216.153.253.222 host-216-153-253-222.choiceone.net
>
> 212.143.35.68 ADSLP35-NV-p68.adsl.netvision.net.il
>
> There have also been an unusually large number of FTP portscans
> from Seoul, Korea in the last few days.
>
> Such a list would usually include a pile of scans from France
> Telcom's Wanadoo, but I have blocked all incoming packets from
> them, and they do not show up in my logs as often as previously.
> For your information, an updated list of Wanadoo sources:
> 80.9.0.0/16
> 80.11.0.0/16
> 80.12.0.0/19
> 80.12.32.0/20
> 80.12.48.0/23
> 80.12.128.0/20
> 80.12.144.0/22
> 80.12.148.0/23
> 80.13.0.0/16
> 80.14.0.0/16
> 193.248.0.0/16
> 193.249.0.0/17
> 193.249.160.0/19
> 193.249.224.0/19
> 193.250.0.0/16
> 193.251.0.0/18
> 193.251.64.0/19
> 193.251.176.0/20
> 217.128.0.0/16
> 193.252.0.0/16 except for:
>     193.252.4.0/24
>     192.252.16.0/24
>     192.252.17.0/24
>     192.252.18.0/24
>     193.252.64.0/19
>     193.252.96.0/21
>     193.252.112.0/20
>     193.252.150.0/23
>     193.252.152.0/21
>     193.252.160.0/22
>     193.252.224.0/19
> 193.253.0.0/16 except for:
>     193.253.0.0/20
>     193.253.64.0/18
>
> Best regards to you,
> Walter G. Aiello
>
> --
> Dr. Walter G. Aiello
> Manager, Network and Information Services
> Magnetic Resonance Research Section
> Box 3808, Department of Radiology
> Duke University Medical Center
>
> Walter.Aiello at Duke.edu
> (919) 684 7519
>
> Jeff Bollinger wrote:
> >
> > Has anyone else seen a major scan coming across their networks on a
> > *large* number of ports? We're seeing ports
> >
> > 20
> > 21
> > 22
> > 23
> > 25
> > 43
> > 49
> > 53
> > 69
> > 70
> > 79
> > 80
> > 101
> > 110
> > 111
> > 117
> > 118
> > 119
> > 137
> > 139
> > 143
> > 161
> > 162
> > 194
> > 220
> > 443
> > 445
> > 513
> > 515
> > 1080
> > 1433
> > 2049
> > 3306
> > 3389
> > 5631
> > 6000
> > 8000
> > 34567
> >
> > This scan has locked out a lot of accounts across campus (including some
> > PDCs), and we're seeing the scans coming from these IPs:
> >
> > 165.194.14.133
> > 202.56.228.2
> > 202.56.228.3
> > 202.56.228.4
> > 202.56.228.5
> > 203.199.121.4
> > 203.199.121.6
> > 210.68.146.225
> > 210.69.151.10
> > 210.69.30.2
> > 63.120.163.97
> >
> > It looks like an insane Nessus scan that's causing a DDoS because we
> > haven't seen any major compromises. We are also wondering if this may
> > be a "smokescreen" because we have all these boxes trying so many
> > different exploits on the same systems?
> >
> > Thanks,
> > Jeff
> >
> > --
> > Jeff Bollinger
> > University of North Carolina
> > IT Security Analyst
> > 105 Abernethy Hall
> > mailto: jeff_bollinger at unc dot edu
>
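Walter's Wanadoo list is a block-with-exceptions ruleset, and on a first-match firewall the "except for" carve-outs have to be matched before the parent range is dropped or they never take effect. The Python below is an added example, not code from this thread or from any of the posters. It loads the ranges exactly as posted, reports any carve-out that does not lie inside the parent it was listed under (as posted, the three 192.252.x.0/24 entries under 193.252.0.0/16 fall outside it and so could never match), answers whether a given source would be dropped, and prints iptables rules for a dedicated chain in the order a first-match ruleset needs. The chain name WANADOO and the RETURN/DROP targets are assumptions for illustration; the sample source addresses in the usage section are taken from the thread.

```python
"""Blocklist with carve-outs, worked against the Wanadoo list in this thread.

Added example, not code from the unisog thread. It validates the carve-outs,
answers "would this source be dropped?", and emits iptables rules in the
order a first-match ruleset needs (carve-outs before the parent DROP).
"""
from ipaddress import ip_address, ip_network

# Ranges transcribed from Walter Aiello's list. Each parent range maps to the
# "except for" carve-outs posted under it (empty list = none). The
# 192.252.x.0/24 entries are copied exactly as posted, not corrected.
WANADOO_BLOCKS = {
    "80.9.0.0/16": [],
    "80.11.0.0/16": [],
    "80.12.0.0/19": [],
    "80.12.32.0/20": [],
    "80.12.48.0/23": [],
    "80.12.128.0/20": [],
    "80.12.144.0/22": [],
    "80.12.148.0/23": [],
    "80.13.0.0/16": [],
    "80.14.0.0/16": [],
    "193.248.0.0/16": [],
    "193.249.0.0/17": [],
    "193.249.160.0/19": [],
    "193.249.224.0/19": [],
    "193.250.0.0/16": [],
    "193.251.0.0/18": [],
    "193.251.64.0/19": [],
    "193.251.176.0/20": [],
    "217.128.0.0/16": [],
    "193.252.0.0/16": [
        "193.252.4.0/24", "192.252.16.0/24", "192.252.17.0/24",
        "192.252.18.0/24", "193.252.64.0/19", "193.252.96.0/21",
        "193.252.112.0/20", "193.252.150.0/23", "193.252.152.0/21",
        "193.252.160.0/22", "193.252.224.0/19",
    ],
    "193.253.0.0/16": ["193.253.0.0/20", "193.253.64.0/18"],
}


def validate_carve_outs(blocks):
    """Return carve-outs that do not lie inside the parent they were listed under.

    A carve-out outside its parent can never take effect, so it is almost
    always a transcription error and should be checked before deployment.
    """
    bad = []
    for parent, exceptions in blocks.items():
        parent_net = ip_network(parent)
        for exc in exceptions:
            if not ip_network(exc).subnet_of(parent_net):
                bad.append(exc)
    return bad


def is_blocked(ip, blocks=WANADOO_BLOCKS):
    """True if ip falls in a parent range and in none of that parent's carve-outs."""
    addr = ip_address(ip)
    for parent, exceptions in blocks.items():
        if addr in ip_network(parent):
            return not any(addr in ip_network(exc) for exc in exceptions)
    return False


def iptables_rules(blocks=WANADOO_BLOCKS, chain="WANADOO"):
    """Emit rules for a dedicated chain (hypothetical name) in first-match order.

    For each parent: RETURN for every valid carve-out first, then DROP the
    parent. Carve-outs outside the parent are skipped since they never match.
    Jump to the chain from INPUT with: iptables -A INPUT -j WANADOO
    """
    rules = []
    for parent, exceptions in blocks.items():
        parent_net = ip_network(parent)
        for exc in exceptions:
            if ip_network(exc).subnet_of(parent_net):
                rules.append(f"-A {chain} -s {exc} -j RETURN")
        rules.append(f"-A {chain} -s {parent} -j DROP")
    return rules


if __name__ == "__main__":
    for exc in validate_carve_outs(WANADOO_BLOCKS):
        print(f"carve-out {exc} lies outside its parent range; check transcription")
    # Sources from the thread: a Wanadoo address, a carved-out one, and one
    # of Walter's non-Wanadoo scan sources (constructed for illustration).
    for src in ("80.9.1.2", "193.252.4.9", "193.252.5.1", "63.237.175.52"):
        print(f"{src}: {'DROP' if is_blocked(src) else 'pass'}")
    print("\n".join(iptables_rules()))
```

The validation step is the one worth keeping even if you never use the rule generator: a carve-out that is not a subnet of its parent is silently dead in every firewall, and the only symptom is a complaint from whoever lives in the range that was supposed to be exempt.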
