[unisog] Unusual volume: UDP:137 probes

Peter Van Epp vanepp at sfu.ca
Mon Sep 30 21:58:32 GMT 2002


An interesting picture. A perl script scanned the argus logs for port
137 udp scans starting on Tuesday (to get the base line) continuing through
yesterday. Then did a head -100 on the files and chopped out the middle.
What's left is a picture of how the worm is spreading. Note the constant rise
in the number of machines scanned by the 100th machine and the buildup
starting Thursday. Note an apparent limit of ~2000 hosts per scan and/or a
time limit on the scan before presumably going somewhere else (this also
whacked a compromised machine that was doing a manual 137 scan that doesn't
look to be worm related :-)):

From: Tue 09/24 00:00:56 To: Tue 09/24 23:59:19

168.143.120.243 scanned 435 hosts from Tue 09/24 01:51:48 to Tue 09/24 21:22:46
137.82.179.93 scanned 344 hosts from Tue 09/24 15:35:16 to Tue 09/24 15:35:16
63.242.133.66 scanned 254 hosts from Tue 09/24 00:09:20 to Tue 09/24 00:09:20
206.12.17.130 scanned 138 hosts from Tue 09/24 17:32:12 to Tue 09/24 21:15:52
...
62.59.139.9 scanned 3 hosts from Tue 09/24 11:34:18 to Tue 09/24 11:34:18

From: Wed 09/25 00:03:56 To: Wed 09/25 23:59:57

62.139.114.151 scanned 254 hosts from Wed 09/25 19:03:29 to Wed 09/25 19:10:20
206.12.17.130 scanned 143 hosts from Wed 09/25 00:09:41 to Wed 09/25 23:40:20
142.104.196.131 scanned 124 hosts from Wed 09/25 00:11:50 to Wed 09/25 23:49:53
64.180.240.30 scanned 61 hosts from Wed 09/25 16:36:10 to Wed 09/25 23:57:47
...
207.71.92.221 scanned 3 hosts from Wed 09/25 12:36:59 to Wed 09/25 15:15:47


From: Thu 09/26 00:00:36 To: Thu 09/26 23:58:12

64.180.240.30 scanned 1794 hosts from Thu 09/26 00:00:36 to Thu 09/26 22:26:27
198.107.26.157 scanned 512 hosts from Thu 09/26 14:43:53 to Thu 09/26 14:46:03
130.94.247.48 scanned 213 hosts from Thu 09/26 16:33:07 to Thu 09/26 16:33:32
165.247.222.65 scanned 145 hosts from Thu 09/26 18:31:40 to Thu 09/26 20:31:24
165.247.221.78 scanned 144 hosts from Thu 09/26 15:49:34 to Thu 09/26 16:34:59
206.12.17.130 scanned 142 hosts from Thu 09/26 00:04:41 to Thu 09/26 23:51:22
142.104.196.131 scanned 131 hosts from Thu 09/26 00:23:54 to Thu 09/26 23:55:33
...
142.177.105.55 scanned 2 hosts from Thu 09/26 15:10:17 to Thu 09/26 15:08:55

From: Fri 09/27 00:03:38 To: Fri 09/27 23:52:16

217.125.79.93 scanned 1536 hosts from Fri 09/27 11:53:03 to Fri 09/27 11:57:47
218.233.173.169 scanned 1280 hosts from Fri 09/27 21:35:47 to Fri 09/27 21:38:55
61.180.68.12 scanned 1280 hosts from Fri 09/27 20:13:14 to Fri 09/27 20:17:01
80.98.50.68 scanned 1279 hosts from Fri 09/27 08:56:05 to Fri 09/27 08:59:46
142.59.209.9 scanned 1275 hosts from Fri 09/27 11:44:14 to Fri 09/27 11:47:36
217.216.204.98 scanned 1242 hosts from Fri 09/27 11:41:34 to Fri 09/27 11:44:29
212.187.35.100 scanned 1181 hosts from Fri 09/27 12:46:12 to Fri 09/27 12:49:48
218.54.89.207 scanned 1155 hosts from Fri 09/27 18:31:31 to Fri 09/27 18:34:27
...
210.66.23.94 scanned 218 hosts from Fri 09/27 22:09:57 to Fri 09/27 22:10:34

From: Sat 09/28 00:02:58 To: Sat 09/28 23:59:32

211.229.138.44 scanned 1536 hosts from Sat 09/28 11:19:55 to Sat 09/28 11:24:09
218.237.80.13 scanned 1368 hosts from Sat 09/28 18:25:35 to Sat 09/28 18:29:18
200.48.52.241 scanned 1361 hosts from Sat 09/28 20:18:46 to Sat 09/28 20:22:20
161.132.226.18 scanned 1288 hosts from Sat 09/28 12:52:35 to Sat 09/28 12:56:14
61.146.48.212 scanned 1278 hosts from Sat 09/28 20:48:44 to Sat 09/28 20:52:33
...
213.98.212.155 scanned 633 hosts from Sat 09/28 17:27:33 to Sat 09/28 17:29:13

From: Sun 09/29 00:03:06 To: Mon 09/30 00:00:03

61.156.142.133 scanned 2044 hosts from Sun 09/29 21:36:54 to Sun 09/29 21:38:45
61.216.137.28 scanned 2035 hosts from Sun 09/29 20:51:13 to Sun 09/29 20:53:11
216.38.223.42 scanned 2002 hosts from Sun 09/29 10:04:41 to Sun 09/29 10:06:33
212.55.169.131 scanned 1998 hosts from Sun 09/29 08:22:12 to Sun 09/29 08:27:18
62.47.4.1 scanned 1536 hosts from Sun 09/29 22:58:43 to Sun 09/29 23:02:27
...
61.63.51.154 scanned 755 hosts from Sun 09/29 01:48:57 to Sun 09/29 01:51:11

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
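
The per-source summary shown in the message above can be reproduced along these lines. This is an added example, not the perl script used for the post. It assumes a simplified, constructed flow record format (date, time, protocol, source, destination, destination port) rather than real argus output, and the function names and the `min_hosts` threshold are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (assumed format, not real argus output):
# date time proto src_ip dst_ip dst_port
SAMPLE_FLOWS = """\
2002-09-26 00:00:36 udp 192.0.2.10 198.51.100.1 137
2002-09-26 00:00:37 udp 192.0.2.10 198.51.100.2 137
2002-09-26 00:00:37 udp 192.0.2.10 198.51.100.2 137
2002-09-26 00:00:39 udp 192.0.2.10 198.51.100.3 137
2002-09-26 00:05:00 udp 192.0.2.77 198.51.100.9 137
2002-09-26 00:06:00 tcp 192.0.2.10 198.51.100.4 137
2002-09-26 00:07:00 udp 192.0.2.10 198.51.100.5 53
2002-09-26 14:43:53 udp 203.0.113.5 198.51.100.1 137
2002-09-26 14:43:50 udp 203.0.113.5 198.51.100.7 137
malformed line
"""

def summarize_scans(lines, port=137, proto="udp", min_hosts=2):
    """Return [(src, distinct_dst_count, first_seen, last_seen)], busiest first."""
    targets = defaultdict(set)   # src -> set of distinct destinations probed
    seen = {}                    # src -> (earliest, latest) matching flow
    for line in lines:
        f = line.split()
        if len(f) != 6 or f[2] != proto or f[5] != str(port):
            continue             # wrong protocol/port or malformed record
        try:
            ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        src, dst = f[3], f[4]
        targets[src].add(dst)    # repeat probes to one host count once
        first, last = seen.get(src, (ts, ts))
        # Track min/max explicitly: flow logs are not always time-ordered.
        seen[src] = (min(first, ts), max(last, ts))
    rows = [(s, len(d), *seen[s]) for s, d in targets.items()
            if len(d) >= min_hosts]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def format_report(rows):
    """Render rows in the same shape as the report lines in the post."""
    fmt = "%a %m/%d %H:%M:%S"
    return [f"{s} scanned {n} hosts from {a.strftime(fmt)} to {b.strftime(fmt)}"
            for s, n, a, b in rows]

if __name__ == "__main__":
    print("\n".join(format_report(summarize_scans(SAMPLE_FLOWS.splitlines()))))
```

Comparing each day's top counts against an earlier baseline day, as the post does with Tuesday, is what separates the ordinary NetBIOS name-query background from the jump to sources touching well over a thousand hosts within a few minutes.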


