[unisog] Previous Thread on Increased Probes

Peter Van Epp vanepp at sfu.ca
Fri Jul 23 18:15:17 GMT 2004


My bet would be this is spam zombie control traffic or scans for
zombies. A number of the infected machines here have been accessed at odd
hours for about an hour to spam via skybot or beagle (don't keep up on these
silly PC viruses, just whack them ...). As a result argus is looking for our
IPs emailing more than 100 hosts in any given hour and flags them for whacking.
In many cases the apparent control channel for the spam is port 113. A couple
of hours before, a Russian site probes 113 on the host once, and a few hours
later someone else from somewhere else connects and spams for 20 to 40 minutes
and then departs. I'm assuming the Russian site is selling the IP of the
infected host to the spammer (but content myself with whacking our infected
host). I believe this has mostly been identified as skybot but the names seem
to change depending on what AV package the user is using (the ubiquitous
"none previously" having the most market share). There is another common
control port but I don't remember off the top of my head what it is (perhaps 1026).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
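The two heuristics in the message above (flag a local host that mails more than 100 distinct hosts in an hour, then look back for the single inbound tcp/113 touch that preceded the burst), as an added example that is not part of the original thread or of argus itself. The flow record format, the hosts and the addresses are all constructed; a real deployment would feed it argus or NetFlow output instead.

```python
from collections import defaultdict

def parse_flow(line):
    """Parse one constructed flow record: 'epoch proto src sport dst dport'."""
    ts, proto, src, sport, dst, dport = line.split()
    return {"ts": int(ts), "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}

def flag_mass_mailers(flows, local_prefix, threshold=100):
    """Return {(src, hour): n} for local hosts with more than `threshold`
    distinct SMTP (tcp/25) destinations inside one clock hour."""
    dests = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 25 and f["src"].startswith(local_prefix):
            dests[(f["src"], f["ts"] // 3600)].add(f["dst"])
    return {k: len(v) for k, v in dests.items() if len(v) > threshold}

def ident_precursors(flows, host, hour, lookback_hours=6):
    """Sources that touched tcp/113 on `host` in the hours before `hour`;
    these are the candidate control-channel probes described in the thread."""
    lo, hi = (hour - lookback_hours) * 3600, hour * 3600
    return sorted({f["src"] for f in flows
                   if f["dst"] == host and f["proto"] == "tcp"
                   and f["dport"] == 113 and lo <= f["ts"] < hi})

def sample_flows():
    """Constructed data: one tcp/113 touch in hour 1, then 120 SMTP sessions
    from the same local host in hour 4, plus one unremarkable host."""
    rows = ["3600 tcp 203.0.113.9 40001 10.0.0.5 113"]
    for i in range(120):
        rows.append(f"{4 * 3600 + i} tcp 10.0.0.5 {30000 + i} 198.51.100.{i + 1} 25")
    rows.append("14500 tcp 10.0.0.7 31000 198.51.100.1 25")
    return [parse_flow(r) for r in rows]

def report(flows, local_prefix="10.0.0."):
    """Pair each flagged (host, hour) with the ident probes that preceded it."""
    return {k: ident_precursors(flows, k[0], k[1])
            for k in flag_mass_mailers(flows, local_prefix)}

if __name__ == "__main__":
    for (host, hour), probes in report(sample_flows()).items():
        print(f"{host} hour {hour}: flagged; prior tcp/113 from {probes or 'nobody'}")
```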


On Fri, Jul 23, 2004 at 12:45:57PM -0500, Glenn Forbes Fleming Larratt wrote:
> We have noted huge volumes of identd traffic - a summary report
> covering a period of 30 minutes is appended below.
> 
> You can imagine how frustrating it is to me that my management won't
> even discuss a response, and appear content to just let it happen.
> 
> 	-g
> 
> On Fri, 23 Jul 2004, Lois Lehman wrote:
> 
> > Sorry to bring this up again but a colleague at another university has
> > asked me if anyone has seen a recent flood of attacks on their address
> > space similar to what he experienced a couple of weeks ago.  I remember
> > there was some talk, maybe on this list, about seeing incoming packets
> > from many sources with numbers near a thousand.  But in cleaning out my
> > Inbox after a vacation, I must have deleted that information.
> > 
> > Here is a sample of some of the traffic from one source found in his
> > logs:
> > 
> > Jul  9 21:21:54 gateway 1305838: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> > permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:54 gateway 1305839: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> > permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:54 gateway 1305841: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> > permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:55 gateway 1305842: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> > permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:55 gateway 1305843: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> > permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
> > Jul  9 21:21:55 gateway 1305845: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> > permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:55 gateway 1305846: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> > permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:55 gateway 1305848: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> > permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:55 gateway 1305849: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> > permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
> > Jul  9 21:21:55 gateway 1305850: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> > permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:56 gateway 1305852: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> > permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:56 gateway 1305853: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> > permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:56 gateway 1305856: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> > permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
> > 
> > 
> > Is this what others were seeing, an attack on port 23?  Has anyone
> > determined the purpose of this flood?
> > 
> > Thanks!
> > 
> > Lois Lehman
> > College Network Security Manager
> > Physical Sciences Computer Support Manager
> > College of Liberal Arts & Sciences
> > Arizona State University
> > 480-965-3139
> > 
> > 
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
> > 
> Date: Fri, 23 Jul 2004 11:35:53 -0500 (CDT)
> From: 
> To: 
> Subject: (snort attack watch): summary report
> 
> 
> Since Jul 23 11:06:28 :
> 
>  notifications:
> 
> 
> -- 
> Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
> glratt at io.com                        http://www.io.com/~glratt  
> There are imaginary bugs to chase in heaven.
> 


