[unisog] Previous Thread on Increased Probes

Lois Lehman LOIS.LEHMAN at asu.edu
Fri Jul 23 18:19:21 GMT 2004


Peter, this traffic is targeted at the telnet port.

Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139


-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Peter Van Epp
Sent: Friday, July 23, 2004 11:15 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Previous Thread on Increased Probes

	My bet would be this is spam zombie control traffic or scans for
zombies. A number of the infected machines here have been accessed at odd
hours for about an hour to spam via skybot or beagle (don't keep up on these
silly PC viruses, just whack them ...). As a result argus is looking for our
IPs emailing more than 100 hosts in any given hour and flags them for whacking.
In many cases the apparent control channel for the spam is port 113. A couple
of hours before a Russian site probes 113 on the host once, and a few hours
later someone else from somewhere else connects and spams for 20 to 40 minutes
and then departs. I'm assuming the Russian site is selling the IP of the
infected host to the spammer (but content myself with whacking our infected
host). I believe this has mostly been identified as skybot but the names seem
to change depending on what AV package the user is using (the ubiquitous
"none previously" having the most market share). There is another common
control port but I don't off the top remember what it is (perhaps 1026).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


On Fri, Jul 23, 2004 at 12:45:57PM -0500, Glenn Forbes Fleming Larratt wrote:
> We have noted huge volumes of identd traffic - a summary report
> covering a period of 30 minutes is appended below.
> 
> You can imagine how frustrating it is to me that my management won't
> even discuss a response, and appear content to just let it happen.
> 
> 	-g
> 
> On Fri, 23 Jul 2004, Lois Lehman wrote:
> 
> > Sorry to bring this up again but a colleague at another university has
> > asked me if anyone has seen a recent flood of attacks on their address
> > space similar to what he experienced a couple of weeks ago.  I remember
> > there was some talk, maybe on this list, about seeing incoming packets
> > from many sources with numbers near a thousand.  But in cleaning out my
> > Inbox after a vacation, I must have deleted that information.
> > 
> > Here is a sample of some of the traffic from one source found in his
> > logs:
> > 
> > Jul  9 21:21:54 gateway 1305838: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:54 gateway 1305839: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:54 gateway 1305841: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:55 gateway 1305842: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:55 gateway 1305843: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
> > Jul  9 21:21:55 gateway 1305845: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:55 gateway 1305846: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:55 gateway 1305848: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:55 gateway 1305849: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
> > Jul  9 21:21:55 gateway 1305850: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:56 gateway 1305852: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:56 gateway 1305853: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > Jul  9 21:21:56 gateway 1305856: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
> > 
> > 
> > Is this what others were seeing, an attack on port 23?  Has anyone
> > determined the purpose of this flood?
> > 
> > Thanks!
> > 
> > Lois Lehman
> > College Network Security Manager
> > Physical Sciences Computer Support Manager
> > College of Liberal Arts & Sciences
> > Arizona State University
> > 480-965-3139
> > 
> > 
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
> > 
> Date: Fri, 23 Jul 2004 11:35:53 -0500 (CDT)
> From: 
> To: 
> Subject: (snort attack watch): summary report
> 
> 
> Since Jul 23 11:06:28 :
> 
>  notifications:
> 61.110.247.51 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> 211.172.57.99 TCP 113 permit: 58 hits, 29 uniques, 29 src ports
> 201.254.148.62 TCP 113 permit: 50 hits, 22 uniques, 22 src ports
> 61.155.84.29 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> 219.255.68.172 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> 221.138.9.164 TCP 113 permit: 66 hits, 31 uniques, 31 src ports
> 65.95.254.138 TCP 113 permit: 40 hits, 20 uniques, 20 src ports
> 61.105.254.32 TCP 113 permit: 64 hits, 32 uniques, 32 src ports
> 65.92.156.111 TCP 113 permit: 52 hits, 24 uniques, 24 src ports
> 210.219.180.100 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> 61.75.136.99 TCP 113 permit: 76 hits, 37 uniques, 37 src ports
> 211.213.125.183 TCP 113 permit: 52 hits, 26 uniques, 25 src ports
> 210.122.224.83 TCP 113 permit: 56 hits, 27 uniques, 27 src ports
> 221.146.109.184 TCP 113 permit: 50 hits, 25 uniques, 25 src ports
> 64.230.172.167 TCP 113 permit: 54 hits, 25 uniques, 25 src ports
> 211.209.62.164 TCP 113 permit: 60 hits, 28 uniques, 28 src ports
> 211.204.130.185 TCP 113 permit: 40 hits, 20 uniques, 20 src ports
> 61.98.91.43 TCP 113 permit: 56 hits, 28 uniques, 27 src ports
> 65.95.127.216 TCP 113 permit: 54 hits, 27 uniques, 27 src ports
> 211.224.17.202 TCP 113 permit: 80 hits, 39 uniques, 39 src ports
> 81.202.83.33 TCP 113 permit: 42 hits, 21 uniques, 21 src ports
> 61.254.135.218 TCP 113 permit: 76 hits, 38 uniques, 38 src ports
> 211.190.175.3 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> 221.162.127.245 TCP 113 permit: 86 hits, 41 uniques, 41 src ports
> 65.220.125.76 TCP 113 permit: 48 hits, 23 uniques, 23 src ports
> 61.111.239.218 TCP 113 permit: 84 hits, 39 uniques, 39 src ports
> 64.229.30.125 TCP 113 permit: 68 hits, 34 uniques, 33 src ports
> 69.156.96.106 TCP 113 permit: 68 hits, 32 uniques, 32 src ports
> 201.254.148.63 TCP 113 permit: 40 hits, 20 uniques, 20 src ports
> 220.86.11.202 TCP 113 permit: 52 hits, 22 uniques, 22 src ports
> 65.94.41.121 TCP 113 permit: 56 hits, 27 uniques, 27 src ports
> 218.50.48.213 TCP 113 permit: 50 hits, 24 uniques, 24 src ports
> 24.100.182.172 TCP 113 permit: 46 hits, 22 uniques, 22 src ports
> 67.70.112.119 TCP 113 permit: 42 hits, 21 uniques, 21 src ports
> 211.211.41.70 TCP 113 permit: 76 hits, 36 uniques, 36 src ports
> 219.241.200.50 TCP 113 permit: 74 hits, 34 uniques, 34 src ports
> 211.212.199.250 TCP 113 permit: 70 hits, 31 uniques, 31 src ports
> 65.78.21.3 TCP 113 permit: 44 hits, 21 uniques, 21 src ports
> 211.212.60.199 TCP 113 permit: 70 hits, 33 uniques, 33 src ports
> 69.158.14.114 TCP 113 permit: 74 hits, 36 uniques, 36 src ports
> 210.114.243.5 TCP 113 permit: 54 hits, 26 uniques, 25 src ports
> 65.95.1.67 TCP 113 permit: 70 hits, 33 uniques, 32 src ports
> 222.232.159.199 TCP 113 permit: 64 hits, 30 uniques, 30 src ports
> 67.52.51.206 TCP 113 permit: 70 hits, 32 uniques, 32 src ports
> 69.158.166.104 TCP 113 permit: 70 hits, 34 uniques, 34 src ports
> 211.49.135.28 TCP 113 permit: 52 hits, 24 uniques, 24 src ports
> 218.69.61.239 TCP 113 permit: 48 hits, 24 uniques, 23 src ports
> 4.26.253.85 TCP 113 permit: 42 hits, 21 uniques, 20 src ports
> 64.229.148.21 TCP 113 permit: 72 hits, 34 uniques, 34 src ports
> 221.152.77.68 TCP 113 permit: 48 hits, 24 uniques, 24 src ports
> 211.178.247.87 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> 218.158.136.153 TCP 113 permit: 54 hits, 25 uniques, 25 src ports
> 210.205.183.141 TCP 113 permit: 74 hits, 37 uniques, 37 src ports
> 211.236.217.17 TCP 113 permit: 54 hits, 26 uniques, 26 src ports
> 218.237.92.203 TCP 113 permit: 44 hits, 20 uniques, 20 src ports
> 211.200.86.113 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> 211.49.209.182 TCP 113 permit: 50 hits, 25 uniques, 25 src ports
> 216.57.140.27 TCP 113 permit: 74 hits, 36 uniques, 36 src ports
> 4.26.149.200 TCP 113 permit: 50 hits, 24 uniques, 24 src ports
> 221.140.52.138 TCP 113 permit: 70 hits, 31 uniques, 30 src ports
> 211.178.27.154 TCP 113 permit: 76 hits, 38 uniques, 38 src ports
> 220.88.180.119 TCP 113 permit: 80 hits, 38 uniques, 35 src ports
> 221.138.127.115 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> 218.62.20.14 TCP 113 permit: 96 hits, 44 uniques, 43 src ports
> 204.42.9.91 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> 219.251.95.88 TCP 113 permit: 80 hits, 38 uniques, 38 src ports
> 211.59.186.131 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> 220.91.4.177 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> 63.241.218.92 TCP 113 permit: 50 hits, 24 uniques, 24 src ports
> 220.117.17.12 TCP 113 permit: 42 hits, 20 uniques, 20 src ports
> 61.255.37.179 TCP 113 permit: 76 hits, 35 uniques, 35 src ports
> 65.94.185.245 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> 220.137.100.222 TCP 113 permit: 40 hits, 20 uniques, 20 src ports
> 211.209.66.238 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> 218.62.8.78 TCP 113 permit: 66 hits, 31 uniques, 30 src ports
> 220.117.223.246 TCP 113 permit: 50 hits, 25 uniques, 24 src ports
> 69.158.164.233 TCP 113 permit: 52 hits, 26 uniques, 25 src ports
> 61.252.248.27 TCP 113 permit: 72 hits, 34 uniques, 34 src ports
> 219.254.31.149 TCP 113 permit: 40 hits, 20 uniques, 20 src ports
> 218.164.97.25 TCP 113 permit: 68 hits, 34 uniques, 34 src ports
> 211.212.118.238 TCP 113 permit: 52 hits, 26 uniques, 26 src ports
> 65.168.30.15 TCP 113 permit: 44 hits, 21 uniques, 21 src ports
> 4.46.136.17 TCP 113 permit: 42 hits, 21 uniques, 21 src ports
> 218.38.62.233 TCP 113 permit: 82 hits, 41 uniques, 41 src ports
> 218.172.136.130 TCP 113 permit: 56 hits, 28 uniques, 28 src ports
> 61.248.143.182 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> 81.49.189.43 TCP 113 permit: 72 hits, 35 uniques, 35 src ports
> 218.238.183.224 TCP 113 permit: 46 hits, 22 uniques, 21 src ports
> 211.236.206.145 TCP 113 permit: 60 hits, 29 uniques, 29 src ports
> 221.138.217.94 TCP 113 permit: 54 hits, 26 uniques, 26 src ports
> 211.201.232.229 TCP 113 permit: 62 hits, 31 uniques, 31 src ports
> 69.158.136.208 TCP 113 permit: 64 hits, 32 uniques, 31 src ports
> 24.153.217.37 TCP 113 permit: 78 hits, 38 uniques, 38 src ports
> 211.206.106.55 TCP 113 permit: 84 hits, 42 uniques, 41 src ports
> 211.206.48.103 TCP 113 permit: 48 hits, 23 uniques, 23 src ports
> 61.80.177.209 TCP 113 permit: 70 hits, 35 uniques, 35 src ports
> 4.46.125.203 TCP 113 permit: 48 hits, 23 uniques, 23 src ports
> 219.255.18.34 TCP 113 permit: 46 hits, 22 uniques, 22 src ports
> 69.158.78.141 TCP 113 permit: 48 hits, 24 uniques, 24 src ports
> 4.14.131.47 TCP 113 permit: 50 hits, 24 uniques, 24 src ports
> 61.98.6.106 TCP 113 permit: 56 hits, 28 uniques, 28 src ports
> 219.240.24.254 TCP 113 permit: 76 hits, 36 uniques, 36 src ports
> 219.241.86.107 TCP 113 permit: 60 hits, 29 uniques, 28 src ports
> 211.207.73.131 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> 218.39.234.82 TCP 113 permit: 56 hits, 28 uniques, 27 src ports
> 218.90.187.7 TCP 113 permit: 54 hits, 24 uniques, 24 src ports
> 210.218.154.47 TCP 113 permit: 68 hits, 31 uniques, 31 src ports
> 209.76.255.250 TCP 113 permit: 58 hits, 28 uniques, 28 src ports
> 128.91.92.116 TCP 113 permit: 54 hits, 26 uniques, 26 src ports
> 140.129.75.65 TCP 113 permit: 46 hits, 21 uniques, 21 src ports
> 81.195.72.98 TCP 113 permit: 50 hits, 25 uniques, 25 src ports
> 61.138.179.30 TCP 113 permit: 50 hits, 24 uniques, 23 src ports
> 61.98.125.151 TCP 113 permit: 66 hits, 31 uniques, 31 src ports
> 61.255.16.76 TCP 113 permit: 76 hits, 37 uniques, 37 src ports
> 211.243.93.223 TCP 113 permit: 42 hits, 20 uniques, 20 src ports
> 211.204.200.86 TCP 113 permit: 84 hits, 41 uniques, 41 src ports
> 61.10.148.173 TCP 113 permit: 58 hits, 28 uniques, 28 src ports
> 221.142.2.169 TCP 113 permit: 46 hits, 22 uniques, 22 src ports
> 61.83.248.37 TCP 113 permit: 58 hits, 29 uniques, 29 src ports
> 64.229.28.51 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> 64.231.66.14 TCP 113 permit: 66 hits, 32 uniques, 32 src ports
> 211.187.21.160 TCP 113 permit: 50 hits, 24 uniques, 23 src ports
> 211.210.233.213 TCP 113 permit: 54 hits, 25 uniques, 25 src ports
> 219.254.63.114 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> 61.231.116.23 TCP 113 permit: 52 hits, 26 uniques, 26 src ports
> 221.138.195.79 TCP 113 permit: 66 hits, 31 uniques, 31 src ports
> 221.140.70.150 TCP 113 permit: 70 hits, 35 uniques, 34 src ports
> 211.216.211.249 TCP 113 permit: 60 hits, 28 uniques, 28 src ports
> 211.49.151.179 TCP 113 permit: 74 hits, 36 uniques, 35 src ports
> 210.217.161.202 TCP 113 permit: 66 hits, 31 uniques, 31 src ports
> 211.179.215.5 TCP 113 permit: 64 hits, 30 uniques, 28 src ports
> 211.197.71.157 TCP 113 permit: 62 hits, 30 uniques, 30 src ports
> 64.230.131.155 TCP 113 permit: 46 hits, 21 uniques, 21 src ports
> 84.97.129.246 TCP 113 permit: 72 hits, 35 uniques, 35 src ports
> 211.201.227.75 TCP 113 permit: 52 hits, 26 uniques, 26 src ports
> 211.190.145.155 TCP 113 permit: 52 hits, 26 uniques, 26 src ports
> 218.50.110.14 TCP 113 permit: 56 hits, 27 uniques, 27 src ports
> 219.255.5.106 TCP 113 permit: 50 hits, 24 uniques, 24 src ports
> 67.71.107.80 TCP 113 permit: 60 hits, 28 uniques, 28 src ports
> 219.250.221.211 TCP 113 permit: 68 hits, 32 uniques, 32 src ports
> 69.156.112.20 TCP 113 permit: 46 hits, 23 uniques, 23 src ports
> 81.202.4.106 TCP 113 permit: 44 hits, 21 uniques, 21 src ports
> 166.91.254.254 TCP 113 permit: 214 hits, 104 uniques, 104 src ports
> 61.98.1.48 TCP 113 permit: 42 hits, 21 uniques, 21 src ports
> 219.241.129.99 TCP 113 permit: 62 hits, 29 uniques, 29 src ports
> 61.253.69.42 TCP 113 permit: 44 hits, 20 uniques, 20 src ports
> 218.162.97.245 TCP 113 permit: 40 hits, 20 uniques, 20 src ports
> 
> 
> -- 
> Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
> glratt at io.com                        http://www.io.com/~glratt  
> There are imaginary bugs to chase in heaven.
> 
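One way to produce both kinds of report this thread talks about from the Cisco ACL log lines Lois quoted: Glenn's per-source "hits / uniques / src ports" summary, and Peter's argus rule that flags one of our IPs talking to more than 100 hosts in an hour. This is an added example, not code from the thread, from argus, or from the "snort attack watch" script; the log lines it runs on are constructed in the same format as the quoted ones (RFC 5737 test addresses), and it assumes "emailing" means TCP/25 and that the syslog clock hour is a good enough bucket.

```python
"""Summarise Cisco IOS ACL log lines per source and flag mail fan-out per hour.
Added example (not the thread's code). Assumed: mail == TCP/25, threshold 100."""
import re
from collections import defaultdict

# Shape of the %SEC-6-IPACCESSLOGP lines quoted in the thread. 'x' is allowed in
# addresses because the poster masked the destination net as xxx.xxx.2.10.
ACL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ \d+: \S+: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\d+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.x]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.x]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def parse_acl_log(lines):
    """Yield one record per ACL log line; lines in any other format are skipped."""
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        yield {
            # syslog carries no year, so the bucket key is "Mon D HH"
            "hour": f"{d['mon']} {d['day']} {d['time'][:2]}",
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "count": int(d["count"]),
        }


def summarize(records):
    """Per (src, dport): packets, distinct destinations, distinct source ports.
    Same shape as the 'snort attack watch' summary quoted in the thread: a sweep
    shows many uniques, a repeated probe of one host shows one."""
    acc = defaultdict(lambda: {"hits": 0, "dsts": set(), "sports": set()})
    for r in records:
        k = (r["src"], r["dport"])
        acc[k]["hits"] += r["count"]
        acc[k]["dsts"].add(r["dst"])
        acc[k]["sports"].add(r["sport"])
    return {k: {"hits": v["hits"], "uniques": len(v["dsts"]), "src_ports": len(v["sports"])}
            for k, v in acc.items()}


def fanout_alerts(records, port=25, threshold=100):
    """Flag a source that reaches more than `threshold` distinct hosts on `port`
    within one clock hour (Peter's argus rule, approximated over ACL logs)."""
    seen = defaultdict(set)
    for r in records:
        if r["dport"] == port:
            seen[(r["src"], r["hour"])].add(r["dst"])
    return sorted((src, hour, len(d)) for (src, hour), d in seen.items() if len(d) > threshold)


def _line(mon, day, time, seq, src, sport, dst, dport, count):
    """Build a constructed log line in the quoted format (not real traffic)."""
    return (f"{mon} {day:>2} {time} gateway {seq}: 2d14h: %SEC-6-IPACCESSLOGP: list 120 "
            f"permitted tcp {src}({sport}) -> {dst}({dport}), {count} packet{'s' if count > 1 else ''}")


# Constructed sample, not from the thread:
SAMPLE_LOG = (
    # a telnet sweep of 22 hosts from one source re-using source port 41085
    [_line("Jul", 9, f"21:21:{54 + i // 10}", 1305838 + i, "192.0.2.10", 41085,
           f"198.51.100.{i + 1}", 23, 1) for i in range(22)]
    # a zombie inside the campus net mailing 150 distinct hosts within hour 22
    + [_line("Jul", 9, f"22:{i % 40:02d}:{(i * 7) % 60:02d}", 1400000 + i, "198.51.100.77",
             30000 + i, f"203.0.113.{i + 1}", 25, 1) for i in range(150)]
    # a legitimate mail relay reaching 40 hosts in the same hour (stays under 100)
    + [_line("Jul", 9, f"22:{i:02d}:30", 1500000 + i, "198.51.100.25", 40000 + i,
             f"203.0.113.{i + 1}", 25, 2) for i in range(40)]
    # an unrelated IOS message that the parser must ignore
    + ["Jul  9 22:41:00 gateway 1600000: 2d15h: %SYS-5-CONFIG_I: Configured from console by vty0"]
)

if __name__ == "__main__":
    recs = list(parse_acl_log(SAMPLE_LOG))
    for (src, dport), v in sorted(summarize(recs).items()):
        print(f"{src} TCP {dport} permit: {v['hits']} hits, {v['uniques']} uniques, "
              f"{v['src_ports']} src ports")
    for src, hour, n in fanout_alerts(recs):
        print(f"FLAG {src}: {n} distinct hosts on tcp/25 during {hour}")
```

Run on real `logging` output the same way: feed the router's syslog file to `parse_acl_log` and pass the records to both functions. The fan-out check keys on distinct destinations rather than packet count, so a host re-trying one mail server many times is not flagged while a zombie delivering one message each to 150 recipients' MXes is, which is the distinction Peter's heuristic relies on.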