[unisog] Previous Thread on Increased Probes

Glenn Forbes Fleming Larratt glratt at io.com
Fri Jul 23 18:36:31 GMT 2004


...and, while we have identd open inbound across our border, we too 
whack attempts to send SMTP outbound in quantity, and in fact deny
such access to much of our network - and we have seen no corresponding
increase in the latter. 

	-g

On Fri, 23 Jul 2004, Lois Lehman wrote:

> Peter, this traffic is targeted at the telnet port.
> 
> Lois Lehman
> College Network Security Manager
> Physical Sciences Computer Support Manager
> College of Liberal Arts & Sciences
> Arizona State University
> 480-965-3139
> 
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Peter Van Epp
> Sent: Friday, July 23, 2004 11:15 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Previous Thread on Increased Probes
> 
> 	My bet would be this is spam zombie control traffic or scans for
> zombies. A number of the infected machines here have been accessed at
> odd hours for about an hour to spam via skybot or beagle (don't keep up
> on these silly PC viruses, just whack them ...). As a result argus is
> looking for our IPs emailing more than 100 hosts in any given hour and
> flags them for whacking. In many cases the apparent control channel for
> the spam is port 113. A couple of hours before a Russian site probes 113
> on the host once, and a few hours later someone else from somewhere else
> connects and spams for 20 to 40 minutes and then departs. I'm assuming
> the Russian site is selling the IP of the infected host to the spammer
> (but content myself with whacking our infected host). I believe this has
> mostly been identified as skybot but the names seem to change depending
> on what AV package the user is using (the ubiquitous "none previously"
> having the most market share). There is another common control port but
> I don't off the top remember what it is (perhaps 1026).
> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> 
> 
> On Fri, Jul 23, 2004 at 12:45:57PM -0500, Glenn Forbes Fleming Larratt wrote:
> > We have noted huge volumes of identd traffic - a  summary report
> > covering a period of 30 minutes is appended below.
> > 
> > You can imagine how frustrating it is to me that my management won't
> > even discuss a response, and appear content to just let it happen.
> > 
> > 	-g
> > 
> > On Fri, 23 Jul 2004, Lois Lehman wrote:
> > 
> > > Sorry to bring this up again but a colleague at another university has
> > > asked me if anyone has seen a recent flood of attacks on their address
> > > space similar to what he experienced a couple of weeks ago.  I remember
> > > there was some talk, maybe on this list, about seeing incoming packets
> > > from many sources with numbers near a thousand.  But in cleaning out my
> > > Inbox after a vacation, I must have deleted that information.
> > > 
> > > Here is a sample of some of the traffic from one source found in his
> > > logs:
> > > 
> > > Jul  9 21:21:54 gateway 1305838: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > > Jul  9 21:21:54 gateway 1305839: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > > Jul  9 21:21:54 gateway 1305841: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > > Jul  9 21:21:55 gateway 1305842: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > > Jul  9 21:21:55 gateway 1305843: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
> > > Jul  9 21:21:55 gateway 1305845: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > > Jul  9 21:21:55 gateway 1305846: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > > Jul  9 21:21:55 gateway 1305848: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > > Jul  9 21:21:55 gateway 1305849: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
> > > Jul  9 21:21:55 gateway 1305850: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > > Jul  9 21:21:56 gateway 1305852: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > > Jul  9 21:21:56 gateway 1305853: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> > > Jul  9 21:21:56 gateway 1305856: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
> > > 
> > > 
> > > Is this what others were seeing, an attack on port 23?  Has anyone
> > > determined the purpose of this flood?
> > > 
> > > Thanks!
> > > 
> > > Lois Lehman
> > > College Network Security Manager
> > > Physical Sciences Computer Support Manager
> > > College of Liberal Arts & Sciences
> > > Arizona State University
> > > 480-965-3139
> > > 
> > > 
> > > _______________________________________________
> > > unisog mailing list
> > > unisog at lists.sans.org
> > > http://www.dshield.org/mailman/listinfo/unisog
> > > 
> > Date: Fri, 23 Jul 2004 11:35:53 -0500 (CDT)
> > From: 
> > To: 
> > Subject: (snort attack watch): summary report
> > 
> > 
> > Since Jul 23 11:06:28 :
> > 
> >  notifications:
> > 61.110.247.51 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> > 211.172.57.99 TCP 113 permit: 58 hits, 29 uniques, 29 src ports
> > 201.254.148.62 TCP 113 permit: 50 hits, 22 uniques, 22 src ports
> > 61.155.84.29 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> > 219.255.68.172 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> > 221.138.9.164 TCP 113 permit: 66 hits, 31 uniques, 31 src ports
> > 65.95.254.138 TCP 113 permit: 40 hits, 20 uniques, 20 src ports
> > 61.105.254.32 TCP 113 permit: 64 hits, 32 uniques, 32 src ports
> > 65.92.156.111 TCP 113 permit: 52 hits, 24 uniques, 24 src ports
> > 210.219.180.100 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> > 61.75.136.99 TCP 113 permit: 76 hits, 37 uniques, 37 src ports
> > 211.213.125.183 TCP 113 permit: 52 hits, 26 uniques, 25 src ports
> > 210.122.224.83 TCP 113 permit: 56 hits, 27 uniques, 27 src ports
> > 221.146.109.184 TCP 113 permit: 50 hits, 25 uniques, 25 src ports
> > 64.230.172.167 TCP 113 permit: 54 hits, 25 uniques, 25 src ports
> > 211.209.62.164 TCP 113 permit: 60 hits, 28 uniques, 28 src ports
> > 211.204.130.185 TCP 113 permit: 40 hits, 20 uniques, 20 src ports
> > 61.98.91.43 TCP 113 permit: 56 hits, 28 uniques, 27 src ports
> > 65.95.127.216 TCP 113 permit: 54 hits, 27 uniques, 27 src ports
> > 211.224.17.202 TCP 113 permit: 80 hits, 39 uniques, 39 src ports
> > 81.202.83.33 TCP 113 permit: 42 hits, 21 uniques, 21 src ports
> > 61.254.135.218 TCP 113 permit: 76 hits, 38 uniques, 38 src ports
> > 211.190.175.3 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> > 221.162.127.245 TCP 113 permit: 86 hits, 41 uniques, 41 src ports
> > 65.220.125.76 TCP 113 permit: 48 hits, 23 uniques, 23 src ports
> > 61.111.239.218 TCP 113 permit: 84 hits, 39 uniques, 39 src ports
> > 64.229.30.125 TCP 113 permit: 68 hits, 34 uniques, 33 src ports
> > 69.156.96.106 TCP 113 permit: 68 hits, 32 uniques, 32 src ports
> > 201.254.148.63 TCP 113 permit: 40 hits, 20 uniques, 20 src ports
> > 220.86.11.202 TCP 113 permit: 52 hits, 22 uniques, 22 src ports
> > 65.94.41.121 TCP 113 permit: 56 hits, 27 uniques, 27 src ports
> > 218.50.48.213 TCP 113 permit: 50 hits, 24 uniques, 24 src ports
> > 24.100.182.172 TCP 113 permit: 46 hits, 22 uniques, 22 src ports
> > 67.70.112.119 TCP 113 permit: 42 hits, 21 uniques, 21 src ports
> > 211.211.41.70 TCP 113 permit: 76 hits, 36 uniques, 36 src ports
> > 219.241.200.50 TCP 113 permit: 74 hits, 34 uniques, 34 src ports
> > 211.212.199.250 TCP 113 permit: 70 hits, 31 uniques, 31 src ports
> > 65.78.21.3 TCP 113 permit: 44 hits, 21 uniques, 21 src ports
> > 211.212.60.199 TCP 113 permit: 70 hits, 33 uniques, 33 src ports
> > 69.158.14.114 TCP 113 permit: 74 hits, 36 uniques, 36 src ports
> > 210.114.243.5 TCP 113 permit: 54 hits, 26 uniques, 25 src ports
> > 65.95.1.67 TCP 113 permit: 70 hits, 33 uniques, 32 src ports
> > 222.232.159.199 TCP 113 permit: 64 hits, 30 uniques, 30 src ports
> > 67.52.51.206 TCP 113 permit: 70 hits, 32 uniques, 32 src ports
> > 69.158.166.104 TCP 113 permit: 70 hits, 34 uniques, 34 src ports
> > 211.49.135.28 TCP 113 permit: 52 hits, 24 uniques, 24 src ports
> > 218.69.61.239 TCP 113 permit: 48 hits, 24 uniques, 23 src ports
> > 4.26.253.85 TCP 113 permit: 42 hits, 21 uniques, 20 src ports
> > 64.229.148.21 TCP 113 permit: 72 hits, 34 uniques, 34 src ports
> > 221.152.77.68 TCP 113 permit: 48 hits, 24 uniques, 24 src ports
> > 211.178.247.87 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> > 218.158.136.153 TCP 113 permit: 54 hits, 25 uniques, 25 src ports
> > 210.205.183.141 TCP 113 permit: 74 hits, 37 uniques, 37 src ports
> > 211.236.217.17 TCP 113 permit: 54 hits, 26 uniques, 26 src ports
> > 218.237.92.203 TCP 113 permit: 44 hits, 20 uniques, 20 src ports
> > 211.200.86.113 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> > 211.49.209.182 TCP 113 permit: 50 hits, 25 uniques, 25 src ports
> > 216.57.140.27 TCP 113 permit: 74 hits, 36 uniques, 36 src ports
> > 4.26.149.200 TCP 113 permit: 50 hits, 24 uniques, 24 src ports
> > 221.140.52.138 TCP 113 permit: 70 hits, 31 uniques, 30 src ports
> > 211.178.27.154 TCP 113 permit: 76 hits, 38 uniques, 38 src ports
> > 220.88.180.119 TCP 113 permit: 80 hits, 38 uniques, 35 src ports
> > 221.138.127.115 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> > 218.62.20.14 TCP 113 permit: 96 hits, 44 uniques, 43 src ports
> > 204.42.9.91 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> > 219.251.95.88 TCP 113 permit: 80 hits, 38 uniques, 38 src ports
> > 211.59.186.131 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> > 220.91.4.177 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> > 63.241.218.92 TCP 113 permit: 50 hits, 24 uniques, 24 src ports
> > 220.117.17.12 TCP 113 permit: 42 hits, 20 uniques, 20 src ports
> > 61.255.37.179 TCP 113 permit: 76 hits, 35 uniques, 35 src ports
> > 65.94.185.245 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> > 220.137.100.222 TCP 113 permit: 40 hits, 20 uniques, 20 src ports
> > 211.209.66.238 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> > 218.62.8.78 TCP 113 permit: 66 hits, 31 uniques, 30 src ports
> > 220.117.223.246 TCP 113 permit: 50 hits, 25 uniques, 24 src ports
> > 69.158.164.233 TCP 113 permit: 52 hits, 26 uniques, 25 src ports
> > 61.252.248.27 TCP 113 permit: 72 hits, 34 uniques, 34 src ports
> > 219.254.31.149 TCP 113 permit: 40 hits, 20 uniques, 20 src ports
> > 218.164.97.25 TCP 113 permit: 68 hits, 34 uniques, 34 src ports
> > 211.212.118.238 TCP 113 permit: 52 hits, 26 uniques, 26 src ports
> > 65.168.30.15 TCP 113 permit: 44 hits, 21 uniques, 21 src ports
> > 4.46.136.17 TCP 113 permit: 42 hits, 21 uniques, 21 src ports
> > 218.38.62.233 TCP 113 permit: 82 hits, 41 uniques, 41 src ports
> > 218.172.136.130 TCP 113 permit: 56 hits, 28 uniques, 28 src ports
> > 61.248.143.182 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> > 81.49.189.43 TCP 113 permit: 72 hits, 35 uniques, 35 src ports
> > 218.238.183.224 TCP 113 permit: 46 hits, 22 uniques, 21 src ports
> > 211.236.206.145 TCP 113 permit: 60 hits, 29 uniques, 29 src ports
> > 221.138.217.94 TCP 113 permit: 54 hits, 26 uniques, 26 src ports
> > 211.201.232.229 TCP 113 permit: 62 hits, 31 uniques, 31 src ports
> > 69.158.136.208 TCP 113 permit: 64 hits, 32 uniques, 31 src ports
> > 24.153.217.37 TCP 113 permit: 78 hits, 38 uniques, 38 src ports
> > 211.206.106.55 TCP 113 permit: 84 hits, 42 uniques, 41 src ports
> > 211.206.48.103 TCP 113 permit: 48 hits, 23 uniques, 23 src ports
> > 61.80.177.209 TCP 113 permit: 70 hits, 35 uniques, 35 src ports
> > 4.46.125.203 TCP 113 permit: 48 hits, 23 uniques, 23 src ports
> > 219.255.18.34 TCP 113 permit: 46 hits, 22 uniques, 22 src ports
> > 69.158.78.141 TCP 113 permit: 48 hits, 24 uniques, 24 src ports
> > 4.14.131.47 TCP 113 permit: 50 hits, 24 uniques, 24 src ports
> > 61.98.6.106 TCP 113 permit: 56 hits, 28 uniques, 28 src ports
> > 219.240.24.254 TCP 113 permit: 76 hits, 36 uniques, 36 src ports
> > 219.241.86.107 TCP 113 permit: 60 hits, 29 uniques, 28 src ports
> > 211.207.73.131 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> > 218.39.234.82 TCP 113 permit: 56 hits, 28 uniques, 27 src ports
> > 218.90.187.7 TCP 113 permit: 54 hits, 24 uniques, 24 src ports
> > 210.218.154.47 TCP 113 permit: 68 hits, 31 uniques, 31 src ports
> > 209.76.255.250 TCP 113 permit: 58 hits, 28 uniques, 28 src ports
> > 128.91.92.116 TCP 113 permit: 54 hits, 26 uniques, 26 src ports
> > 140.129.75.65 TCP 113 permit: 46 hits, 21 uniques, 21 src ports
> > 81.195.72.98 TCP 113 permit: 50 hits, 25 uniques, 25 src ports
> > 61.138.179.30 TCP 113 permit: 50 hits, 24 uniques, 23 src ports
> > 61.98.125.151 TCP 113 permit: 66 hits, 31 uniques, 31 src ports
> > 61.255.16.76 TCP 113 permit: 76 hits, 37 uniques, 37 src ports
> > 211.243.93.223 TCP 113 permit: 42 hits, 20 uniques, 20 src ports
> > 211.204.200.86 TCP 113 permit: 84 hits, 41 uniques, 41 src ports
> > 61.10.148.173 TCP 113 permit: 58 hits, 28 uniques, 28 src ports
> > 221.142.2.169 TCP 113 permit: 46 hits, 22 uniques, 22 src ports
> > 61.83.248.37 TCP 113 permit: 58 hits, 29 uniques, 29 src ports
> > 64.229.28.51 TCP 113 permit: 44 hits, 22 uniques, 22 src ports
> > 64.231.66.14 TCP 113 permit: 66 hits, 32 uniques, 32 src ports
> > 211.187.21.160 TCP 113 permit: 50 hits, 24 uniques, 23 src ports
> > 211.210.233.213 TCP 113 permit: 54 hits, 25 uniques, 25 src ports
> > 219.254.63.114 TCP 113 permit: 52 hits, 25 uniques, 25 src ports
> > 61.231.116.23 TCP 113 permit: 52 hits, 26 uniques, 26 src ports
> > 221.138.195.79 TCP 113 permit: 66 hits, 31 uniques, 31 src ports
> > 221.140.70.150 TCP 113 permit: 70 hits, 35 uniques, 34 src ports
> > 211.216.211.249 TCP 113 permit: 60 hits, 28 uniques, 28 src ports
> > 211.49.151.179 TCP 113 permit: 74 hits, 36 uniques, 35 src ports
> > 210.217.161.202 TCP 113 permit: 66 hits, 31 uniques, 31 src ports
> > 211.179.215.5 TCP 113 permit: 64 hits, 30 uniques, 28 src ports
> > 211.197.71.157 TCP 113 permit: 62 hits, 30 uniques, 30 src ports
> > 64.230.131.155 TCP 113 permit: 46 hits, 21 uniques, 21 src ports
> > 84.97.129.246 TCP 113 permit: 72 hits, 35 uniques, 35 src ports
> > 211.201.227.75 TCP 113 permit: 52 hits, 26 uniques, 26 src ports
> > 211.190.145.155 TCP 113 permit: 52 hits, 26 uniques, 26 src ports
> > 218.50.110.14 TCP 113 permit: 56 hits, 27 uniques, 27 src ports
> > 219.255.5.106 TCP 113 permit: 50 hits, 24 uniques, 24 src ports
> > 67.71.107.80 TCP 113 permit: 60 hits, 28 uniques, 28 src ports
> > 219.250.221.211 TCP 113 permit: 68 hits, 32 uniques, 32 src ports
> > 69.156.112.20 TCP 113 permit: 46 hits, 23 uniques, 23 src ports
> > 81.202.4.106 TCP 113 permit: 44 hits, 21 uniques, 21 src ports
> > 166.91.254.254 TCP 113 permit: 214 hits, 104 uniques, 104 src ports
> > 61.98.1.48 TCP 113 permit: 42 hits, 21 uniques, 21 src ports
> > 219.241.129.99 TCP 113 permit: 62 hits, 29 uniques, 29 src ports
> > 61.253.69.42 TCP 113 permit: 44 hits, 20 uniques, 20 src ports
> > 218.162.97.245 TCP 113 permit: 40 hits, 20 uniques, 20 src ports
> > 
> > 
> > -- 
> > Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
> > glratt at io.com                        http://www.io.com/~glratt  
> > There are imaginary bugs to chase in heaven.
> > 
> 

-- 
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
glratt at io.com                        http://www.io.com/~glratt  
There are imaginary bugs to chase in heaven.
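The heuristic Peter describes above (flag an internal host that talks SMTP to more than 100 distinct hosts in an hour, then look back for a single inbound connection to TCP/113 on that host a few hours earlier) is easy to prototype. The following is an added example, not Peter's argus configuration or anything from the thread. It works over constructed flow records in a simplified "date time proto src sport dst dport" layout that only loosely resembles argus output; the record format, the campus prefix 192.0.2.0/24 and the six-hour look-back are assumptions. Inbound 113 on its own is unremarkable (mail and IRC servers query identd on connecting clients, and Glenn notes above that identd is deliberately open at his border), so the example uses a prior 113 connection only as corroborating context for a host already over the fan-out threshold, never as a trigger by itself. The bucketing is by clock hour, which is what "in any given hour" literally says; a burst straddling an hour boundary can slip under the threshold, and a sliding window is the fix if that matters.

```python
"""Spam-zombie fan-out detector with ident-probe correlation (added example).

Flow record format (assumed, not argus's real output):
    YYYY-mm-dd HH:MM:SS proto src sport dst dport
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # assumed campus prefix (RFC 5737 TEST-NET-1)
SMTP_FANOUT_THRESHOLD = 100                        # "more than 100 hosts in any given hour"
PROBE_LOOKBACK = timedelta(hours=6)                # assumed window for "a couple of hours before"


def parse_flow(line):
    """Parse one flow record into a dict; raises ValueError on a malformed line."""
    date, clock, proto, src, sport, dst, dport = line.split()
    return {
        "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
        "proto": proto.lower(),
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
    }


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def find_spam_bursts(flows):
    """Internal hosts whose SMTP destinations in one clock hour exceed the threshold."""
    per_hour = defaultdict(set)   # (src host, hour bucket) -> distinct SMTP destinations
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 25 and is_internal(f["src"]):
            bucket = f["ts"].replace(minute=0, second=0)
            per_hour[(f["src"], bucket)].add(f["dst"])
    return [
        {"host": host, "hour": bucket, "unique_dsts": len(dsts)}
        for (host, bucket), dsts in sorted(per_hour.items())
        if len(dsts) > SMTP_FANOUT_THRESHOLD
    ]


def find_ident_probes(flows):
    """Inbound external connections to TCP/113 on internal hosts, keyed by target host."""
    probes = defaultdict(list)
    for f in flows:
        if (f["proto"] == "tcp" and f["dport"] == 113
                and is_internal(f["dst"]) and not is_internal(f["src"])):
            probes[f["dst"]].append((f["ts"], f["src"]))
    return probes


def analyze(lines):
    """Return one alert per (host, hour) over the fan-out threshold, with any
    inbound 113 connections to that host in the look-back window attached."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    probes = find_ident_probes(flows)
    alerts = []
    for burst in find_spam_bursts(flows):
        window_start = burst["hour"] - PROBE_LOOKBACK
        window_end = burst["hour"] + timedelta(hours=1)
        burst["ident_probes"] = sorted(
            (ts, src) for ts, src in probes.get(burst["host"], [])
            if window_start <= ts < window_end
        )
        alerts.append(burst)
    return alerts


def constructed_sample():
    """Constructed flows, not captured traffic: one zombie, one ordinary mail host."""
    lines = [
        # ident probe far outside the look-back window: must be ignored
        "2004-07-22 10:00:00 tcp 198.51.100.9 40002 192.0.2.45 113",
        # single ident probe about three hours before the burst: must be attached
        "2004-07-23 00:12:03 tcp 198.51.100.7 40001 192.0.2.45 113",
    ]
    # zombie 192.0.2.45: 120 distinct SMTP destinations inside the 03:00 hour
    for i in range(120):
        lines.append(f"2004-07-23 03:{i % 60:02d}:{(i // 60) * 17:02d} tcp "
                     f"192.0.2.45 {50000 + i} 203.0.113.{i + 1} 25")
    # ordinary mail host 192.0.2.10: five destinations, well under the threshold
    for i in range(5):
        lines.append(f"2004-07-23 03:10:{i:02d} tcp 192.0.2.10 {51000 + i} "
                     f"198.51.100.{20 + i} 25")
    return lines


if __name__ == "__main__":
    for a in analyze(constructed_sample()):
        print(f"{a['host']} {a['hour']:%Y-%m-%d %H:00}: {a['unique_dsts']} SMTP peers; "
              f"prior 113 from {[src for _, src in a['ident_probes']] or 'none'}")
```

Run as-is it reports the zombie with 120 SMTP peers and the single 198.51.100.7 ident connection from three hours earlier, while the 17-hour-old probe and the five-peer mail host produce nothing. To use it against real data, replace `parse_flow` with one that reads your sensor's field layout and feed it the flows of a day, not an hour, so the look-back has something to find.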