[unisog] mysql bot

Russell Fulton r.fulton at auckland.ac.nz
Fri Jan 28 00:34:18 GMT 2005

On Thu, 2005-01-27 at 14:35 -0800, Peter Van Epp wrote:
> 	My partner in crime read of a mysqlbot (from http://isc.sans.org) 
> this morning on slashdot. We look to be seeing an increase in port 3306 scans 
> in the last couple of days (from about 150 K per day a week ago to ~180k for 
> yesterday).  So far none of ours scanning out, but it may be worth keeping 
> an eye out for this.

We saw a massive peak yesterday: 133K probes in an hour (1200-1300 local
-- 2300-0000 26 Jan UTC). It then dropped back to an (elevated) background
of about 5K probes per hour.  If I go back a week the background level
drops to less than 10 per hour.

Here are the top sources for the hour where we saw the big spike:

total sources 104

64716
62929
187
166
163
163
156
155
155
152
143
143
135
129
125
115

Both the big scans went through our /16 in under a minute! Addresses
were probed in random order; they missed a few (packet loss??).
