[unisog] mysql bot

Russell Fulton r.fulton at auckland.ac.nz
Fri Jan 28 00:34:18 GMT 2005


On Thu, 2005-01-27 at 14:35 -0800, Peter Van Epp wrote:
> 	My partner in crime read of a mysqlbot (from http://isc.sans.org) 
> this morning on slashdot. We look to be seeing an increase in port 3306 scans 
> in the last couple of days (from about 150 K per day a week ago to ~180k for 
> yesterday).  So far none of ours scanning out, but it may be worth keeping 
> an eye out for this.

We saw a massive peak yesterday, 133K probes in an hour (1200-1300 local
-- 2300-0000 26 Jan UTC); it then dropped back to an (elevated) background
of about 5K probes per hour.  If I go back a week the background level
drops to less than 10 per hour.

Here are the top sources for the hour where we saw the big spike:
total sources 104

82.165.36.96    64716
70.84.85.202    62929
193.158.190.233 187
68.190.21.119   166
218.87.169.77   163
81.94.84.210    163
212.166.177.198 156
85.224.160.171  155
218.3.61.243    155
201.14.147.8    152
130.79.154.95   143
148.223.4.87    143
200.93.56.58    135
219.93.1.13     129
200.114.142.254 125
61.90.83.188    115
....

Both the big scans went through our /16 in under a minute! Addresses
probed in random order, they missed a few (packet loss??).

Russell.
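
Added example, not part of the original post: one way to derive the kind of figures quoted above (probes per hour, and which sources swept many addresses in a short span) from flow records. The record layout (epoch seconds, source, destination, destination port), the function names and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

def hourly_counts(records, port=3306):
    """Probes to `port` per UTC hour, e.g. {'2005-01-26 23:00': n}."""
    hours = Counter()
    for ts, _src, _dst, dport in records:
        if dport == port:
            stamp = datetime.fromtimestamp(ts, timezone.utc)
            hours[stamp.strftime("%Y-%m-%d %H:00")] += 1
    return dict(hours)

def source_stats(records, port=3306):
    """Per source: (probes, distinct targets, seconds from first to last probe)."""
    seen = defaultdict(lambda: {"n": 0, "dsts": set(), "first": None, "last": None})
    for ts, src, dst, dport in records:
        if dport != port:
            continue
        s = seen[src]
        s["n"] += 1
        s["dsts"].add(dst)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return {src: (s["n"], len(s["dsts"]), s["last"] - s["first"])
            for src, s in seen.items()}

def fast_sweepers(stats, min_targets, max_seconds):
    """Sources that touched many distinct addresses within a short span."""
    return sorted(src for src, (_n, targets, span) in stats.items()
                  if targets >= min_targets and span <= max_seconds)

def make_sample():
    """Constructed records; all addresses are documentation/private ranges."""
    base = int(datetime(2005, 1, 26, 23, 0, tzinfo=timezone.utc).timestamp())
    recs = []
    # One source sweeping 500 hosts of 10.1.0.0/16 in scrambled order in 50 s.
    for i in range(500):
        host = (i * 7919) % 65536
        recs.append((base + i // 10, "192.0.2.10",
                     f"10.1.{host >> 8}.{host & 255}", 3306))
    # A slow background prober, plus one probe in the previous hour.
    for i in range(20):
        recs.append((base + i * 170, "198.51.100.7", f"10.1.0.{i}", 3306))
    recs.append((base - 1800, "198.51.100.7", "10.1.0.1", 3306))
    # Unrelated traffic that must not be counted.
    recs.append((base + 5, "203.0.113.5", "10.1.0.80", 80))
    return recs
```

Sorting the `source_stats` output by probe count gives a top-sources table of the same shape as the one in the message; the span column is what separates a sub-minute sweep from background probing.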