[SLUG] regular scan patterns from RR/TimeWarner

From: Robert Foxworth (rfoxwor1@tampabay.rr.com)
Date: Fri Nov 22 2002 - 13:11:20 EST


Re: scanning by RR in their own address space

I made a written note to myself; in my IDS at home I logged the
following (times EST, NTP synch'd):

6 Nov 05:00:39 from 24.30.199.228 attempt to port 1080 socks
6 Nov 05:18:51 from 24.30.199.228 attempt to port 3128 squid
6 Nov 06:31:39 from 24.30.199.228 attempt to port 8080 proxy

I am in the 24.94.x.x space. This source address, above, is the same as
that described below, rev lookup to the same name.

I get many other attempts at home from various 24.x.x.x addresses to port 80,
less so to 445. By far the most attempts from _any_ source address are to
port 137, trying to resolve netbios name "CKAAAAA..." (this is just * followed
by nulls). Many are coming from Poland now.

I am also getting several attempts a day from 24.94.39.9 looking for several
ports including 12345 and 27374, the subseven and netbus ports. I suspect it
is a trojanized machine. It is near Rochester NY in the southern tier of NY;
his workgroup is Capecci Wines/Tony Capecci but not findable in Google.
Wonder how long it will take RR to discover this. ?? (...stny.rr.com)

I see as many as 15 to 20 different IPs most every day trying any of a dozen
different ports. Again that's just at home. One that has really dropped off is
port 111, the RPC portmapper port. Guess the haker3 have decided that no one
on home connections runs unix. Ha.

Bob Foxworth

----- Original Message -----
From: "Ian C. Blenke" <icblenke@nks.net>
To: <slug@nks.net>; "Greg Schmidt" <slugmail@gschmidt.net>
Sent: Friday, November 22, 2002 10:01
Subject: Re: [SLUG] Does this open relay test look reasonable?

> They also do open HTTP proxy scans.
>
> Anyone notice other regular scan patterns from RR/TimeWarner management
> nodes?
>
> - Ian
>
> On Friday 22 November 2002 06:29, Greg Schmidt wrote:
> > RoadRunner hits my server with this open relay test. It looks
> > extensive, but I'm not sure what all of these tests are checking. Other
> > places have much shorter tests.
>
 (snip, etc.)

> > Subject: Postfix SMTP server: errors from
> > securityscan.sec.rr.com[24.30.199.228]
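As an added illustration (not part of the thread or anyone's posted code), a small Python parser for the note format Bob pasted above: it groups probes per source, tags the port groups the thread talks about (the 1080/3128/8080 proxy test, the netbus/subseven ports, NetBIOS/SMB), and flags a source that walks all three proxy ports the way securityscan.sec.rr.com did, even when the probes are spread over an hour or more. The year 2002, the 24.10.1.2 address and every sample line beyond Bob's three are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's note format: the first three lines are Bob's own;
# the rest are made up (24.94.39.9 is the source he names, 24.10.1.2 is invented).
SAMPLE_LOG = """\
6 Nov 05:00:39 from 24.30.199.228 attempt to port 1080 socks
6 Nov 05:18:51 from 24.30.199.228 attempt to port 3128 squid
6 Nov 06:31:39 from 24.30.199.228 attempt to port 8080 proxy
6 Nov 07:02:10 from 24.94.39.9 attempt to port 12345 netbus
6 Nov 07:02:11 from 24.94.39.9 attempt to port 27374 subseven
6 Nov 09:15:00 from 24.10.1.2 attempt to port 137 netbios
"""
LINE_RE = re.compile(
    r"^(?P<day>\d{1,2}) (?P<mon>[A-Za-z]{3}) (?P<time>\d\d:\d\d:\d\d) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) attempt to port (?P<port>\d+)")
# Port groups from the thread: the RR open-proxy test, netbus/subseven, NetBIOS/SMB.
PORT_CLASSES = {"open-proxy": {1080, 3128, 8080},
                "backdoor": {12345, 27374},
                "netbios": {137, 445}}
YEAR = 2002  # assumption: the notes carry no year; the post is from Nov 2002

def parse(log_text):
    # Return (timestamp, src, port) for every line in the note format.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{YEAR} {m['day']} {m['mon']} {m['time']}", "%Y %d %b %H:%M:%S")
            events.append((ts, m["src"], int(m["port"])))
    return events

def summarize(events):
    # Per source: ports hit, port groups matched, probing time span, and whether
    # all three proxy ports were walked (the RR sweep, even if spread over hours).
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    report = {}
    for src, hits in by_src.items():
        ports = {p for _, p in hits}
        times = [t for t, _ in hits]
        report[src] = {
            "ports": sorted(ports),
            "classes": sorted(c for c, ps in PORT_CLASSES.items() if ports & ps),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
            "proxy_sweep": PORT_CLASSES["open-proxy"] <= ports,
        }
    return report
```

Pointing `parse` at a file of such notes and printing `summarize(...)` gives one record per source; a record with `proxy_sweep` true and a span of an hour or more is the slow, spaced-out proxy test pattern Bob's three lines show.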



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:06:39 EDT