RE: [SLUG] regular scan patterns from RR/TimeWarner

From: wchast@utilpart.com
Date: Sat Nov 23 2002 - 10:15:12 EST


I wonder what is a quick and greasy way to make
a "honeypot" to see what you can get out of these
turkeys?
I was just looking at mine and almost all of them
are 137, there are a few 80's and there was one
to port 40378.

Be fun to mess with their brain (if they have one)

> -----Original Message-----
> From: Smitty [mailto:a.smitty@verizon.net]
> Sent: Friday, November 22, 2002 02:43 PM
> To: slug@nks.net
> Subject: Re: [SLUG] regular scan patterns from RR/TimeWarner
>
>
> On Friday 22 November 2002 13:11, you wrote:
> > Re: scanning by RR in their own address space
> >
> > I made a written note to myself, in my IDS at home I logged the
> > following: (times EST, NTP synch'd)
> >
> > 6 Nov 05:00:39 from 24.30.199.228 attempt to port 1080 socks
> > 6 Nov 05:18:51 from 24.30.199.228 attempt to port 3128 squid
> > 6 Nov 06:31:39 from 24.30.199.228 attempt to port 8080 proxy
> >
> > I am in the 24.94.x.x. space. This source address, above, is the same as
> > that described below, rev lookup to the same name.
> >
> > I get many other attempts at home from various 24.x.x.x addresses to port 80,
> > less so to 445. By far the most attempts from _any_ source address, are to port 137,
> > trying to resolve netbios name "CKAAAAA..." (this is just * followed by nulls).
> > Many are coming from Poland now.
>
> Ya, the most common scan is for 137. Lot of nice ms exploit
> possibilities from
> there.
> >
> > I am also getting several attempts a day from 24.94.39.9 looking for
> > several ports including 12345 and 27374, the subseven and netbus ports.
> > I suspect it is a trojanized machine. It is near Rochester NY in the southern
> > tier of NY, his workgroup is Capecci Wines/Tony Capecci but not findable in
> > Google.
> > Wonder how long it will take RR to discover this. ?? (...stny.rr.com)
>
> It is a zombie machine and Capecci may even have indication
> that it is and not
> want to do anything about it.
> >
> > I see as many as 15 to 20 different IPs most every day trying any of a
> > dozen different ports. Again that's just at home. One that has really
> > dropped off is port 111 the RPC portmapper port. Guess the haker3 have decided
> > that no one on home connections runs unix. Ha.
>
> Just for the heck of it, I followed my iptables logs one evening and pinged
> every host who scanned my box. Then did traceroutes on them. The activity
> actually abated a bit after doing this.
> >
> > Bob Foxworth
> >
>

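The IDS log format and the "CKAAAA..." NetBIOS name quoted in the thread, as an added example that summarises such entries per source and decodes the name (my own code, not from anyone in the thread; the log lines are constructed in the quoted format and the port labels are assumptions):

```python
"""Summarise scan-log lines in the shape quoted in the thread and decode the
NetBIOS first-level encoded name ("CKAAAA...") seen in port-137 probes."""
from collections import Counter

# Constructed sample in the "<day> <mon> <time> from <ip> attempt to port <n> <svc>" shape quoted above
SAMPLE_LOG = """\
6 Nov 05:00:39 from 24.30.199.228 attempt to port 1080 socks
6 Nov 05:18:51 from 24.30.199.228 attempt to port 3128 squid
6 Nov 06:31:39 from 24.30.199.228 attempt to port 8080 proxy
6 Nov 07:02:10 from 24.94.39.9 attempt to port 12345 netbus
6 Nov 07:02:11 from 24.94.39.9 attempt to port 27374 subseven
6 Nov 07:40:00 from 24.94.39.9 attempt to port 137 netbios-ns
"""

# Port groups the thread discusses (assumed labels, for triage only)
PROXY_PORTS = {1080, 3128, 8080}       # open-proxy hunting
TROJAN_PORTS = {12345, 27374}          # netbus / subseven backdoor hunting

def parse_log(text):
    """Yield (src_ip, port) from lines in the quoted format; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 9 and parts[3] == "from" and parts[5:8] == ["attempt", "to", "port"]:
            try:
                yield parts[4], int(parts[8])
            except ValueError:
                continue

def summarize(text):
    """Count probes per source and tag sources that hit proxy or trojan ports."""
    by_src = {}
    for ip, port in parse_log(text):
        entry = by_src.setdefault(ip, {"ports": Counter(), "tags": set()})
        entry["ports"][port] += 1
        if port in PROXY_PORTS:
            entry["tags"].add("open-proxy-hunt")
        if port in TROJAN_PORTS:
            entry["tags"].add("trojan-backdoor-hunt")
    return by_src

def decode_netbios_name(encoded):
    """Reverse NetBIOS first-level encoding: each byte is two chars 'A'+high nibble, 'A'+low nibble."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("expected 32 characters in the range A-P")
    return bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65) for i in range(0, 32, 2))

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, dict(info["ports"]), sorted(info["tags"]))
    print(decode_netbios_name("CK" + "A" * 30))  # b'*\x00...': the wildcard node-status query
```

The "CK" followed by thirty "A"s decodes to "*" plus fifteen nulls, which is the wildcard name used in a NetBIOS node-status query, so those port-137 hits are generic enumeration rather than a lookup of a specific host name.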
