Re: [SLUG] regular scan patterns from RR/TimeWarner

From: Jim Grant (jbgrant01@hotmail.com)
Date: Sat Nov 23 2002 - 10:49:51 EST


Check out www.honeynet.org/papers/honeynet

These are the guys who know how to do this stuff and do it well.
----- Original Message -----
From: <wchast@utilpart.com>
To: <slug@nks.net>
Sent: Saturday, November 23, 2002 10:15 AM
Subject: RE: [SLUG] regular scan patterns from RR/TimeWarner

> I wonder what is a quick and greasy way to make
> a "honeypot" to see what you can get out of these
> turkeys?
> I was just looking at mine and almost all of them
> are 137, there are a few 80's and there was one
> to port 40378.
>
> Be fun to mess with their brain (if they have one)
>
>
> > -----Original Message-----
> > From: Smitty [mailto:a.smitty@verizon.net]
> > Sent: Friday, November 22, 2002 02:43 PM
> > To: slug@nks.net
> > Subject: Re: [SLUG] regular scan patterns from RR/TimeWarner
> >
> >
> > On Friday 22 November 2002 13:11, you wrote:
> > > Re: scanning by RR in their own address space
> > >
> > > I made a written note to myself, in my IDS at home I logged the
> > > following: (times EST, NTP synch'd)
> > >
> > > 6 Nov 05:00:39 from 24.30.199.228 attempt to port 1080 socks
> > > 6 Nov 05:18:51 from 24.30.199.228 attempt to port 3128 squid
> > > 6 Nov 06:31:39 from 24.30.199.228 attempt to port 8080 proxy
> > >
> > > I am in the 24.94.x.x. space. This source address, above, is the same as
> > > that described below, rev lookup to the same name.
> > >
> > > I get many other attempts at home from various 24.x.x.x addresses to port
> > > 80, less so to 445. By far the most attempts from _any_ source address, are
> > > to port 137, trying to resolve netbios name "CKAAAAA..." (this is just *
> > > followed by nulls).
> > > Many are coming from Poland now.
> >
> > Ya, the most common scan is for 137. Lot of nice ms exploit possibilities
> > from there.
> > >
> > > I am also getting several attempts a day from 24.94.39.9 looking for
> > > several ports including 12345 and 27374, the subseven and netbus ports.
> > > I suspect it is a trojanized machine. It is near Rochester NY in the
> > > southern tier of NY, his workgroup is Capecci Wines/Tony Capecci but not
> > > findable in Google.
> > > Wonder how long it will take RR to discover this. ?? (...stny.rr.com)
> >
> > It is a zombie machine and Capecci may even have indication that it is and
> > not want to do anything about it.
> > >
> > > I see as many as 15 to 20 different IPs most every day trying any of a
> > > dozen different ports. Again that's just at home. One that has really
> > > dropped off is port 111 the RPC portmapper port. Guess the haker3 have
> > > decided that no one on home connections runs unix. Ha.
> >
> > Just for the heck of it, I followed my iptables logs one evening and pinged
> > every host who scanned my box. Then did traceroutes on them. The activity
> > actually abated a bit after doing this.
> > >
> > > Bob Foxworth
> > >
> >
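The "CKAAAAA..." name in the quoted logs is the NetBIOS wildcard "*" after RFC 1001 first-level encoding (each nibble of the 16-byte name becomes a letter 'A'..'P'). The following is an added example, not code from the thread or from the Honeynet paper: a small Python decoder and parser for UDP/137 name-service queries that flags the wildcard node-status probe. The packet bytes, transaction id and the "WORKGROUP" name are constructed here for illustration.

```python
import struct

NBSTAT = 0x21  # QTYPE of a node status request (the probe nbtstat -A sends)

def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> str:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    suffix byte, then turn every nibble into a letter 'A'..'P'."""
    raw = name.encode("ascii").ljust(15, pad) + bytes([suffix])
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0xF)) for b in raw)

def decode_netbios_name(encoded: str) -> tuple[str, int]:
    """Inverse of the above; returns (name without padding, suffix byte)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

def parse_nbns_query(pkt: bytes) -> dict:
    """Parse the header and first question of a NetBIOS Name Service
    (UDP/137) packet: 12-byte DNS-style header, one length-prefixed label."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    label_len = pkt[12]
    encoded = pkt[13:13 + label_len].decode("ascii")
    off = 13 + label_len + 1          # skip the terminating zero-length label
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    name, suffix = decode_netbios_name(encoded)
    return {"txid": txid, "flags": flags, "name": name,
            "suffix": suffix, "qtype": qtype, "qclass": qclass}

def is_wildcard_nbstat(pkt: bytes) -> bool:
    """True for the '*'-name node status probe described in the thread."""
    q = parse_nbns_query(pkt)
    return q["name"] == "*" and q["qtype"] == NBSTAT

def build_nbns_query(name: str, qtype: int, pad: bytes = b" ",
                     txid: int = 0x1234) -> bytes:
    """Constructed sample packet (flags 0, one question) used for testing."""
    label = encode_netbios_name(name, pad=pad).encode("ascii")
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + bytes([len(label)]) + label + b"\x00" + struct.pack("!HH", qtype, 1)

# constructed samples: the wildcard probe from the logs, and a benign name query
WILDCARD_PROBE = build_nbns_query("*", NBSTAT, pad=b"\x00")
NAME_QUERY = build_nbns_query("WORKGROUP", 0x20)

if __name__ == "__main__":
    print(parse_nbns_query(WILDCARD_PROBE)["name"], is_wildcard_nbstat(WILDCARD_PROBE))
```

Feeding captured UDP/137 payloads through is_wildcard_nbstat separates the blanket "*" enumeration probes from ordinary name lookups before deciding what to log or block.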



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:08:34 EDT