Re: [fw-wiz] Odd scan to port 36867
From: JERRY MURTLAND (jmurtlan_at_insight.rr.com)
Date: 11/24/04
- Previous message: Warren Verbanec: "RE: [fw-wiz] Checkpoint NAT H.323 support"
- In reply to: Ben Nagy: "RE: [fw-wiz] Odd scan to port 36867"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Ben Nagy" <ben@iagu.net>, "'SiegeX'" <siegex@atozcomp.com>
Date: Tue, 23 Nov 2004 23:13:07 -0500
Lots of scans coming from home DSL users out of Canada lately. I've noticed
a peak from there on my honeypot. Can't be biased though, they do come from
everywhere...
Jerry Murtland
----- Original Message -----
From: "Ben Nagy" <ben@iagu.net>
To: "'SiegeX'" <siegex@atozcomp.com>
Cc: <firewall-wizards@honor.icsalabs.com>
Sent: Tuesday, November 16, 2004 4:29 AM
Subject: RE: [fw-wiz] Odd scan to port 36867
> Could be malware activity, or someone scanning for backdoors / botnets.
> None of the current big name malware uses that port by default AFAIK, but I
> guess there could be variants.
>
> Personally, I'd be interested in seeing more of the logs - there might be
> patterns in the source port, IPID etc which often indicate that it's
> malware generated. You can send those through to me direct if you don't
> want to bore the list.
>
> The TTL is 103 - that means it's odds on that this traffic came from a
> Windows system. Default TTL is 64 on most of the unix / linux variants (it
> could be VMS, but there are too many unique sources!). If your logs show
> other packets with TTL 0<ttl<64 then it's almost certainly scanning
> activity, not malware, since it's cross platform.
>
> rDNS says this is ip142177185232.mpoweredpc.net so this _particular_ probe
> seems to be a home user in Canada - it's a sneaky Canadian, not a sneaky
> German.
>
> SANS Dshield is dead right now, but normally I would also check there, to
> see if what you're seeing is backed up by a local / global increase. You
> could also submit it to the handlers there, they do good Sherlock Holmes
> work, if they've got time.
>
> If this is what it looks like (perps scanning for non-standard backdoors)
> then it would be good to investigate further. Then again it could just be
> nothing, who knows.
>
> Cheers,
>
> ben
>
>> -----Original Message-----
>> From: firewall-wizards-admin@honor.icsalabs.com
>> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of SiegeX
>> Sent: Monday, November 15, 2004 3:05 AM
>> To: firewall-wizards@honor.icsalabs.com
>> Subject: [fw-wiz] Odd scan to port 36867
>>
>> Hi guys, I recently decided to write a simple bash script to
>> go through all my iptables logs and see which ports were
>> being hit the most. Note that I only logged NEW connections
>> to ports that aren't open on my computer. Here are the top 10 results:
>>
>> 495 36867
> [...]
>> Below is a sample from my iptables logs so you can see what I'm parsing.
>>
>> Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT=
>> MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00
>> SRC=142.177.185.232 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00
>> TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867
>> SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0
>>
>> Just to make sure that this port is not being hit by one or
>> two different guys, I parsed my logs to see how many unique
>> IPs were hitting port 36867 and I came up with 173 unique
>> IPs.
> [...]
>> I've yet to cross reference the 173 unique IPs
>> hitting port 36867 to Maxmind's database, but I have a strong
>> feeling that they are coming from Germany. I hope you guys
>> have a better clue what's going on than I do. Thanks.
>>
>> -Sean
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
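The two analyses discussed in the thread, Sean's "top destination ports and unique sources per port" pass over iptables LOG lines and Ben's TTL-based guess at the sender's platform, as one added POSIX shell example. This is not Sean's script nor anything from the list; the log sample is constructed (the first line is the one Sean posted, the rest are invented with RFC 5737 documentation addresses), and the TTL buckets are an assumption following Ben's reasoning (initial TTL 64 on most Unix-likes, 128 on Windows, 255 for anything higher).

```shell
#!/bin/sh
# Added example, not the original poster's script. Parses iptables LOG lines
# of the KEY=VALUE shape shown in the thread with awk only, so it runs on a
# stock /bin/sh without GNU extensions.

# Constructed sample: line 1 is the real line from the thread; the others are
# invented, using 192.0.2.0/24 and 198.51.100.0/24 documentation addresses.
SAMPLE_LOG='Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=142.177.185.232 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867 SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:52:01 maximus possible_hack IN=eth0 OUT= SRC=192.0.2.10 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=110 ID=1 DF PROTO=TCP SPT=3412 DPT=36867 SEQ=1 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:52:44 maximus possible_hack IN=eth0 OUT= SRC=192.0.2.11 DST=X.X.X.X LEN=60 TOS=00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40010 DPT=36867 SEQ=2 ACK=0 WINDOW=5840 SYN URGP=0
Nov 14 10:53:10 maximus possible_hack IN=eth0 OUT= SRC=192.0.2.10 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=110 ID=3 DF PROTO=TCP SPT=3413 DPT=36867 SEQ=3 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:54:02 maximus possible_hack IN=eth0 OUT= SRC=198.51.100.7 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=116 ID=4 DF PROTO=TCP SPT=1025 DPT=445 SEQ=4 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:54:30 maximus possible_hack IN=eth0 OUT= SRC=198.51.100.8 DST=X.X.X.X LEN=60 TOS=00 PREC=0x00 TTL=48 ID=5 DF PROTO=TCP SPT=50200 DPT=445 SEQ=5 ACK=0 WINDOW=5840 SYN URGP=0
Nov 14 10:55:15 maximus possible_hack IN=eth0 OUT= SRC=192.0.2.11 DST=X.X.X.X LEN=60 TOS=00 PREC=0x00 TTL=52 ID=6 DF PROTO=TCP SPT=40011 DPT=22 SEQ=6 ACK=0 WINDOW=5840 SYN URGP=0'

# Read log lines on stdin; print "count port", busiest destination port first.
top_ports() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) n[substr($i, 5)]++ }
         END { for (p in n) print n[p], p }' | sort -rn
}

# Read log lines on stdin; print the number of distinct SRC addresses that
# hit destination port $1 (Sean's "173 unique IPs" check).
unique_sources_for_port() {
    awk -v port="$1" '
        { src = ""; dpt = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^SRC=/) src = substr($i, 5)
              if ($i ~ /^DPT=/) dpt = substr($i, 5)
          }
          if (dpt == port && !(src in seen)) { seen[src] = 1; c++ } }
        END { print c + 0 }'
}

# Map an observed TTL to its probable initial-TTL family (assumed buckets,
# following Ben's reasoning: <=64 Unix-like, <=128 Windows, else 255).
ttl_family() {
    if [ "$1" -le 64 ]; then echo 64
    elif [ "$1" -le 128 ]; then echo 128
    else echo 255
    fi
}

# Read log lines on stdin; for destination port $1 print "count family" so a
# port hit only from one TTL family looks like one tool/platform, while a mix
# across families points at cross-platform scanning rather than one worm.
ttl_families_for_port() {
    awk -v port="$1" '
        { ttl = 0; dpt = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^TTL=/) ttl = substr($i, 5) + 0
              if ($i ~ /^DPT=/) dpt = substr($i, 5)
          }
          if (dpt != port) next
          fam = (ttl <= 64) ? 64 : ((ttl <= 128) ? 128 : 255)
          n[fam]++ }
        END { for (f in n) print n[f], f }' | sort -k2,2n
}

# Stand-alone run over the constructed sample.
echo "== hits per destination port =="
printf '%s\n' "$SAMPLE_LOG" | top_ports
echo "== unique sources hitting 36867 =="
printf '%s\n' "$SAMPLE_LOG" | unique_sources_for_port 36867
echo "== TTL families seen on 36867 (count family) =="
printf '%s\n' "$SAMPLE_LOG" | ttl_families_for_port 36867
```

To use it on a real box, replace the `printf '%s\n' "$SAMPLE_LOG"` feeds with `grep possible_hack /var/log/messages` (or wherever the LOG target writes), and raise the bucket thresholds to whatever initial TTLs your own hosts are seen with before reading anything into the 64/128 split.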