[Full-Disclosure] could use some help with this logging

From: Peter (full-disclosure_at_icebear.net)
Date: 11/10/04

  • Next message: Paul Starzetz: "[Full-Disclosure] Linux ELF loader vulnerabilities"
    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 10 Nov 2004 11:52:37 +0100
    
    

    Hi
     
    I was hoping someone could kinda help me. I have some reporting from our
    firewall that produces the following output. I have to analyze this traffic,
    but I have to confess that I cannot make out if this traffic is malicious
    or not, or what it is, except for the obvious port 80 and port 443.
     
    I hope someone could give me some hints about the traffic.
     
     
    Regards, Peter
     
    ----------------------
     

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
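An added example, not part of Peter's post: a small Python parser for the report layout he pasted (one `From source address:` block per source, `* Destination: name [ip] (N hits to M ports)` records, then `* port (hits)` lines), with a triage helper that names the shape every destination in the report shares, namely ports 80 and 443 hit with near-identical counts plus one or more high ports. The sample report, hostnames, addresses and counts are constructed; the un-wrapping step exists because the pasted report has destination lines broken by mail wrapping.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of the report in the post (made-up hosts,
# addresses and counts); the last destination line is wrapped on purpose.
REPORT = """\
From source address: [145.0.0.1] (2027 hits to 2 Destinations)
* Destination: host-a.example.net [192.0.2.10] (1727 hits to 3 ports)
* 17067 (1379)
* 443 (174)
* 80 (174)
* Destination: long-name.example.org
[203.0.113.5] (300 hits to 2 ports)
* 443 (200)
* 80 (100)
"""

SRC_RE = re.compile(r"^From source address: \[([^\]]+)\]")
DST_RE = re.compile(r"^\* Destination: (?:(\S+) )?\[([^\]]+)\]")
PORT_RE = re.compile(r"^\* (\d+) \((\d+)\)$")

def unwrap(text):
    """Re-join mail-wrapped lines: records start with '* ' or 'From '."""
    out = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith(("* ", "From ")) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def parse_report(text):
    """Return {source: {dest_ip: {port: hits}}} from the report text."""
    sources = defaultdict(lambda: defaultdict(dict))
    src = dst = None
    for line in unwrap(text):
        if m := SRC_RE.match(line):
            src, dst = m.group(1), None
        elif m := DST_RE.match(line):
            dst = m.group(2)
        elif (m := PORT_RE.match(line)) and src and dst:
            sources[src][dst][int(m.group(1))] = int(m.group(2))
    return sources

def triage(ports):
    """Name the shape seen throughout the post: 80 and 443 with (near)
    equal counts plus one or more high ports, so the report can be sorted."""
    high = sorted(p for p in ports if p > 1023)
    if 80 in ports and 443 in ports and abs(ports[80] - ports[443]) <= 1 and high:
        return f"web pair x{ports[80]} + high ports {high}"
    return "no pattern"
```

Running `triage` over every destination from `parse_report` turns the long listing into a few distinct shapes, which is the first question to answer before deciding whether the traffic is benign or needs a packet capture.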
