[Full-Disclosure] could use some help with this logging

From: Peter (full-disclosure_at_icebear.net)
Date: 11/10/04

  • Next message: Paul Starzetz: "[Full-Disclosure] Linux ELF loader vulnerabilities"
    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 10 Nov 2004 11:52:37 +0100
    
    

    Hi
     
    I was hoping someone could kinda help me. I have some reporting from our
    firewall that produces the following output. I have to analyze this traffic
    but I have to confess that I cannot make out if this traffic is malicious
    or not, or what it is, except for the obvious port 80 and port 443.
     
    I hope someone could give me some hints about the traffic.
     
     
    Regards, Peter
     
    ----------------------
     

    From source address: [145.x.x.x] (339970 hits to 751 Destinations)

    * Destination: [66.235.181.59] (10066 hits to 11 ports)
        30816 (1020), 32800 (1020), 34840 (695), 36896 (647), 443 (1480), 46992 (1033), 47488 (702), 51040 (696), 51536 (1286), 80 (1480)
    * Destination: [80.160.91.12] (4721 hits to 6 ports)
        11656 (1708), 15768 (1345), 17824 (689), 443 (486), 80 (486)
    * Destination: herning.hostero.pil.dk [195.41.47.100] (3936 hits to 6 ports)
        23400 (689), 32488 (689), 443 (429), 58672 (1376), 80 (429), 9736 (324)
    * Destination: host-103-142-230-24.midco.net [24.230.142.103] (1937 hits to 3 ports)
        443 (115), 54576 (1707), 80 (115)
    * Destination: dhcp085150.res-hall.northwestern.edu [199.74.85.150] (1805 hits to 3 ports)
        36865 (1315), 443 (245), 80 (245)
    * Destination: bzq-82-81-199-233.cablep.bezeqint.net [82.81.199.233] (1753 hits to 3 ports)
        27447 (1225), 443 (264), 80 (264)
    * Destination: host243-217.eksjo.com [195.49.243.217] (1732 hits to 3 ports)
        443 (181), 52238 (1370), 80 (181)
    * Destination: syr-69-201-1-3.twcny.rr.com [69.201.1.3] (1727 hits to 3 ports)
        17067 (1379), 443 (174), 80 (174)
    * Destination: [202.199.162.97] (1712 hits to 3 ports)
        443 (188), 49307 (1336), 80 (188)
    * Destination: studentcnsat.ncl.ac.uk [128.240.4.237] (1712 hits to 3 ports)
        39793 (1376), 443 (168), 80 (168)
    * Destination: sm-pc314.sm.luth.se [130.240.3.87] (1705 hits to 3 ports)
        443 (163), 51563 (1379), 80 (163)
    * Destination: 68-185-51-218.wa.charter.com [68.185.51.218] (1699 hits to 3 ports)
        29253 (1356), 443 (172), 80 (171)
    * Destination: henz214-dharnisch-dellpc2.unl.edu [129.93.84.97] (1679 hits to 3 ports)
        44286 (1373), 443 (153), 80 (153)
    * Destination: ip68-13-164-36.om.om.cox.net [68.13.164.36] (1677 hits to 3 ports)
        13699 (1361), 443 (158), 80 (158)
    * Destination: 3E6B1B51.rev.stofanet.dk [62.107.27.81] (1669 hits to 3 ports)
        443 (155), 5472 (1359), 80 (155)
    * Destination: YahooBB220006060057.bbtec.net [220.6.60.57] (1659 hits to 3 ports)
        443 (148), 44753 (1363), 80 (148)
    * Destination: c-495070d5.027-317-73746f7.cust.bredbandsbolaget.se [213.112.80.73] (1658 hits to 3 ports)
        33435 (1374), 443 (142), 80 (142)
    * Destination: errorek.sh.cvut.cz [147.32.118.118] (1647 hits to 3 ports)
        13972 (1375), 443 (136), 80 (136)
    * Destination: 82-35-52-107.cable.ubr03.camd.blueyonder.co.uk [82.35.52.107] (1635 hits to 3 ports)
        443 (257), 64553 (1121), 80 (257)
    * Destination: c-24-125-75-142.va.client2.attbi.com [24.125.75.142] (1617 hits to 3 ports)
        443 (127), 52838 (1363), 80 (127)
    * Destination: YahooBB220026145016.bbtec.net [220.26.145.16] (1616 hits to 3 ports)
        15850 (1300), 443 (158), 80 (158)
    * Destination: ip-56.59.home-lan.fastnet.lv [80.81.59.56] (1584 hits to 3 ports)
        31202 (1242), 443 (171), 80 (171)
    * Destination: 24-205-105-48.rno-cres.charterpipeline.net [24.205.105.48] (1562 hits to 3 ports)
        443 (271), 55645 (1020), 80 (271)
    * Destination: rs-64-246-49-61.ev1.net [64.246.49.61] (1535 hits to 3 ports)
        443 (261), 7856 (1013), 80 (261)
    * Destination: modemcable128.159-203-24.mc.videotron.ca [24.203.159.128] (1528 hits to 3 ports)
        443 (76), 59950 (1376), 80 (76)
    * Destination: [212.179.162.1722] (1525 hits to 3 ports)
        34489 (1027), 443 (249), 80 (249)

    From source address: [145.x.x.x] (236377 hits to 324 Destinations)

    * Destination: rs-64-246-49-61.ev1.net [64.246.49.61] (5936 hits to 7 ports)
        11912 (788), 17944 (788), 20480 (788), 3760 (788), 443 (998), 7856 (788), 80 (998)
    * Destination: [66.235.181.59] (5858 hits to 7 ports)
        15432 (788), 20480 (789), 34840 (788), 36896 (789), 443 (958), 44968 (788), 80 (958)
    * Destination: herning.hostero.pil.dk [195.41.47.100] (4664 hits to 6 ports)
        15776 (788), 443 (756), 63680 (788), 7784 (788), 80 (756), 9736 (788)
    * Destination: pk47st119.uio.no [129.240.47.119] (1246 hits to 3 ports)
        3367 (788), 443 (229), 80 (229)
    * Destination: [220.234.32.84] (1234 hits to 3 ports)
        3661 (788), 443 (223), 80 (223)
    * Destination: c213-100-56-238.swipnet.se [213.100.56.238] (1230 hits to 3 ports)
        443 (221), 46934 (788), 80 (221)
    * Destination: rliex01.studbost.vxu.se [194.47.126.123] (1228 hits to 3 ports)
        443 (220), 44378 (788), 80 (220)
    * Destination: i222-150-141-238.s05.a008.ap.plala.or.jp [222.150.141.238] (1226 hits to 3 ports)
        443 (219), 44764 (788), 80 (219)
    * Destination: catv-d5de8038.catv.broadband.hu [213.222.128.56] (1224 hits to 3 ports)
        443 (218), 80 (218), 8014 (788)
    * Destination: [200.222.81.173] (1221 hits to 3 ports)
        443 (216), 45805 (789), 80 (216)
    * Destination: cablep-179-105-241.cablep.bezeqint.net [212.179.105.241] (1220 hits to 3 ports)
        443 (216), 61365 (788), 80 (216)
    * Destination: sr-145.srtb05.resnet.ubc.ca [128.189.142.145] (1220 hits to 3 ports)
        443 (216), 55964 (788), 80 (216)
    * Destination: [163.23.218.93] (1220 hits to 3 ports)
        14457 (788), 443 (216), 80 (216)
    * Destination: c-208672d5.02-66-73746f42.cust.bredbandsbolaget.se [213.114.134.32] (1219 hits to 3 ports)
        443 (215), 54259 (789), 80 (215)
    * Destination: rdu162-239-101.nc.rr.com [24.162.239.101] (1219 hits to 3 ports)
        443 (215), 80 (215), 9014 (789)
    * Destination: [83.209.5.16] (1217 hits to 3 ports)
        14657 (789), 443 (214), 80 (214)
    * Destination: [210.107.135.91] (1217 hits to 3 ports)
        443 (214), 48383 (789), 80 (214)
    * Destination: drzhangpc.cs.wright.edu [130.108.13.154] (1216 hits to 3 ports)
        24071 (788), 443 (214), 80 (214)
    * Destination: d5153A343.kabel.telenet.be [81.83.163.67] (1215 hits to 3 ports)
        36119 (789), 443 (213), 80 (213)
    * Destination: gislab4.csie.thu.edu.tw [140.128.101.74] (1214 hits to 3 ports)
        443 (213), 57818 (788), 80 (213)
    * Destination: cs2426239-108.satx.rr.com [24.26.239.108] (1212 hits to 3 ports)
        36519 (788), 443 (212), 80 (212)
    * Destination: bzq-218-158-130.cablep.bezeqint.net [81.218.158.130] (1210 hits to 3 ports)
        443 (211), 80 (211), 8303 (788)
    * Destination: orff.wiwi.uni-rostock.de [139.30.131.69] (1210 hits to 3 ports)
        443 (211), 58252 (788), 80 (211)
    * Destination: c906156e.virtua.com.br [201.6.21.110] (1210 hits to 3 ports)
        443 (211), 6557 (788), 80 (211)
    * Destination: pc-202-169-152-251.cable.kumin.ne.jp [202.169.152.251] (1210 hits to 3 ports)
        443 (211), 64700 (788), 80 (211)
    * Destination: CPE-65-30-247-82.mn.rr.com [65.30.247.82] (1209 hits to 3 ports)
        10791 (789), 443 (210), 80 (210)

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
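Added example, not part of Peter's post and not any firewall vendor's tooling: a Python script that parses the report layout quoted above and runs three checks a reader of such a dump would want before deciding anything. First, whether each destination's header totals agree with the port rows actually listed (in the post, the first two destination blocks list one port fewer than their headers claim and their hit sums fall short, so the report is truncated). Second, whether every address is a well-formed IPv4 address (the post contains [212.179.162.1722], which is not). Third, whether a destination shows the profile that repeats through the whole dump: ports 80 and 443 with identical counts plus one or more ports above 1023. The script only surfaces that profile; counts alone do not say whether the traffic is malicious, and the sample input below is constructed from a few destinations copied out of the post, with one header folded across two lines the way long lines are wrapped when a report is pasted into mail.

```python
import ipaddress
import re

# Constructed sample in the layout of the firewall summary quoted in the post.
# The three destinations are copied from it; the second header is folded across
# two lines as a mail client wraps long lines.
SAMPLE_REPORT = """\
From source address: [145.x.x.x] (339970 hits to 751 Destinations)
* Destination: [66.235.181.59] (10066 hits to 11 ports)
* 30816 (1020)
* 32800 (1020)
* 34840 (695)
* 36896 (647)
* 443 (1480)
* 46992 (1033)
* 47488 (702)
* 51040 (696)
* 51536 (1286)
* 80 (1480)
* Destination: 24-205-105-48.rno-cres.charterpipeline.net
[24.205.105.48] (1562 hits to 3 ports)
* 443 (271)
* 55645 (1020)
* 80 (271)
* Destination: [212.179.162.1722] (1525 hits to 3 ports)
* 34489 (1027)
* 443 (249)
* 80 (249)
"""

SRC_RE = re.compile(r"^From source address: \[([^\]]+)\] \((\d+) hits to (\d+) Destinations\)")
DST_RE = re.compile(r"^\* Destination: (?:(\S+) )?\[([^\]]+)\] \((\d+) hits to (\d+) ports\)")
PORT_RE = re.compile(r"^\* (\d+) \((\d+)\)$")


def unfold(text):
    """Join wrapped continuation lines (anything not starting a record) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("* ") or line.startswith("From source"):
            lines.append(line)
        elif lines:
            lines[-1] += " " + line
    return lines


def parse_report(text):
    """Return [{src, hits, n_dst, destinations: [{host, ip, hits, n_ports, ports: {port: hits}}]}]."""
    sources, dst = [], None
    for line in unfold(text):
        m = SRC_RE.match(line)
        if m:
            sources.append({"src": m.group(1), "hits": int(m.group(2)),
                            "n_dst": int(m.group(3)), "destinations": []})
            dst = None
            continue
        m = DST_RE.match(line)
        if m and sources:
            dst = {"host": m.group(1), "ip": m.group(2), "hits": int(m.group(3)),
                   "n_ports": int(m.group(4)), "ports": {}}
            sources[-1]["destinations"].append(dst)
            continue
        m = PORT_RE.match(line)
        if m and dst is not None:
            dst["ports"][int(m.group(1))] = int(m.group(2))
    return sources


def check_destination(dst):
    """Return a list of observations about one destination block."""
    notes = []
    ports = dst["ports"]
    try:
        ipaddress.ip_address(dst["ip"])
    except ValueError:
        notes.append(f"malformed address {dst['ip']!r}")
    # Header totals versus the rows actually present: a mismatch means the
    # summary was truncated and some port is missing from the listing.
    listed = sum(ports.values())
    if len(ports) != dst["n_ports"] or listed != dst["hits"]:
        notes.append(f"header says {dst['hits']} hits/{dst['n_ports']} ports, rows show "
                     f"{listed} hits/{len(ports)} ports (report truncated?)")
    # The profile that repeats through the post: 80 and 443 with identical
    # counts, and every remaining port above 1023.
    if 80 in ports and 443 in ports and ports[80] == ports[443]:
        high = sorted(p for p in ports if p > 1023)
        low_other = [p for p in ports if p <= 1023 and p not in (80, 443)]
        if high and not low_other:
            notes.append(f"80/443 paired ({ports[80]} each) + high ports {high}")
    return notes


def analyse(text):
    """Map destination ip -> notes, for destinations that triggered at least one check."""
    findings = {}
    for src in parse_report(text):
        for dst in src["destinations"]:
            notes = check_destination(dst)
            if notes:
                findings[dst["ip"]] = notes
    return findings


if __name__ == "__main__":
    for ip, notes in analyse(SAMPLE_REPORT).items():
        print(ip)
        for note in notes:
            print("   ", note)
```

To run it over the whole dump, pass the pasted report text to `analyse()`; the unfolding step is what makes wrapped header lines parse, so keep the original line breaks rather than hand-editing them.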
