Re: 6112/TCP scans
From: Paul Dokas (dokas@cs.umn.edu)Date: 12/11/01
- Previous message: Seamus Hartmann: "Internal Machine making many attempts to connect to Internet on 1 37"
- In reply to: dewt: "Re: 6112/TCP scans"
- Next in thread: Neil Long: "Re: 6112/TCP scans"
- Reply: Neil Long: "Re: 6112/TCP scans"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 11 Dec 2001 15:18:58 -0600 From: Paul Dokas <dokas@cs.umn.edu> To: dewt <dewt@kc.rr.com>
On Fri, Dec 07, 2001 at 05:57:42PM -0600, dewt wrote:
> On Friday 07 December 2001 03:14 pm, Paul Dokas wrote:
> > Is anyone else seeing large numbers of 6112/TCP scan coming from
> > 63.240.0.0 - 63.242.255.255? I'm seeing about 10/minute destined to
> > random IPs within my networks. The scanning technique looks exactly
> > like the TCPMUX scans that were occuring a few months ago (forgive me,
> > I can't remember what the technique was, just that it was really odd).
> >
> > Obviously, they're looking for vulnerable CDE installations.
> >
> > Paul
>
> 6112 is the port used by blizzard's battlenet, you might just have people
> playing diablo 2,starcraft, or whatever on your network
You know, at first, this sounded right to me. However, over the weekend
and yesterday, my IDS picked up lots of this:
Time Source IP Dest IP Protocol Src Port Dest Port Type Connections/Packets
9-Dec-2001 12:56:27 63.240.202.138 A.B.C.26 6 1248 6112 bad dst port 1
9-Dec-2001 12:56:27 63.240.202.138 A.B.E.27 6 1193 6112 bad dst port 1
9-Dec-2001 12:56:37 63.240.202.138 A.B.F.69 6 1208 6112 bad dst port 1
9-Dec-2001 12:55:56 63.240.202.138 A.B.G.38 6 1128 6112 bad dst port 1
9-Dec-2001 12:56:07 63.240.202.138 A.B.G.43 6 1139 6112 bad dst port 1
9-Dec-2001 12:56:57 63.240.202.138 A.B.D.116 6 1127 6112 bad dst port 1
9-Dec-2001 12:57:37 63.240.202.138 A.B.D.105 6 1099 6112 bad dst port 1
9-Dec-2001 12:57:37 63.240.202.138 A.B.G.100 6 1176 6112 bad dst port 1
.
.
.
Where I've replace my IP addresses with 'A.B.[CDEFG].' All of the packets
were 40bytes and not all of the destination IP addresses are being used.
The source of the packets were 63.240.202.138, 63.240.202.139 and
63.240.202.140, the destination was always 6112/TCP. I've got ~450
packets over the 4 day period from 00:00 GMT+6 12/8 through this morning
for my /21 network.
To me, it looks like there was a slow scan with randomized destinations going
until Friday. Then it seems to have switched to a faster type of scan, or
possibly to just scanning my class A or B network.
Also, there does appear to be legitimate battlenet traffic going to that
area of the Internet. Perhaps someone is scanning from those IPs specifically
to hide within the legit battlenet traffic?
Paul
-- Paul Dokas dokas@cs.umn.edu ====================================================================== Don Juan Matus: an enigma wrapped in mystery wrapped in a tortilla.---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Previous message: Seamus Hartmann: "Internal Machine making many attempts to connect to Internet on 1 37"
- In reply to: dewt: "Re: 6112/TCP scans"
- Next in thread: Neil Long: "Re: 6112/TCP scans"
- Reply: Neil Long: "Re: 6112/TCP scans"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
