RE: Subseven Scans

From: Robert Buckley (rbuckley@synapsemail.com)
Date: 08/13/02


From: Robert Buckley <rbuckley@synapsemail.com>
To: "'Baribault, Gary'" <gary@baribault.net>, grdnwsl <grdnwsl@mrichi.com>, Rob Keown <Keown@MACDIRECT.COM>
Date: Tue, 13 Aug 2002 06:44:54 -0400

Here is a snippet from my Shadow IDS report on the matter...
This isn't the first report either. We were probed at least one more time, at a
later date.

A Sequentially Distributed RECON probe for SubSeven V 2.1 port 27374 started
on Jul-17-2002 at 15:39:31 hours and ended on Jul-17-2002 at 22:36:34 hours.

The success of the attack was rated under the success rate algorithm as a -3:
(criticality + lethality) - (netcounters + hostcounters)
(3 + 5) - (5 + 5) = -3

The analysis proved that 23 separate hosts were used for the attack, each
host probing our entire external class C for approx. 1 minute on one single
port (27374 TCP). There was a time lapse between each scan sweep, which
indicated the attack was not used for a distributed denial of service.
It also indicates that it is possible the attack was performed by one
individual controlling many hosts. The TTL values and the WINDOW SIZE values
were examined for differences, and indicated that these hosts were not used
as decoys, nor were their addresses spoofed.

A recon probe against the attacking hosts that were up indicated that they
are all Windows hosts, all with port 139 open to the public. Some hosts did
show signs of being compromised and had viruses present. It was determined
that all attacking hosts are unknowingly being used to attack other systems.
No IP registry trace was done on the attacking hosts for that reason.

No hosts from our range responded to the attack.

Below is the base information on the hosts used during the attack.

218.233.3.203 (15:39:31 - 15:40:26) TTL = 110, Win = 8192
66.24.202.248 (15:41:49 - 15:42:49) TTL = 46, Win = 4000
211.228.10.15 (15:41:49 - 15:42:41) TTL = 112, Win = 16384
24.71.34.22 (16:35:50 - 16:36:46) TTL = 112, Win = 8192
211.236.200.147 (16:41:30 - 16:42:22) TTL = 111, Win = 16384
216.236.40.220 (16:47:30 - 16:47:52) TTL = 118, Win = 8192
142.179.234.35 (17:13:23 - 17:13:57) TTL = 112, Win = 8192
218.154.176.67 (17:29:55 - 17:30:40) TTL = 112, Win = 16384
61.84.235.145 (17:57:36 - 17:58:17) TTL = 112, Win = 8192
217.128.15.218 (18:50:30 - 18:51:31) TTL = 115, Win = 32768
211.207.25.102 (18:55:48 - 18:56:39) TTL = 112, Win = 8192
151.30.194.39 (20:08:26 - 20:09:17) TTL = 113, Win = 32768
24.112.88.252 (20:17:15 - 20:17:49) TTL = 111, Win = 8192
65.29.80.22 (20:41:11 - 20:41:46) TTL = 112, Win = 8192
213.225.61.124 (20:56:42 - 20:57:26) TTL = 113, Win = 16384
61.79.94.143 (21:13:42 - 21:14:32) TTL = 112, Win = 8192
62.64.233.250 (21:17:02 - 21:17:53) TTL = 111, Win = 8192
206.30.150.213 (21:35:39 - 21:36:23) TTL = 109, Win = 8760
209.245.195.93 (21:36:08 - 21:36:54) TTL = 114, Win = 8760
211.200.87.28 (21:36:30 - 21:37:14) TTL = 112, Win = 16384
211.221.103.44 (22:12:23 - 22:13:11) TTL = 111, Win = 16384
213.23.55.246 (22:31:25 - 22:32:25) TTL = 113, Win = 8192
211.211.85.143 (22:35:57 - 22:26:34) TTL = 112, Win = 8192

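Added example, not part of the report or this thread: a small parser for summary lines in the layout of the host list above, with the hop estimate from TTL and the identical-(TTL, window) check behind the report's decoy/spoofing reasoning, plus the report's severity formula. It assumes the usual initial TTLs of 64, 128 and 255, and a line whose end time precedes its start (as the last line of the list does) is flagged rather than dropped.

```python
import re
from datetime import datetime

# Constructed sample: four lines copied from the Shadow IDS host list above,
# in its "IP (start - end) TTL = n, Win = n" layout (the last has end < start).
SAMPLE = """\
218.233.3.203 (15:39:31 - 15:40:26) TTL = 110, Win = 8192
66.24.202.248 (15:41:49 - 15:42:49) TTL = 46, Win = 4000
24.112.88.252 (20:17:15 -20:17:49) TTL = 111, Win = 8192
211.211.85.143 (22:35:57 - 22:26:34) TTL = 112, Win = 8192
"""

# Tolerates the uneven spacing seen in the original list ("-20:17:49", "Win =16384").
LINE = re.compile(r"^(\S+) \((\d\d:\d\d:\d\d) ?- ?(\d\d:\d\d:\d\d)\) TTL = ?(\d+), Win = ?(\d+)$")


def parse_summary(text):
    """One dict per host line; a sweep whose end precedes its start is kept but flagged."""
    hosts = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and any prose mixed into the list
        ip, start, end, ttl, win = m.groups()
        delta = datetime.strptime(end, "%H:%M:%S") - datetime.strptime(start, "%H:%M:%S")
        secs = int(delta.total_seconds())
        hosts.append({"ip": ip, "secs": secs, "bad_times": secs < 0,
                      "ttl": int(ttl), "win": int(win)})
    return hosts


def hops(ttl):
    """Rough hop count, assuming the sender started from a common initial TTL (64, 128 or 255)."""
    initial = next(i for i in (64, 128, 255) if ttl <= i)
    return initial - ttl


def same_origin_suspected(hosts):
    """Packets forged by one sender tend to share a single (TTL, window) pair; several
    distinct pairs support the report's view that these were separate real hosts."""
    return len({(h["ttl"], h["win"]) for h in hosts}) == 1


def severity(criticality, lethality, netcounters, hostcounters):
    """The report's success-rate formula: (criticality + lethality) - (netcounters + hostcounters)."""
    return (criticality + lethality) - (netcounters + hostcounters)


if __name__ == "__main__":
    hosts = parse_summary(SAMPLE)
    for h in hosts:
        print(h["ip"], f"{h['secs']}s", f"~{hops(h['ttl'])} hops", "CHECK TIMES" if h["bad_times"] else "")
    print("single forged origin suspected:", same_origin_suspected(hosts))
```

Note that with the report's own inputs of 3, 5, 5 and 5 the formula as written yields -2, not the -3 the report prints.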
-----Original Message-----
From: Baribault, Gary [mailto:gary@baribault.net]
Sent: Monday, August 12, 2002 3:13 PM
To: grdnwsl; Rob Keown
Cc: incidents@securityfocus.com
Subject: Re: Subseven Scans

Hum .. I just found a bunch of 27374 on one of my SDSL links with a few of
the 12345 scans. This link's firewall is always way more active. My second
is an ADSL and it's usually quieter; this one has no 12345 but a few 27374.

Gary B

At 11:08 AM 8/12/2002 -0500, Preston Kutzner wrote:
>Hello Rob,
>
>Sunday, August 11, 2002, 8:42:50 AM, you wrote:
>
>RK> Anyone else seeing a huge increase in subseven scans...6708 since about
>RK> 0300Z - across all of my class C's and from quite a few sources (running the
>RK> query now to see how many).
>
>RK> Rob
>
>
>RK>
>RK> ---------------------------------------------------------------------------
>RK> This list is provided by the SecurityFocus ARIS analyzer service.
>RK> For more information on this free incident handling, management
>RK> and tracking system please see: http://aris.securityfocus.com
>
>I've seen quite a bit of traffic on ports tcp/12345 and tcp/27374.
>According to what I've seen, 27374 is a port used by quite a few
>versions of SubSeven, as for 12345, it's not mentioned that subseven
>runs on that port (that I've seen), but I am seeing attempted
>connections to these ports at the same time (maybe some other vuln
>attempt I'm not aware of? anyone?). Hope that helps.
>
>--
>Preston Kutzner | IT Manager
>Marketing Resources, Inc.
>
>_________________________________________________________________
>The information transmitted is intended only for the person or entity to
>which it is addressed and may contain confidential and/or privileged
>material. Any review, retransmission, dissemination or other use of, or
>taking of any action in reliance upon, this information by persons or
>entities other than the intended recipient is prohibited. If you received
>this in error, please contact the sender and delete the material from any
>computer.
>
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


