RE: Increase in scans on TCP port 1 (tcpmux)?
From: Joe Luna (joe.luna_at_kinkos.com)
Date: 08/25/03
- Previous message: Brian Benitez: "Re: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794"
- Maybe in reply to: Kevin Patz: "Increase in scans on TCP port 1 (tcpmux)?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 25 Aug 2003 10:38:10 -0700
To: Kevin Patz <jambo_cat@yahoo.com>, incidents@securityfocus.com
I have noticed this also; my logs show an increase in this type of
traffic starting on 08/20 @ 23:06:05 PDT.
Here is a list of sources:
24.107.xxx.xxx
24.114.xxx.xxx
24.118.xxx.xxx
24.118.xxx.xxx
24.120.xxx.xxx
24.125.xxx.xxx
24.126.xxx.xxx
24.126.xxx.xxx
24.126.xxx.xxx
24.128.xxx.xxx
24.128.xxx.xxx
24.128.xxx.xxx
24.129.xxx.xxx
24.129.xxx.xxx
24.129.xxx.xxx
24.129.xxx.xxx
24.91.xxx.xxx
24.98.xxx.xxx
-Joe
-----Original Message-----
From: Kevin Patz [mailto:jambo_cat@yahoo.com]
Sent: Thursday, August 21, 2003 8:36 AM
To: incidents@securityfocus.com
Subject: Increase in scans on TCP port 1 (tcpmux)?
Over the past couple days I've noticed an increase in
scans targeting TCP port 1. While looking at my logs,
I noticed an odd pattern to the Source IPs of these
scans. If you look at the listing below, it looks
like the scans started coming from 24.62, then 24.61,
24.60, 20.59, and 24.58 IP addresses. 24.60 thru
24.62 belong to attbi (now Comcast), 24.58 thru 24.59
belong to Time Warner Cable (RoadRunner), Syracuse NY.
Has anyone else seen these? Any ideas what they could
be? I'm guessing from the pattern that either it's a
backdoor trojan that's being exploited to trigger
scans, and the controlling hacker is hitting IP ranges
sequentially in decreasing order, or the source IPs
are spoofed.
Date, Time(EST), Source:Port, Dest:Port, TTL
8/20/2003,22:29:26,24.62.162.192:1667,24.62.xxx.xxx:1,126
8/20/2003,23:32:19,24.62.162.192:1956,24.62.xxx.xxx:1,126
8/20/2003,23:46:14,24.62.135.7:4489,24.62.xxx.xxx:1,117
8/20/2003,23:46:17,24.62.135.7:4489,24.62.xxx.xxx:1,118
8/20/2003,23:50:28,24.62.135.22:4546,24.62.xxx.xxx:1,117
8/20/2003,23:50:31,24.62.135.22:4546,24.62.xxx.xxx:1,118
8/21/2003,00:43:26,24.62.50.205:4747,24.62.xxx.xxx:1,117
8/21/2003,00:43:29,24.62.50.205:4747,24.62.xxx.xxx:1,117
8/21/2003,01:34:34,24.61.141.26:1911,24.62.xxx.xxx:1,123
8/21/2003,01:34:37,24.61.141.26:1911,24.62.xxx.xxx:1,123
8/21/2003,01:58:55,24.61.171.35:2841,24.62.xxx.xxx:1,121
8/21/2003,01:58:58,24.61.171.35:2841,24.62.xxx.xxx:1,121
8/21/2003,02:08:07,24.61.170.195:2610,24.62.xxx.xxx:1,121
8/21/2003,02:08:10,24.61.170.195:2610,24.62.xxx.xxx:1,121
8/21/2003,02:53:29,24.61.20.136:4690,24.62.xxx.xxx:1,121
8/21/2003,02:53:32,24.61.20.136:4690,24.62.xxx.xxx:1,121
8/21/2003,03:35:02,24.60.214.72:1854,24.62.xxx.xxx:1,119
8/21/2003,03:35:05,24.60.214.72:1854,24.62.xxx.xxx:1,119
8/21/2003,04:49:49,24.60.88.189:3873,24.62.xxx.xxx:1,115
8/21/2003,04:49:52,24.60.88.189:3873,24.62.xxx.xxx:1,115
8/21/2003,05:41:36,24.60.109.210:2508,24.62.xxx.xxx:1,116
8/21/2003,06:18:38,24.60.36.124:3409,24.62.xxx.xxx:1,116
8/21/2003,06:18:41,24.60.36.124:3409,24.62.xxx.xxx:1,116
8/21/2003,07:09:44,24.59.127.69:2172,24.62.xxx.xxx:1,107
8/21/2003,07:22:54,24.59.104.254:3814,24.62.xxx.xxx:1,109
8/21/2003,07:22:57,24.59.104.254:3814,24.62.xxx.xxx:1,109
8/21/2003,07:24:15,24.59.99.37:1350,24.62.xxx.xxx:1,108
8/21/2003,07:24:18,24.59.99.37:1350,24.62.xxx.xxx:1,108
8/21/2003,07:35:39,24.59.141.186:3722,24.62.xxx.xxx:1,108
8/21/2003,07:35:42,24.59.141.186:3722,24.62.xxx.xxx:1,108
8/21/2003,08:42:59,24.58.227.72:4253,24.62.xxx.xxx:1,108
8/21/2003,08:43:02,24.58.227.72:4253,24.62.xxx.xxx:1,108
8/21/2003,09:06:22,24.58.235.75:2041,24.62.xxx.xxx:1,109
8/21/2003,09:06:25,24.58.235.75:2041,24.62.xxx.xxx:1,109
8/21/2003,10:01:09,24.58.119.204:2355,24.62.xxx.xxx:1,109
8/21/2003,10:01:12,24.58.119.204:2355,24.62.xxx.xxx:1,109
8/21/2003,10:56:16,24.59.58.234:2318,24.62.xxx.xxx:1,108
8/21/2003,10:56:19,24.59.58.234:2318,24.62.xxx.xxx:1,108