Re: What is the Pattern here ?

From: !:?) (_at_*.com)
Date: 07/30/04


Date: Fri, 30 Jul 2004 09:54:36 GMT

Hi,

Wolfgang Kueter wrote:
>
> Why do install a piece of software though you don't understand its output?
>
> Wolfgang

It's a pretty straightforward question and yes I do understand the output,
but either you don't understand the question or you don't understand the
output.

The Log speaks for itself and is why I didn't go into detail.

Your reply appears to be Trollish in looking to insult the poster from
the get go.

If this wasn't your intent I'm sorry but if it was then Kill File will
soon have you talking to yourself.

The question was "What is the pattern the log shows?"

You can see the probes on 4 or 5 ports, 3x on each one, one after the
other, by the same IP; that is the pattern in the log.

There are others that show a small group of 2 to 4 IPs doing it
together, but I'm not sure that one of those types of probes is in this
log I posted.

And they are ALL Dial-Up Accounts !

At first I thought they were zombies probing server ports for other
zombied DNS or web servers with low TTLs, but now they're hitting ports
up to 60,000 at times.

However, most are the same probed ports day after day:
2745
5000
6169
3127
80
139

Sometimes I see port 445 or an ICMP block at the beginning or end with
the same IP but this is rare and has nothing to do with the pattern.

There is one IP that comes back to my area that probes me every day that
must do whole IP Blocks because I'm a Dial-up too with the same ISP.

179.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net

If I do a DNS lookup, traceroute, NetBIOS query etc. in return, they drop the
connection but come back with a new IP to probe again.
Most times, after I do the traces (which they can detect), they go away for hours.

These must be zombied machines because this is every day, all day, but the
way they act when I probe back makes me wonder if they are zombies.
And there is the fact that I see the same ATT dial-up IPs from Cambridge, Pittsburgh
and NJ.

Almost all are ATT, but some are not.
And when they do it as a group there are like 2 to 4 ATT and 1 to 3 non-ATT.

I've also seen other probers (I don't think they are the same ones) that
think I'm running a Linux box, judging by the ports they sometimes probe looking
for a specific vulnerability.

But they give up and go away where these others don't.

Kevin
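The pattern Kevin describes (one source hitting a handful of ports in turn, about three times each, which is what a single connect attempt per port plus its SYN retransmissions looks like in a packet-filter log) can be pulled out of a log mechanically. The script below is an added example, not code from the thread; the log format, the timestamps and the documentation-range IPs are all constructed, so the regex and year would need adjusting for a real firewall's output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, not from the post: "<month day time> DROP <src> <dst_port>".
# Each port is hit at +0s, +3s, +9s, the shape a retransmitted SYN leaves behind.
SAMPLE_LOG = """\
Jul 30 09:54:01 DROP 192.0.2.10 2745
Jul 30 09:54:04 DROP 192.0.2.10 2745
Jul 30 09:54:10 DROP 192.0.2.10 2745
Jul 30 09:54:11 DROP 192.0.2.10 5000
Jul 30 09:54:14 DROP 192.0.2.10 5000
Jul 30 09:54:20 DROP 192.0.2.10 5000
Jul 30 09:54:21 DROP 192.0.2.10 3127
Jul 30 09:54:24 DROP 192.0.2.10 3127
Jul 30 09:54:30 DROP 192.0.2.10 3127
Jul 30 09:54:31 DROP 192.0.2.10 139
Jul 30 09:54:34 DROP 192.0.2.10 139
Jul 30 09:54:40 DROP 192.0.2.10 139
Jul 30 10:02:17 DROP 198.51.100.7 80
Jul 30 11:15:00 DROP 198.51.100.7 445
"""

LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) DROP (\S+) (\d+)$")

def parse(log, year="2004"):
    """Return a list of (timestamp, src_ip, dst_port) from matching lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return events

def sweeps(events, min_ports=4, window_s=120, hits_per_port=(2, 4)):
    """Map src_ip -> ports in first-seen order for sources that hit at least
    min_ports distinct ports inside window_s seconds, each port 2..4 times."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    found = {}
    for src, hits in by_src.items():
        ports, counts = [], defaultdict(int)
        for _, port in hits:
            counts[port] += 1
            if port not in ports:
                ports.append(port)
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        lo, hi = hits_per_port
        if len(ports) >= min_ports and span <= window_s and all(lo <= counts[p] <= hi for p in ports):
            found[src] = ports
    return found
```

Sources that only touch one or two ports, like the second address in the sample, are left out, so the output is the short list of hosts worth looking up or reporting to the ISP's abuse contact.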
