Re: tcp port 24992?
From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 07/21/03
- Next message: Frank Z: "Am I more vulnerable using broadband?"
- Previous message: Walter Roberson: "Re: tcp port 24992?"
- In reply to: Walter Roberson: "Re: tcp port 24992?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 21 Jul 2003 01:46:57 GMT
In article <bffcir$2oq$1@canopus.cc.umanitoba.ca>,
Walter Roberson <roberson@ibd.nrc-cnrc.gc.ca> wrote:
:Interestingly, I see another different repeated probe. The repetitions
:appear to be from 103.209.237.68 (which is reserved and unroutable)
:and the destination port is TCP 2425.
Another one detected: reserved/non-routable IP 37.189.122.55
to TCP port 11300; this time the destination address is one that
has not been populated for a minimum of 1 1/2 years -- possibly not
ever in the over 5 years that we've had the block.
The pattern is this:
At random-seeming times, from 15 minutes to hours apart, hosts attempt
to contact TCP ports on our machines, with the TCP ports having no
known trojan or security or public function. Nearly all the probes
claim to be from hosts in reserved IANA ranges, but there are
occasional (non-constant) routable addresses that try as well. Any
particular non-routable address that appears is consistently paired
with the same destination host+port. Any particular destination port
that appears is always associated with the same destination host --
we see no packets looking for that particular port on any other machine.
For any particular destination host+port, the packets from the
reserved IP address ranges have a consistent source port number,
but for the same destination host+port, the packets from the routable
addresses use different port numbers, possibly consistent per source
host. The source port number that is used by the reserved IP address
tends to be the most common.
The events do not all involve the same class C, and definitely do not
involve all MS Windows.
Ah, I now see a couple of other such streams in the logs now that I know
what I'm looking for.
I'm not quite sure what to make of all of this. Perhaps there is a trojan
out on the 'net, and perhaps the addresses and ports it uses are
somehow calculated rather than being registered with some central site?
Something along the lines of "I don't know if there is a compromised
host in that /24, but if there is then it'd be at this address
[a function of the net number], and this particular port [a function
of the host address]" ?? That is, instead of going for large numbers
of compromised systems, try targeting a small number of pseudo-random
systems with differing ports, and go for stealth?
Interesting -- I just got a burst over a few minutes that included
all the destinations that it seems to be happening for (that I've noticed):
Jul 20 20:21:44 Deny tcp [141.224.6.68]:1818 -> host9:32224
Jul 20 20:22:55 Deny tcp [174.201.65.6]:60479 -> host3:24992
Jul 20 20:25:14 Deny tcp [103.209.237.68]:37605 -> host0:2425
Jul 20 20:25:15 Deny tcp [141.224.6.68]:1818 -> host9:32224
Jul 20 20:25:16 Deny tcp [85.118.99.94]:56562 -> host8:35755
Jul 20 20:26:44 Deny tcp [102.54.8.224]:57299 -> host5:58222
Jul 20 20:27:34 Deny tcp [199.22.87.21]:37380 -> host1:20989
Jul 20 20:28:16 Deny tcp [37.189.122.55]:20194 -> host2:11300
-- vi -- think of it as practice for the ROGUE Olympics!
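The grouping the post describes (each destination host+port paired with a stable set of sources, reserved-range sources keeping one fixed source port, and no destination port seen on more than one host) is easy to check mechanically against firewall logs. The following is an added example, not code from the thread: it parses Deny lines in the format quoted above and reports those three properties per destination. The list of prefixes treated as reserved is an assumed input (here the 103/8 and 37/8 blocks the post itself calls reserved in 2003), not a lookup against current IANA allocations, since what was unallocated then is routable today.

```python
"""Group firewall Deny lines by destination host+port, as a defender would do to
check the pattern described in the post: each (dest host, dest port) pair sees a
stable set of sources, each reserved-range source uses one fixed source port,
and each dest port appears on only one host."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample input: the eight Deny lines quoted in the post.
SAMPLE_LOG = """\
Jul 20 20:21:44 Deny tcp [141.224.6.68]:1818 -> host9:32224
Jul 20 20:22:55 Deny tcp [174.201.65.6]:60479 -> host3:24992
Jul 20 20:25:14 Deny tcp [103.209.237.68]:37605 -> host0:2425
Jul 20 20:25:15 Deny tcp [141.224.6.68]:1818 -> host9:32224
Jul 20 20:25:16 Deny tcp [85.118.99.94]:56562 -> host8:35755
Jul 20 20:26:44 Deny tcp [102.54.8.224]:57299 -> host5:58222
Jul 20 20:27:34 Deny tcp [199.22.87.21]:37380 -> host1:20989
Jul 20 20:28:16 Deny tcp [37.189.122.55]:20194 -> host2:11300
"""

# Hypothetical list of prefixes treated as reserved/unallocated. The post names
# 103.x and 37.x as reserved in 2003; today's allocations differ, so this is an
# input the analyst supplies for the period being examined.
ASSUMED_RESERVED = ["103.0.0.0/8", "37.0.0.0/8"]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) Deny (?P<proto>\w+) "
    r"\[(?P<src>\d{1,3}(?:\.\d{1,3}){3})\]:(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_deny_lines(text):
    """Return one dict per parseable Deny line; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def is_reserved(addr, prefixes):
    """True when addr falls inside any of the analyst-supplied reserved prefixes."""
    ip = ip_address(addr)
    return any(ip in ip_network(p) for p in prefixes)


def summarize(events, reserved_prefixes=ASSUMED_RESERVED):
    """Group by (dst host, dst port); per group record the sources seen and the
    source ports used by reserved-range versus routable sources."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(),
                                  "reserved_sports": set(), "routable_sports": set()})
    for e in events:
        g = groups[(e["dst"], e["dport"])]
        g["count"] += 1
        g["sources"].add(e["src"])
        bucket = "reserved_sports" if is_reserved(e["src"], reserved_prefixes) else "routable_sports"
        g[bucket].add(e["sport"])
    return dict(groups)


def ports_seen_on_multiple_hosts(events):
    """Destination ports that appear with more than one destination host
    (the post reports none; a non-empty result would break the pattern)."""
    hosts_by_port = defaultdict(set)
    for e in events:
        hosts_by_port[e["dport"]].add(e["dst"])
    return {p for p, hosts in hosts_by_port.items() if len(hosts) > 1}


def stable_reserved_source_port(group):
    """True when every reserved-range packet to this destination used one source port."""
    return len(group["reserved_sports"]) == 1


if __name__ == "__main__":
    evs = parse_deny_lines(SAMPLE_LOG)
    for (dst, dport), g in sorted(summarize(evs).items()):
        print(f"{dst}:{dport:<6} hits={g['count']} sources={sorted(g['sources'])} "
              f"reserved_sports={sorted(g['reserved_sports'])} "
              f"routable_sports={sorted(g['routable_sports'])}")
    print("dest ports seen on more than one host:",
          ports_seen_on_multiple_hosts(evs) or "none")
```

Run over a longer log window (the post notes the pattern only became visible once the author knew what to look for), the per-destination summary makes the three properties testable: a growing set of sources for one destination, more than one reserved-range source port per destination, or a destination port turning up on a second host would each contradict the pattern and are worth a closer look.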