Security Incidents mailing list archives

Re: Strange distributed scan/probe activity


From: Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>
Date: Wed, 26 Jul 2000 12:31:33 -0000

I recently noticed some strange activity in the syslog of one of my servers. Starting at about 3:50 AM local time, I saw a series of connections from various points outside my network. The source machine would make two connections to the FTP port, two to the POP port, and, most of the time, two to the SMTP port. A few minutes later, the pattern would repeat, this time from a different machine.

Judging by the slow connection rate, this is not a DDoS attempt. I'm assuming the choice of using many source machines was made to elude IDS systems.

Has anyone seen anything similar? I've seen info on DDoS, but nothing on a concentrated distributed scan like this.

Following is a snippet of the relevant entries from the syslog (hostnames and IP addresses sanitized). The original source addresses had various origins. A bunch appeared to originate in Texas, a few from Canada.

--Rich

Jul 11 03:51:45 myserver in.ftpd[15154]: connect from SOURCE1
Jul 11 03:51:45 myserver in.ftpd[15155]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15156]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15156]: @SOURCE1: -ERR POP EOF received
Jul 11 03:51:46 myserver in.qpopper[15157]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15157]: @SOURCE1: -ERR POP EOF received


Jul 11 03:55:41 myserver in.ftpd[15166]: connect from SOURCE2
Jul 11 03:55:41 myserver in.ftpd[15167]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15168]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15168]: @SOURCE2: -ERR POP EOF received
Jul 11 03:55:41 myserver in.qpopper[15169]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15169]: @SOURCE2: -ERR POP EOF received

Jul 11 03:58:20 myserver in.ftpd[15174]: connect from SOURCE3
Jul 11 03:58:20 myserver in.ftpd[15175]: connect from SOURCE3
Jul 11 03:58:20 myserver in.qpopper[15176]: connect from SOURCE3
Jul 11 03:58:20 myserver in.qpopper[15176]: @SOURCE3: -ERR POP EOF received
Jul 11 03:58:20 myserver in.qpopper[15177]: connect from SOURCE3
Jul 11 03:58:20 myserver in.qpopper[15177]: @SOURCE3: -ERR POP EOF received

Jul 11 04:01:07 myserver in.ftpd[15187]: connect from SOURCE4
Jul 11 04:01:07 myserver in.ftpd[15188]: connect from SOURCE4
Jul 11 04:01:07 myserver in.qpopper[15189]: connect from SOURCE4
Jul 11 04:01:07 myserver in.qpopper[15189]: @SOURCE4: -ERR POP EOF received
Jul 11 04:01:08 myserver in.qpopper[15190]: connect from SOURCE4
Jul 11 04:01:08 myserver in.qpopper[15190]: @SOURCE4: -ERR POP EOF received

Jul 11 04:01:35 myserver in.qpopper[15191]: connect from xxx.yyy.zzz.48
Jul 11 04:01:35 myserver in.qpopper[15191]: (v2.3) Unable to get canonical name of client, err = 2


Jul 11 04:03:52 myserver in.ftpd[15195]: connect from SOURCE5
Jul 11 04:03:52 myserver in.ftpd[15196]: connect from SOURCE5
Jul 11 04:03:52 myserver in.qpopper[15197]: connect from SOURCE5
Jul 11 04:03:52 myserver in.qpopper[15197]: @SOURCE5: -ERR POP EOF received
Jul 11 04:03:53 myserver in.qpopper[15198]: connect from SOURCE5
Jul 11 04:03:53 myserver in.qpopper[15198]: @SOURCE5: -ERR POP EOF received
Jul 11 04:03:54 myserver sendmail[15199]: NOQUEUE: Null connection from SOURCE5 [www.xxx.yyy.zzz]
Jul 11 04:03:54 myserver sendmail[15200]: NOQUEUE: Null connection from SOURCE5 [www.xxx.yyy.zzz]


--
__________________________________________________________

Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746

tel:   218.262.1130
email: rpuhek () etnsystems com

_________________________________________________________


Hi!
Well, Phrack released an article about "coding distributed port scanning tools". Source code was part of the article and I assume they are using that version. There haven't been any released applications like this; however, that Phrack article is the only application/article I've seen about such portscans. One article about the subject is at: http://phrack.infonexus.com/search.phtml?view&article=p55-9. The application is at: http://phrack.infonexus.com/search.phtml?view&article=p56-12. At least that's what I think ;). Enjoy!

/ Fredrik.
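A detector for the pattern Rich describes, added here as an example; it is not part of either post and has nothing to do with the Phrack tools Fredrik mentions. It parses tcpd-style "connect from" lines and sendmail "Null connection" lines, builds a per-source profile (which services were touched, how tightly in time), and alerts only when several distinct sources show the same multi-service burst inside one window. Each source on its own makes a handful of connections, so a per-source threshold never fires; correlating on the shared service fingerprint across sources is what surfaces the distributed probe. The log lines are constructed to mimic the post (placeholder SOURCEn names, a documentation-range IP for the unresolvable client), and the thresholds (two or more services, a burst of at most 10 seconds, three or more sources within 30 minutes) are assumptions to tune for your own traffic.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample modelled on the post (not the original log): four probing
# sources hitting ftp/pop (one also smtp) a few minutes apart, plus two ordinary
# single-connection clients that must not be flagged.
SAMPLE_LOG = """\
Jul 11 03:51:45 myserver in.ftpd[15154]: connect from SOURCE1
Jul 11 03:51:45 myserver in.ftpd[15155]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15156]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15156]: @SOURCE1: -ERR POP EOF received
Jul 11 03:51:46 myserver in.qpopper[15157]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15157]: @SOURCE1: -ERR POP EOF received
Jul 11 03:52:30 myserver in.qpopper[15160]: connect from mailclient.example
Jul 11 03:55:41 myserver in.ftpd[15166]: connect from SOURCE2
Jul 11 03:55:41 myserver in.ftpd[15167]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15168]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15169]: connect from SOURCE2
Jul 11 03:58:20 myserver in.ftpd[15174]: connect from SOURCE3
Jul 11 03:58:20 myserver in.ftpd[15175]: connect from SOURCE3
Jul 11 03:58:20 myserver in.qpopper[15176]: connect from SOURCE3
Jul 11 03:58:20 myserver in.qpopper[15177]: connect from SOURCE3
Jul 11 04:01:35 myserver in.qpopper[15191]: connect from 192.0.2.48
Jul 11 04:01:35 myserver in.qpopper[15191]: (v2.3) Unable to get canonical name of client, err = 2
Jul 11 04:03:52 myserver in.ftpd[15195]: connect from SOURCE4
Jul 11 04:03:52 myserver in.ftpd[15196]: connect from SOURCE4
Jul 11 04:03:52 myserver in.qpopper[15197]: connect from SOURCE4
Jul 11 04:03:53 myserver in.qpopper[15198]: connect from SOURCE4
Jul 11 04:03:54 myserver sendmail[15199]: NOQUEUE: Null connection from SOURCE4 [192.0.2.99]
Jul 11 04:03:54 myserver sendmail[15200]: NOQUEUE: Null connection from SOURCE4 [192.0.2.99]
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
# tcpd / libwrap style: "<daemon>[pid]: connect from <host>"
CONNECT_RE = re.compile(TS + r" \S+ (?P<daemon>[\w.]+)\[\d+\]: connect from (?P<src>\S+)$")
# sendmail's line for a client that connected and sent nothing
SENDMAIL_RE = re.compile(TS + r" \S+ sendmail\[\d+\]: NOQUEUE: Null connection from (?P<src>\S+)")
# map daemon names to a service label; unknown daemons keep their own name
SERVICE = {"in.ftpd": "ftp", "in.qpopper": "pop", "sendmail": "smtp"}


def parse_line(line):
    """Return (timestamp, service, source) for a connection record, else None."""
    line = line.rstrip()
    m = CONNECT_RE.match(line)
    daemon = m.group("daemon") if m else None
    if m is None:
        m = SENDMAIL_RE.match(line)
        daemon = "sendmail" if m else None
    if m is None:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for deltas within one run but will not survive a December/January rollover.
    ts = datetime.strptime(re.sub(r" +", " ", m.group("ts")), "%b %d %H:%M:%S")
    return ts, SERVICE.get(daemon, daemon), m.group("src")


def source_profiles(lines):
    """Per-source Counter of services touched plus first/last connection time."""
    profiles = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, service, src = parsed
        p = profiles.setdefault(src, {"services": Counter(), "first": ts, "last": ts})
        p["services"][service] += 1
        p["first"] = min(p["first"], ts)
        p["last"] = max(p["last"], ts)
    return profiles


def find_distributed_probes(lines, min_sources=3, window_minutes=30, burst_seconds=10):
    """Return {frozenset(services): [sources]} for service fingerprints that
    several sources share within one window. Thresholds are assumptions."""
    profiles = source_profiles(lines)
    # A probe-like source touches 2+ services in one short burst; a real client
    # normally talks to a single service, so it never enters this set.
    probes = {src: p for src, p in profiles.items()
              if len(p["services"]) >= 2
              and p["last"] - p["first"] <= timedelta(seconds=burst_seconds)}
    alerts = {}
    for key in {frozenset(p["services"]) for p in probes.values()}:
        # a source that probed a superset (ftp+pop+smtp) still counts toward ftp+pop
        members = sorted((p["first"], src) for src, p in probes.items()
                         if key <= set(p["services"]))
        # largest number of member bursts whose start times fit in one window
        best, lo = 0, 0
        for hi in range(len(members)):
            while members[hi][0] - members[lo][0] > timedelta(minutes=window_minutes):
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_sources:
            alerts[key] = [src for _, src in members]
    return alerts


if __name__ == "__main__":
    for services, sources in find_distributed_probes(SAMPLE_LOG.splitlines()).items():
        print("distributed probe of %s from %d sources: %s"
              % ("+".join(sorted(services)), len(sources), ", ".join(sources)))
```

On the sample the ftp+pop fingerprint is reported from all four probing sources even though one of them also touched smtp, while the two single-connection clients never qualify as probe-like. Note that the detector keys on the hostnames tcpd logged; if reverse DNS is unreliable, key on the raw address instead, or the same host can show up under two names and split a burst.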
