Security Incidents mailing list archives

Correlated Scans to Ports 27374 and 1243 (SubSeven)


From: "Stephen P. Berry" <spb () MESHUGGENEH NET>
Date: Thu, 18 Jan 2001 11:12:18 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


For the past week or so, I've been observing what appears to be a
new scan pattern.  Short summary:

        -A scan through an address range against port 27374
        -A scan through the same address range against port 1243
        -The second scan starts within a couple seconds of the end of
         the first scan
        -Scans originate from different networks

Here's some sample traffic.  In this example, both scans apparently
originate from ISPs.  Of course the interesting thing isn't that
there were two scans from addresses owned by ISPs---that's hardly
a record.  The interesting thing is that the two scans originate from
different networks and appear to be coordinated.

First, the head of the 27374 scan (first three octets of the destination
addresses have been set to decimal 1.1.1):

19:14:03.791266 65.0.206.156.1091 > 1.1.1.2.27374: S 76973631:76973631(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
        4500 0030 388c 4000 7306 60d9 4100 ce9c      E..08.@.s.`.A...
        0101 0102 0443 6aee 0496 863f 0000 0000      .....Cj....?....
        7002 2000 fab5 0000 0204 05b4 0101 0402      p. .............
19:14:03.799016 65.0.206.156.1092 > 1.1.1.3.27374: S 76973634:76973634(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
        4500 0030 398c 4000 7306 5fd8 4100 ce9c      E..09.@.s._.A...
        0101 0103 0444 6aee 0496 8642 0000 0000      .....Dj....B....
        7002 2000 fab0 0000 0204 05b4 0101 0402      p. .............
19:14:03.803886 65.0.206.156.1093 > 1.1.1.4.27374: S 76973638:76973638(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
        4500 0030 3a8c 4000 7306 5ed7 4100 ce9c      E..0:.@.s.^.A...
        0101 0104 0445 6aee 0496 8646 0000 0000      .....Ej....F....
        7002 2000 faaa 0000 0204 05b4 0101 0402      p. .............

...and so on through the rest of the 24 bit network, ending with:

19:14:07.965209 65.0.206.156.1344 > 1.1.1.254.27374: S 76977802:76977802(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
        4500 0030 368d 4000 7306 61dc 4100 ce9c      E..06.@.s.a.A...
        0101 01fe 0540 6aee 0496 968a 0000 0000      .....@j.........
        7002 2000 e871 0000 0204 05b4 0101 0402      p. ..q..........

A couple seconds later comes the 1243 scan:

19:14:12.127617 63.193.122.218.1489 > 1.1.1.2.1243: S 197216684:197216684(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
        4500 0030 ee80 4000 7a06 f8e5 3fc1 7ada      E..0..@.z...?.z.
        0101 0102 05d1 04db 0bc1 49ac 0000 0000      ..........I.....
        7002 2000 e9a4 0000 0204 05b4 0101 0402      p. .............
19:14:12.134223 63.193.122.218.1490 > 1.1.1.3.1243: S 197216685:197216685(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
        4500 0030 ef80 4000 7a06 f7e4 3fc1 7ada      E..0..@.z...?.z.
        0101 0103 05d2 04db 0bc1 49ad 0000 0000      ..........I.....
        7002 2000 e9a1 0000 0204 05b4 0101 0402      p. .............
19:14:12.140830 63.193.122.218.1491 > 1.1.1.4.1243: S 197216686:197216686(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
        4500 0030 f080 4000 7a06 f6e3 3fc1 7ada      E..0..@.z...?.z.
        0101 0104 05d3 04db 0bc1 49ae 0000 0000      ..........I.....
        7002 2000 e99e 0000 0204 05b4 0101 0402      p. .............

...and so on.

All in all, nothing too exciting in and of itself.  The scans by themselves
are about as routine as it gets, but the apparent coordination is
interesting.  I've been seeing this about once every 18 hours or so
(with different source addresses every time) over the past week.

I'm curious if anyone else is seeing the same sort of thing, and if
so if anyone knows what tool is being used.

- -Steve

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6Zz8rG3kIaxeRZl8RAinmAKC8LUaKxlsp6KLz5bUu8ZxwFHK4dgCeOtfR
C9hR6daExdj9QIOTmr12aNE=
=M+3U
-----END PGP SIGNATURE-----
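
The correlation described in the post (one SYN sweep of a /24 against 27374, then a sweep of the same /24 against 1243 from a different source, the second starting within seconds of the first ending) can be checked mechanically against tcpdump output. The Python below is an added example, not part of the original message or of any scanning tool it asks about. The sample lines are constructed: the first five are taken from the traffic above, the 19:14:16 packet is an invented tail for the 1243 sweep, and the port 139 sweep from 10.9.8.7 is an invented decoy that should not be paired. The thresholds (at least 3 distinct hosts per sweep, at most a 10-second gap between sweeps) are assumptions, not values from the post.

```python
"""Detect back-to-back SYN sweeps of one /24 against two different ports
from two different sources in tcpdump summary output (added example)."""
import re
from dataclasses import dataclass, field

# tcpdump TCP summary line, e.g.
#   19:14:03.791266 65.0.206.156.1091 > 1.1.1.2.27374: S 76973631:76973631(0) ...
# Only SYN-flagged lines are matched; indented hex-dump lines do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+S\b"
)

# Constructed sample: lines 1-5 mirror the post, the rest are made up
# (a tail for the 1243 sweep and a decoy sweep on port 139).
SAMPLE = """\
19:14:03.791266 65.0.206.156.1091 > 1.1.1.2.27374: S 76973631:76973631(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
        4500 0030 388c 4000 7306 60d9 4100 ce9c      E..08.@.s.`.A...
19:14:03.799016 65.0.206.156.1092 > 1.1.1.3.27374: S 76973634:76973634(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
19:14:07.965209 65.0.206.156.1344 > 1.1.1.254.27374: S 76977802:76977802(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
19:14:12.127617 63.193.122.218.1489 > 1.1.1.2.1243: S 197216684:197216684(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
19:14:12.134223 63.193.122.218.1490 > 1.1.1.3.1243: S 197216685:197216685(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
19:14:16.301004 63.193.122.218.1741 > 1.1.1.254.1243: S 197216936:197216936(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
20:02:41.118812 10.9.8.7.3001 > 1.1.1.2.139: S 1:1(0) win 8192 (DF)
20:02:41.120010 10.9.8.7.3002 > 1.1.1.3.139: S 2:2(0) win 8192 (DF)
20:02:41.121300 10.9.8.7.3003 > 1.1.1.4.139: S 3:3(0) win 8192 (DF)
"""


def parse_ts(ts: str) -> float:
    """HH:MM:SS.ffffff -> seconds since midnight (same-day captures assumed)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class Sweep:
    src: str
    net: str            # first three octets of the destination /24
    dport: int
    start: float
    end: float
    hosts: set = field(default_factory=set)


def find_sweeps(lines, min_hosts: int = 3):
    """Group SYNs by (source, destination /24, destination port) and keep
    the groups that touched at least min_hosts distinct hosts."""
    groups = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # hex dump, non-TCP, or non-SYN line
        t = parse_ts(m["ts"])
        net = m["dst"].rsplit(".", 1)[0]
        key = (m["src"], net, int(m["dport"]))
        sw = groups.get(key)
        if sw is None:
            groups[key] = Sweep(m["src"], net, int(m["dport"]), t, t, {m["dst"]})
        else:
            sw.start = min(sw.start, t)
            sw.end = max(sw.end, t)
            sw.hosts.add(m["dst"])
    return [s for s in groups.values() if len(s.hosts) >= min_hosts]


def correlate(sweeps, max_gap: float = 10.0):
    """Pair sweeps of the same /24 on different ports from different sources
    where the later one starts within max_gap seconds of the earlier ending."""
    pairs = []
    ordered = sorted(sweeps, key=lambda s: s.start)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if (a.net == b.net and a.dport != b.dport and a.src != b.src
                    and 0 <= b.start - a.end <= max_gap):
                pairs.append((a, b))
    return pairs


def report(pairs):
    """One human-readable line per correlated pair."""
    return [
        f"{a.net}.0/24: {a.src} swept port {a.dport} ({len(a.hosts)} hosts), "
        f"then {b.src} swept port {b.dport} ({len(b.hosts)} hosts) "
        f"{b.start - a.end:.3f}s later"
        for a, b in pairs
    ]


if __name__ == "__main__":
    for line in report(correlate(find_sweeps(SAMPLE.splitlines()))):
        print(line)
```

Run against a real capture with `tcpdump -n 'tcp[13] & 2 != 0'` piped in; the hex-dump lines from `-x` output are ignored by the regex, so the post's own format works unchanged. Two things to keep in mind: the time parsing assumes a single day, so a sweep straddling midnight needs a date-stamped capture (`tcpdump -tttt`), and the decoy shows why the different-source test matters, since a single scanner hitting two ports is a different, far more common pattern.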
