Security Incidents mailing list archives
Correlated Scans to Ports 27374 and 1243 (SubSeven)
From: "Stephen P. Berry" <spb () MESHUGGENEH NET>
Date: Thu, 18 Jan 2001 11:12:18 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For the past week or so, I've been observing what appears to be a new scan pattern. Short summary:

-A scan through an address range against port 27374
-A scan through the same address range against port 1243
-The second scan starts within a couple seconds of the end of the first scan
-Scans originate from different networks

Here's some sample traffic. In this example, both scans apparently originate from ISPs. Of course the interesting thing isn't that there were two scans from addresses owned by ISPs---that's hardly a record. The interesting thing is that the two scans originate from different networks and appear to be coordinated.

First, the head of the 27374 scan (first three octets of the destination addresses have been set to decimal 1.1.1):

19:14:03.791266 65.0.206.156.1091 > 1.1.1.2.27374: S 76973631:76973631(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
    4500 0030 388c 4000 7306 60d9 4100 ce9c  E..08.@.s.`.A...
    0101 0102 0443 6aee 0496 863f 0000 0000  .....Cj....?....
    7002 2000 fab5 0000 0204 05b4 0101 0402  p. .............
19:14:03.799016 65.0.206.156.1092 > 1.1.1.3.27374: S 76973634:76973634(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
    4500 0030 398c 4000 7306 5fd8 4100 ce9c  E..09.@.s._.A...
    0101 0103 0444 6aee 0496 8642 0000 0000  .....Dj....B....
    7002 2000 fab0 0000 0204 05b4 0101 0402  p. .............
19:14:03.803886 65.0.206.156.1093 > 1.1.1.4.27374: S 76973638:76973638(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
    4500 0030 3a8c 4000 7306 5ed7 4100 ce9c  E..0:.@.s.^.A...
    0101 0104 0445 6aee 0496 8646 0000 0000  .....Ej....F....
    7002 2000 faaa 0000 0204 05b4 0101 0402  p. .............

...and so on through the rest of the 24 bit network, ending with:

19:14:07.965209 65.0.206.156.1344 > 1.1.1.254.27374: S 76977802:76977802(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
    4500 0030 368d 4000 7306 61dc 4100 ce9c  E..06.@.s.a.A...
    0101 01fe 0540 6aee 0496 968a 0000 0000  .....@j.........
    7002 2000 e871 0000 0204 05b4 0101 0402  p. ..q..........

A couple seconds later comes the 1243 scan:

19:14:12.127617 63.193.122.218.1489 > 1.1.1.2.1243: S 197216684:197216684(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
    4500 0030 ee80 4000 7a06 f8e5 3fc1 7ada  E..0..@.z...?.z.
    0101 0102 05d1 04db 0bc1 49ac 0000 0000  ..........I.....
    7002 2000 e9a4 0000 0204 05b4 0101 0402  p. .............
19:14:12.134223 63.193.122.218.1490 > 1.1.1.3.1243: S 197216685:197216685(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
    4500 0030 ef80 4000 7a06 f7e4 3fc1 7ada  E..0..@.z...?.z.
    0101 0103 05d2 04db 0bc1 49ad 0000 0000  ..........I.....
    7002 2000 e9a1 0000 0204 05b4 0101 0402  p. .............
19:14:12.140830 63.193.122.218.1491 > 1.1.1.4.1243: S 197216686:197216686(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
    4500 0030 f080 4000 7a06 f6e3 3fc1 7ada  E..0..@.z...?.z.
    0101 0104 05d3 04db 0bc1 49ae 0000 0000  ..........I.....
    7002 2000 e99e 0000 0204 05b4 0101 0402  p. .............

...and so on.

All in all, nothing too exciting in and of itself. The scans by themselves are about as routine as it gets, but the apparent coordination is interesting. I've been seeing this about once every 18 hours or so (with different source addresses every time) over the past week. I'm curious if anyone else is seeing the same sort of thing, and if so if anyone knows what tool is being used.

- -Steve

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6Zz8rG3kIaxeRZl8RAinmAKC8LUaKxlsp6KLz5bUu8ZxwFHK4dgCeOtfR
C9hR6daExdj9QIOTmr12aNE=
=M+3U
-----END PGP SIGNATURE-----
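The pairing the post describes (a sweep to 27374, then a sweep over the same range to 1243 from a different network, starting seconds after the first one ends) can be checked mechanically against tcpdump output. The following is an added example, written for this archive page and not code from the original message or from any tool the thread discusses. It parses the one-line SYN summaries, groups them into sweeps per (source, destination port), and reports pairs that fit the pattern. The "different network" test (first three octets differ), the 10-second gap window, the 80% target-overlap threshold and the 3-host minimum for calling something a sweep are all assumptions of this example. The sample input reuses the summary lines quoted in the post; the 1.1.1.254 packet closing the 1243 sweep and the 192.0.2.10 sweep are constructed so that the negative case is exercised.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Matches the one-line tcpdump summary of a SYN, e.g.
#   19:14:03.791266 65.0.206.156.1091 > 1.1.1.2.27374: S 76973631:76973631(0) win 8192 ...
# The hex/ASCII dump lines that follow a summary do not match and are ignored.
SYN_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S "
)


@dataclass
class Scan:
    """All SYNs seen from one source address to one destination port."""
    src: str
    dport: int
    first: datetime
    last: datetime
    targets: set = field(default_factory=set)


def parse_syns(lines):
    """Yield (time, src, dst, dport) for each SYN summary line.
    tcpdump's default timestamps carry no date, so this assumes a single
    capture that does not cross midnight (an assumption of this example)."""
    for line in lines:
        m = SYN_LINE.match(line.strip())
        if m:
            t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            yield t, m["src"], m["dst"], int(m["dport"])


def group_scans(syns, min_targets=3):
    """Collapse SYNs into Scan records keyed by (source, dport) and drop anything
    that touched fewer than min_targets hosts, which is not a sweep."""
    scans = {}
    for t, src, dst, dport in syns:
        s = scans.get((src, dport))
        if s is None:
            s = scans[(src, dport)] = Scan(src, dport, t, t)
        s.first = min(s.first, t)
        s.last = max(s.last, t)
        s.targets.add(dst)
    return [s for s in scans.values() if len(s.targets) >= min_targets]


def same_net24(a, b):
    """Crude 'same network' test: identical first three octets (assumption)."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def correlate(scans, ports=(27374, 1243), window=timedelta(seconds=10), min_overlap=0.8):
    """Pair a sweep to ports[0] with a sweep to ports[1] that comes from a different
    /24, covers (mostly) the same targets, and starts within `window` of the first
    sweep's last packet. Window and overlap thresholds are assumptions."""
    hits = []
    for a in (s for s in scans if s.dport == ports[0]):
        for b in (s for s in scans if s.dport == ports[1]):
            if same_net24(a.src, b.src):
                continue                      # the post's pattern needs two networks
            gap = b.first - a.last
            if gap < timedelta(0) or gap > window:
                continue                      # second sweep must follow, and soon
            shared = a.targets & b.targets
            if len(shared) / len(a.targets) >= min_overlap:
                hits.append({"first_src": a.src, "second_src": b.src,
                             "gap_seconds": gap.total_seconds(),
                             "shared_targets": len(shared)})
    return hits


def find_correlated(lines):
    return correlate(group_scans(parse_syns(lines)))


# Constructed sample. Lines 1-4 and 6-8 are the summaries quoted in the post (destination
# prefix rewritten to 1.1.1 as there); line 5 is a hex-dump line to show it is skipped;
# the 1.1.1.254 SYN to port 1243 and the whole 192.0.2.10 sweep are made up for this example.
SAMPLE = [
    "19:14:03.791266 65.0.206.156.1091 > 1.1.1.2.27374: S 76973631:76973631(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)",
    "19:14:03.799016 65.0.206.156.1092 > 1.1.1.3.27374: S 76973634:76973634(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)",
    "19:14:03.803886 65.0.206.156.1093 > 1.1.1.4.27374: S 76973638:76973638(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)",
    "19:14:07.965209 65.0.206.156.1344 > 1.1.1.254.27374: S 76977802:76977802(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)",
    "    4500 0030 398c 4000 7306 5fd8 4100 ce9c  E..09.@.s._.A...",
    "19:14:12.127617 63.193.122.218.1489 > 1.1.1.2.1243: S 197216684:197216684(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)",
    "19:14:12.134223 63.193.122.218.1490 > 1.1.1.3.1243: S 197216685:197216685(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)",
    "19:14:12.140830 63.193.122.218.1491 > 1.1.1.4.1243: S 197216686:197216686(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)",
    "19:14:16.301104 63.193.122.218.1742 > 1.1.1.254.1243: S 197216936:197216936(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)",
    # unrelated lone 1243 sweep hours later: must not be paired with the 27374 sweep
    "22:05:00.000000 192.0.2.10.2001 > 1.1.1.2.1243: S 1:1(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)",
    "22:05:00.100000 192.0.2.10.2002 > 1.1.1.3.1243: S 2:2(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)",
    "22:05:00.200000 192.0.2.10.2003 > 1.1.1.4.1243: S 3:3(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)",
    "22:05:00.300000 192.0.2.10.2004 > 1.1.1.254.1243: S 4:4(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)",
]

if __name__ == "__main__":
    for hit in find_correlated(SAMPLE):
        print(hit)
```

Fed the output of `tcpdump -n` (or the summary lines from a saved capture), `find_correlated` returns one record per correlated pair with the gap between the first sweep's last packet and the second sweep's first packet. Because the post says the source addresses change every time, the logic keys on the port pair, the timing and the shared target set rather than on the addresses; the thresholds are starting points to tune against local traffic, and the midnight caveat in `parse_syns` matters for captures longer than a day.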
Current thread:
- Correlated Scans to Ports 27374 and 1243 (SubSeven) Stephen P. Berry (Jan 18)
- Re: Correlated Scans to Ports 27374 and 1243 (SubSeven) Daniel Martin (Jan 18)
- Re: Correlated Scans to Ports 27374 and 1243 (SubSeven) Ryan Sweat (Jan 19)
- Re: Correlated Scans to Ports 27374 and 1243 (SubSeven) Daniel Martin (Jan 18)