Security Incidents mailing list archives
RE: Strange connection attempts
From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Tue, 8 Jan 2002 08:35:48 -0500
Andrea,

After a cursory overview, my first guess would be that someone is using a tool like nmap to poke around for a hole on port 36 using multiple "decoy" IP addresses (the "-D" option). The packets are too infrequent to argue for a DDoS. However, we'll notice that the source port is always port 137, which would also make me suspect a coordinated probe from bots. I would think nmap from a single machine would generate packets with at least somewhat varying source ports.

From http://www.iana.org/assignments/port-numbers:

#          36/tcp    Unassigned
#          36/udp    Unassigned
time       37/tcp    Time
time       37/udp    Time
#          40/tcp    Unassigned
#          40/udp    Unassigned

... no standard uses for 36 (most frequently scanned) and 40. I wonder if this d00d is looking for more bots configured to listen on one of those 3 ports. An (admittedly brief) google search doesn't show much for these ports. Anyone have more info on these (that may know more about bots than I)?

You may want to do a ping sweep and nslookup on the source IP's to see if they're legit. Some things to think about: Is the host alive? Does its reverse DNS resolve to some sort of modem pool (to indicate a home user)?

Another thing you may want to do, if you find that one (or more) of the source IP's are legit and alive (and I know this flirts with the grey area of the law): do a portscan to see if any of the people who scanned YOU are listening on those three ports (keep in mind TCP/37 is UTP and may be a genuine service).

One thing I can't explain is why you're getting hit so many times at your router (one IP) for these ports. It's not like by knocking harder the hax0r is going to convince you to open up the firewall door... perhaps repeated sweeps of the subnet that my.border.router.ip resides in?

Just some thoughts... please feel free to correct me if I'm totally off-base with anything (I'm sure I blew the call somewhere in here :-) ).

Mike Cloppert
Systems Analyst
Fifth Third Bank
513 534 0898
michael.cloppert () 53 com
-----Original Message-----
From: Andrea Efstathiou [mailto:aefstathiou () aeropia com]
Sent: Monday, January 07, 2002 11:49 AM
To: incidents () securityfocus com
Subject: Strange connection attempts

Hi All,

I was wondering if anyone else was seeing, or has seen, attempts like this before and/or could tell me what might be causing them.

Jan 2 13:42:13 my.domain.com41479: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.106.18.248(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:44:53 my.domain.com41482: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.58.230.212(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:45:08 my.domain.com41484: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.116.251.123(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:46:47 my.domain.com41485: %SEC-6-IPACCESSLOGP: list inbound denied udp 195.176.180.174(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:46:58 my.domain.com41487: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.37.60.15(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:47:58 my.domain.com41502: %SEC-6-IPACCESSLOGP: list inbound denied udp 141.217.10.169(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:48:56 my.domain.com41504: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.103.119.138(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:50:08 my.domain.com41506: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.56.168.38(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:51:52 my.domain.com41509: %SEC-6-IPACCESSLOGP: list inbound denied udp 216.191.217.66(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:52:14 my.domain.com41510: %SEC-6-IPACCESSLOGP: list inbound denied udp 204.210.232.253(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:56:01 my.domain.com41516: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:56:39 my.domain.com41517: %SEC-6-IPACCESSLOGP: list inbound denied udp 209.107.57.252(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:56:56 my.domain.com41518: %SEC-6-IPACCESSLOGP: list inbound denied udp 216.191.217.66(137) -> my.border.router.ip(36), 2 packets
Jan 2 13:57:56 my.domain.com41519: %SEC-6-IPACCESSLOGP: list inbound denied udp 204.210.232.253(137) -> my.border.router.ip(36), 2 packets
Jan 2 14:00:58 my.domain.com41527: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.65.246.247(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:01:27 my.domain.com41528: %SEC-6-IPACCESSLOGP: list inbound denied udp 212.131.230.179(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:01:57 my.domain.com41529: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:05:38 my.domain.com41534: %SEC-6-IPACCESSLOGP: list inbound denied udp 207.173.208.254(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:06:00 my.domain.com41536: %SEC-6-IPACCESSLOGP: list inbound denied udp 202.8.234.234(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:06:57 my.domain.com41539: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.65.246.247(137) -> my.border.router.ip(36), 2 packets
Jan 2 14:07:39 my.domain.com41540: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.37.60.15(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:09:25 my.domain.com41544: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:13:53 my.domain.com41559: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:17:19 my.domain.com41565: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.168.212.107(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:19:50 my.domain.com41568: %SEC-6-IPACCESSLOGP: list inbound denied udp 207.40.241.184(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:20:59 my.domain.com41569: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.81.200.98(137) -> my.border.router.ip(36), 2 packets
Jan 2 14:22:59 my.domain.com41573: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.168.212.107(137) -> my.border.router.ip(36), 2 packets
Jan 2 14:23:59 my.domain.com41576: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 3 packets
Jan 2 14:24:29 my.domain.com41578: %SEC-6-IPACCESSLOGP: list inbound denied udp 158.194.80.59(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:24:59 my.domain.com41579: %SEC-6-IPACCESSLOGP: list inbound denied udp 207.40.241.184(137) -> my.border.router.ip(36), 2 packets
Jan 2 14:25:59 my.domain.com41581: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.95.243.199(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:27:28 my.domain.com41585: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.204.206.98(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:27:48 my.domain.com41586: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.197.234.119(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:30:00 my.domain.com41589: %SEC-6-IPACCESSLOGP: list inbound denied udp 158.194.80.59(137) -> my.border.router.ip(36), 2 packets
Jan 2 14:30:54 my.domain.com41592: %SEC-6-IPACCESSLOGP: list inbound denied udp 216.191.217.66(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:32:02 my.domain.com41596: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.159.100.37(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:33:00 my.domain.com41599: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.197.234.119(137) -> my.border.router.ip(36), 2 packets
Jan 2 14:34:38 my.domain.com41600: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.221.145.131(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:36:00 my.domain.com41602: %SEC-6-IPACCESSLOGP: list inbound denied udp 144.92.175.159(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:40:01 my.domain.com41610: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.221.145.131(137) -> my.border.router.ip(36), 2 packets
Jan 2 14:40:56 my.domain.com41612: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.65.246.247(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:41:02 my.domain.com41614: %SEC-6-IPACCESSLOGP: list inbound denied udp 128.163.94.92(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:41:35 my.domain.com41615: %SEC-6-IPACCESSLOGP: list inbound denied udp 168.131.57.87(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:41:53 my.domain.com41616: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.83.39.140(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:42:23 my.domain.com41618: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.149.128.36(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:44:21 my.domain.com41623: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.45.107.130(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:46:01 my.domain.com41627: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.65.246.247(137) -> my.border.router.ip(36), 2 packets
Jan 2 14:47:01 my.domain.com41629: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.83.39.140(137) -> my.border.router.ip(36), 2 packets
Jan 2 14:50:11 my.domain.com41632: %SEC-6-IPACCESSLOGP: list inbound denied udp 142.103.165.51(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:51:03 my.domain.com41637: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.20.105.233(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:51:40 my.domain.com41638: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.33.170.194(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:54:02 my.domain.com41642: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.149.128.36(137) -> my.border.router.ip(36), 2 packets
Jan 2 14:54:57 my.domain.com41644: %SEC-6-IPACCESSLOGP: list inbound denied udp 211.171.214.131(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:55:18 my.domain.com41646: %SEC-6-IPACCESSLOGP: list inbound denied udp 212.125.225.165(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:55:47 my.domain.com41647: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.198.44.4(137) -> my.border.router.ip(36), 1 packet
Jan 2 14:57:03 my.domain.com41652: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.20.105.233(137) -> my.border.router.ip(36), 2 packets
Jan 2 14:58:56 my.domain.com41654: %SEC-6-IPACCESSLOGP: list inbound denied udp 202.180.172.8(137) -> my.border.router.ip(36), 1 packet
Jan 2 15:00:03 my.domain.com41659: %SEC-6-IPACCESSLOGP: list inbound denied udp 211.171.214.131(137) -> my.border.router.ip(36), 2 packets
Jan 2 15:01:48 my.domain.com41663: %SEC-6-IPACCESSLOGP: list inbound denied udp 211.219.43.175(137) -> my.border.router.ip(36), 1 packet
Jan 2 15:04:03 my.domain.com41667: %SEC-6-IPACCESSLOGP: list inbound denied udp 202.180.172.8(137) -> my.border.router.ip(36), 2 packets
Jan 2 15:07:04 my.domain.com41672: %SEC-6-IPACCESSLOGP: list inbound denied udp 211.219.43.175(137) -> my.border.router.ip(36), 2 packets
Jan 3 09:04:37 my.domain.com41870: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.196.28.67(137) -> my.border.router.ip(37), 1 packet
Jan 3 09:05:48 my.domain.com41871: %SEC-6-IPACCESSLOGP: list inbound denied udp 209.91.178.156(137) -> my.border.router.ip(37), 1 packet
Jan 3 09:07:04 my.domain.com41873: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.207.157.172(137) -> my.border.router.ip(37), 1 packet
Jan 3 09:09:43 my.domain.com41875: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.212.205.68(137) -> my.border.router.ip(37), 1 packet
Jan 3 09:10:11 my.domain.com41876: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.63.88.86(137) -> my.border.router.ip(37), 1 packet
Jan 3 09:10:28 my.domain.com41877: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.196.28.67(137) -> my.border.router.ip(37), 2 packets
Jan 3 09:10:45 my.domain.com41878: %SEC-6-IPACCESSLOGP: list inbound denied udp 144.92.175.27(137) -> my.border.router.ip(37), 1 packet
Jan 3 09:12:04 my.domain.com41880: %SEC-6-IPACCESSLOGP: list inbound denied udp 156.3.31.177(137) -> my.border.router.ip(37), 1 packet
Jan 3 09:12:13 my.domain.com41881: %SEC-6-IPACCESSLOGP: list inbound denied udp 4.3.205.254(137) -> my.border.router.ip(37), 1 packet
Jan 3 09:12:29 my.domain.com41882: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.207.157.172(137) -> my.border.router.ip(37), 2 packets
Jan 3 09:12:33 my.domain.com41883: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.107.131.247(137) -> my.border.router.ip(37), 1 packet
Jan 3 09:15:29 my.domain.com41885: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.63.88.86(137) -> my.border.router.ip(37), 2 packets
Jan 3 09:16:29 my.domain.com41886: %SEC-6-IPACCESSLOGP: list inbound denied udp 144.92.175.27(137) -> my.border.router.ip(37), 2 packets
Jan 3 09:17:29 my.domain.com41887: %SEC-6-IPACCESSLOGP: list inbound denied udp 156.3.31.177(137) -> my.border.router.ip(37), 2 packets
Jan 3 09:18:29 my.domain.com41888: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.107.131.247(137) -> my.border.router.ip(37), 2 packets
Jan 4 17:42:43 my.domain.com42179: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.63.124.173(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:43:33 my.domain.com42181: %SEC-6-IPACCESSLOGP: list inbound denied udp 206.142.24.160(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:44:12 my.domain.com42183: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.198.243.40(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:44:33 my.domain.com42184: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.89.162.78(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:44:44 my.domain.com42185: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.116.246.179(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:45:51 my.domain.com42187: %SEC-6-IPACCESSLOGP: list inbound denied udp 209.251.16.2(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:46:45 my.domain.com42188: %SEC-6-IPACCESSLOGP: list inbound denied udp 206.69.196.90(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:47:04 my.domain.com42189: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.142.203.158(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:47:33 my.domain.com42190: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.169.232.55(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:49:51 my.domain.com42193: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.198.243.40(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:50:51 my.domain.com42194: %SEC-6-IPACCESSLOGP: list inbound denied udp 209.251.16.2(137) -> my.border.router.ip(40), 2 packets
Jan 4 17:51:21 my.domain.com42195: %SEC-6-IPACCESSLOGP: list inbound denied udp 134.102.68.26(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:52:30 my.domain.com42196: %SEC-6-IPACCESSLOGP: list inbound denied udp 130.184.111.212(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:52:51 my.domain.com42197: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.89.162.78(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:53:22 my.domain.com42198: %SEC-6-IPACCESSLOGP: list inbound denied udp 137.204.133.109(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:54:51 my.domain.com42200: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.116.246.179(137) -> my.border.router.ip(40), 3 packets
Jan 4 17:56:24 my.domain.com42201: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.169.149.134(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:56:28 my.domain.com42202: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.116.86.119(137) -> my.border.router.ip(40), 1 packet
Jan 4 17:56:52 my.domain.com42204: %SEC-6-IPACCESSLOGP: list inbound denied udp 134.102.68.26(137) -> my.border.router.ip(40), 2 packets
Jan 4 17:57:52 my.domain.com42205: %SEC-6-IPACCESSLOGP: list inbound denied udp 130.184.111.212(137) -> my.border.router.ip(40), 2 packets
Jan 4 17:58:52 my.domain.com42206: %SEC-6-IPACCESSLOGP: list inbound denied udp 137.204.133.109(137) -> my.border.router.ip(40), 2 packets
Jan 4 18:01:52 my.domain.com42209: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.169.149.134(137) -> my.border.router.ip(40), 1 packet

Regards,
Andrea Efstathiou

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
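A small triage script in the spirit of Mike's analysis, added here as an example and not part of either message in the thread: it parses the Cisco IOS %SEC-6-IPACCESSLOGP deny lines Andrea posted, groups them by protocol and destination port, and reports the features Mike reasons from (number of distinct sources, whether the source port is fixed, total packets and the packet rate over the observed window). The sample input is a handful of lines taken from the post plus two constructed TCP lines for contrast; the year (2002, from the post date), the `min_sources` threshold and the `distributed_probe` heuristic itself are assumptions of this example, not something the thread states.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Cisco IOS ACL deny line as it appears in the post. The syslog sequence
# number is fused onto the hostname in the archive copy ("my.domain.com41479:"),
# so the host field is matched loosely as one non-space token ending in ":".
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\S+:\s+%SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+denied\s+"
    r"(?P<proto>tcp|udp)\s+(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>\S+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?$"
)

# Sample input: six port-36 and two port-37 lines copied from Andrea's post,
# plus two constructed TCP lines (192.0.2.10, a documentation address) whose
# source port varies, to show what a single ordinary client looks like.
SAMPLE_LOG = """
Jan 2 13:42:13 my.domain.com41479: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.106.18.248(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:44:53 my.domain.com41482: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.58.230.212(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:45:08 my.domain.com41484: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.116.251.123(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:46:47 my.domain.com41485: %SEC-6-IPACCESSLOGP: list inbound denied udp 195.176.180.174(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:46:58 my.domain.com41487: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.37.60.15(137) -> my.border.router.ip(36), 1 packet
Jan 2 13:56:56 my.domain.com41518: %SEC-6-IPACCESSLOGP: list inbound denied udp 216.191.217.66(137) -> my.border.router.ip(36), 2 packets
Jan 3 09:04:37 my.domain.com41870: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.196.28.67(137) -> my.border.router.ip(37), 1 packet
Jan 3 09:10:28 my.domain.com41877: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.196.28.67(137) -> my.border.router.ip(37), 2 packets
Jan 5 10:00:00 my.domain.com43000: %SEC-6-IPACCESSLOGP: list inbound denied tcp 192.0.2.10(51234) -> my.border.router.ip(22), 1 packet
Jan 5 10:00:07 my.domain.com43001: %SEC-6-IPACCESSLOGP: list inbound denied tcp 192.0.2.10(51240) -> my.border.router.ip(22), 1 packet
this line is not an ACL log entry and is skipped
""".strip().splitlines()


@dataclass
class Event:
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int


def parse_line(line: str, year: int = 2002) -> Optional[Event]:
    """Parse one IPACCESSLOGP line; return None for anything else.
    IOS syslog carries no year, so it is supplied (2002 assumed from the post)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["proto"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), int(m["count"]))


@dataclass
class PortSummary:
    proto: str
    dport: int
    sources: set = field(default_factory=set)   # distinct source addresses
    sports: set = field(default_factory=set)    # distinct source ports seen
    packets: int = 0                            # sum of the per-line counts
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    def packets_per_minute(self) -> float:
        span = (self.last - self.first).total_seconds() if self.first and self.last else 0.0
        return self.packets / (span / 60.0) if span > 0 else float(self.packets)

    def distributed_probe(self, min_sources: int = 5) -> bool:
        # Heuristic (assumption of this example): many distinct sources all using
        # one fixed source port against one destination port. A single scanner
        # would normally vary its source port; a fleet of hosts configured the
        # same way, or spoofed decoys, would not.
        return len(self.sources) >= min_sources and len(self.sports) == 1


def summarize(lines) -> dict:
    """Group parsed events by (proto, dport) and accumulate the summary fields."""
    out: dict = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = out.setdefault((ev.proto, ev.dport), PortSummary(ev.proto, ev.dport))
        s.sources.add(ev.src)
        s.sports.add(ev.sport)
        s.packets += ev.count
        s.first = ev.ts if s.first is None else min(s.first, ev.ts)
        s.last = ev.ts if s.last is None else max(s.last, ev.ts)
    return out


def report(lines) -> list:
    """One human-readable line per destination port, flagged ports first."""
    rows = []
    for (proto, dport), s in sorted(summarize(lines).items(),
                                    key=lambda kv: (not kv[1].distributed_probe(), kv[0])):
        flag = "PROBE?" if s.distributed_probe() else "ok"
        rows.append(f"{flag:6} {proto}/{dport}: {len(s.sources)} sources, "
                    f"sports={sorted(s.sports)}, {s.packets} pkts, "
                    f"{s.packets_per_minute():.2f} pkt/min")
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Run against the full log in the post, the udp/36, udp/37 and udp/40 groups each come out with a single source port of 137 and dozens of sources, while the rate stays well under one packet a minute, which is the combination Mike reads as a coordinated low-volume probe rather than a flood or a single nmap run.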