Security Incidents mailing list archives
P2P applications scanning? Trojan? Malicious users?
From: Jeff Kell <jeff-kell () utc edu>
Date: Tue, 07 Oct 2003 14:10:25 -0400
During the outbreak of Blaster/Nachi/Welchia, we installed a tarpit on the dorm network to catch the scans that each performed. It was relatively effective, especially after we automated analysis of the logs and programmatically switched off infected ports.
However, a side effect of the tarpit, now that things are settling down, is that I am seeing very peculiar scans being performed by other systems in the dorms. I have seen scans on obvious P2P ports (tcp/1214 for example) but some equally strange scans that I have been unable to pinpoint or google a clue. Many of these stay trapped for days (or weeks). They are not full-subnet scans (well, possibly a class C) and they tend to grow over time.
Does anyone know of P2P, or P2P helper applications that perform this type of scan? We are a bit hesitant to shut them down without some clue as to what they are doing, and if it is intentional or some new application that is "working as designed".
Some of the ports currently being scanned now (all TCP, the tarpit doesn't catch UDP, generally speaking):
1064 1354 1416 2138 2141 2414 2622 2657 3111 3174 3947 1658
Some of these have hundreds of threads captured dating back a week (and growing slowly but daily).
Jeff Kell
Network Services/ISO
University of Tennessee at Chattanooga
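The kind of automated tarpit-log analysis the post describes (grouping captured connections by source host and destination port, then picking out the slow, long-lived scans that keep adding targets over days) as an added example; this is not code from the original post, and the log line format, addresses and hit counts are constructed for the example:

```python
import re
from collections import defaultdict

# Constructed sample tarpit log lines; the format is an assumption for this example,
# not the output of any particular tarpit. Addresses and ports are made up.
SAMPLE_LOG = """\
2003-10-01 02:14:07 capture src=10.20.31.44:3312 dst=10.20.31.200:1214
2003-10-01 02:14:09 capture src=10.20.31.44:3313 dst=10.20.31.201:1214
2003-10-03 11:02:33 capture src=10.20.31.44:3987 dst=10.20.31.202:1214
2003-10-05 19:45:10 capture src=10.20.31.44:4401 dst=10.20.31.203:1214
2003-10-07 08:12:51 capture src=10.20.31.44:4402 dst=10.20.31.204:1214
2003-10-06 23:59:02 capture src=10.20.31.77:1050 dst=10.20.31.210:2138
2003-10-06 23:59:03 capture src=10.20.31.77:1051 dst=10.20.31.211:2138
2003-10-06 23:59:04 capture src=10.20.31.77:1052 dst=10.20.31.212:2138
2003-10-07 09:00:00 capture src=10.20.31.90:2000 dst=10.20.31.220:80
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ capture "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+):\d+ dst=(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
)

def parse_captures(text):
    """Return (day, src_ip, dst_ip, dst_port) tuples; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["day"], m["src"], m["dst"], int(m["port"])))
    return out

def summarize(text):
    """Group captures by (src_ip, dst_port): hit count, distinct targets, distinct days."""
    stats = defaultdict(lambda: {"hits": 0, "targets": set(), "days": set()})
    for day, src, dst, port in parse_captures(text):
        s = stats[(src, port)]
        s["hits"] += 1
        s["targets"].add(dst)
        s["days"].add(day)
    return stats

def persistent_scanners(text, min_days=3, min_targets=3):
    """(src_ip, dst_port) pairs that keep hitting new targets on several distinct days:
    the slow-growing, long-lived pattern rather than a single burst or a stray connect."""
    return sorted(
        key for key, s in summarize(text).items()
        if len(s["days"]) >= min_days and len(s["targets"]) >= min_targets
    )
```

Lowering `min_days` to 1 also surfaces the one-night burst against tcp/2138, while the single connection to tcp/80 never qualifies.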