Security Incidents mailing list archives

P2P applications scanning? Trojan? Malicious users?


From: Jeff Kell <jeff-kell () utc edu>
Date: Tue, 07 Oct 2003 14:10:25 -0400

During the outbreak of Blaster/Nachi/Welchia, we installed a tarpit on the dorm network to catch the scans that each performed. It was relatively effective, especially after we automated analysis of the logs and programmatically switched off infected ports.

However, a side effect of the tarpit, now that things are settling down, is that I am seeing very peculiar scans being performed by other systems in the dorms. I have seen scans on obvious P2P ports (tcp/1214 for example) but some equally strange scans that I have been unable to pinpoint or google a clue. Many of these stay trapped for days (or weeks). They are not full-subnet scans (well, possibly a class C) and they tend to grow over time.

Does anyone know of P2P, or P2P helper applications that perform this type of scan? We are a bit hesitant to shut them down without some clue as to what they are doing, and if it is intentional or some new application that is "working as designed".

Some of the ports currently being scanned now (all TCP, the tarpit doesn't catch UDP, generally speaking):

1064
1354
1416
2138
2141
2414
2622
2657
3111
3174
3947
1658

Some of these have hundreds of threads captured dating back a week (and growing slowly but daily).

Jeff Kell
Network Services/ISO
University of Tennessee at Chattanooga
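An added example, not part of Jeff's post: a small Python triage script over constructed tarpit log lines (the log format, addresses and thresholds are all assumptions) doing the per-source aggregation that the automated log analysis described above needs, and flagging hosts that stay trapped for days while touching several ports outside a known-P2P list.

```python
# Added example (not from the post): triage tarpit logs by source host.
# Assumed, constructed log format, one captured connection per line:
#   <ISO timestamp> <src_ip> -> <dst_port>   (real tarpits differ; adapt parse_line)
from datetime import datetime, timedelta

# Constructed sample: one host hitting a known P2P port twice, another
# hitting the unexplained ports from the post over about a week.
SAMPLE_LOG = """\
2003-09-29T08:02:11 10.1.4.17 -> 1214
2003-09-29T08:02:12 10.1.4.17 -> 1214
2003-09-30T01:15:40 10.1.9.88 -> 1064
2003-09-30T01:15:41 10.1.9.88 -> 1354
2003-10-02T03:22:09 10.1.9.88 -> 1416
2003-10-05T11:47:30 10.1.9.88 -> 2138
2003-10-07T09:01:02 10.1.9.88 -> 2141
"""
KNOWN_P2P_PORTS = {1214}  # the one P2P port named in the post; extend as needed

def parse_line(line):
    ts, src, _, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)

def summarize(log_text):
    """Per source: first/last capture time, distinct destination ports, hit count."""
    stats = {}
    for line in filter(None, log_text.splitlines()):
        ts, src, port = parse_line(line)
        s = stats.setdefault(src, {"first": ts, "last": ts, "ports": set(), "hits": 0})
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["ports"].add(port)
        s["hits"] += 1
    return stats

def flag_sources(stats, min_days=3, min_ports=3):
    """Sources trapped for >= min_days that touch >= min_ports ports outside the
    known-P2P set: the slow, growing, unexplained scanners the post describes."""
    flagged = []
    for src, s in stats.items():
        span = s["last"] - s["first"]
        odd_ports = s["ports"] - KNOWN_P2P_PORTS
        if span >= timedelta(days=min_days) and len(odd_ports) >= min_ports:
            flagged.append((src, sorted(odd_ports), span.days))
    return sorted(flagged)

if __name__ == "__main__":
    for src, ports, days in flag_sources(summarize(SAMPLE_LOG)):
        print(f"{src}: {len(ports)} unexplained ports over {days} days: {ports}")
```

The flagged list is the candidate set to look at (or switch off) before assuming a new application is simply "working as designed"; the host on the known P2P port is left alone.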
