Educause Security Discussion mailing list archives

sync'd TCP 1023, 5554, and 9898 scanning from Asia Pacific


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Thu, 19 Aug 2004 09:57:23 -0500

I have a report from the commercial sector of synchronized scanning against TCP 1023, 5554, and 9898 from a fixed 
number of machines in China, Korea, and Japan. The machines scan all three ports, and do so every morning for ~10 
minutes. The scanning has been occurring for ~6 weeks.

Daily at 0430 GMT, 36 unique sources mainly from Korea then China and Japan, from 211/8, 218/8, 219/8, 220/8, 221/8, 
222/8 and 61/8 and one address from 60/8 - 60.34.201.132. At 0530 GMT, 38 unique sources mainly from China, 202/8, 
211/8, 218/8, 219/8, 220/8, 221/8, 222/8 and 61/8.

We're running an Abilene netflow analysis to see if there's similar activity on Abilene. More details on that soon.

Graphs of the aggregate Abilene netflow for the affected ports are attached.

A list of suspects by /32 (from my commercial sector source) is attached. US-based universities as sources have been 
redacted from the list and are being contacted individually by the REN-ISAC.

The ports are associated with the Sasser and Dabber worms[1].


Regards,

Doug Pearson
dodpears () indiana edu
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac () iu edu




[1] TCP 1023, 5554, 9898 exploits:

TCP 1023 - Sasser.E: FTP
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.e.worm.html

TCP 5554 - Dabber, Sasser A - D, F: FTP
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html

TCP 9898 - MonkeyCom, Dabber Backdoor
http://www.lurhq.com/dabber.html
http://isc.sans.org/trends.php
http://www.dshield.org/topports.php
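One way to look for the pattern described above in flow data, as an added example that is not part of the original post or of any REN-ISAC tooling: it flags sources that touch all three ports within a ten-minute window and then counts how many flagged sources started in the same ten-minute slot, which is what a synchronized burst looks like. The flow record format and all addresses are assumed and constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Ports the post ties to Sasser/Dabber; a source probing all three is the reported pattern.
WORM_PORTS = {1023, 5554, 9898}
WINDOW = timedelta(minutes=10)   # the post reports ~10-minute daily bursts

# Constructed sample flow records ("timestamp src dst dport"); not real data from the post.
SAMPLE_FLOWS = """\
2004-08-18T04:30:12Z 203.0.113.10 192.0.2.5 1023
2004-08-18T04:30:13Z 203.0.113.10 192.0.2.6 5554
2004-08-18T04:30:14Z 203.0.113.10 192.0.2.7 9898
2004-08-18T04:31:02Z 203.0.113.44 192.0.2.5 5554
2004-08-18T04:31:03Z 203.0.113.44 192.0.2.5 9898
2004-08-18T04:31:04Z 203.0.113.44 192.0.2.5 1023
2004-08-18T11:15:00Z 198.51.100.7 192.0.2.5 5554
2004-08-18T13:40:00Z 198.51.100.7 192.0.2.5 9898
2004-08-18T14:02:00Z 198.51.100.7 192.0.2.5 1023
"""

def parse_flows(text):
    """Parse one flow per line into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return flows

def full_set_scanners(flows, ports=WORM_PORTS, window=WINDOW):
    """Return {src: first_seen} for sources that hit every port in `ports` inside one `window`."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport in flows:
        if dport in ports:
            by_src[src].append((ts, dport))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Ports this source touched within `window` of its i-th event.
            seen = {p for ts, p in events[i:] if ts - start <= window}
            if seen >= ports:
                hits[src] = start
                break
    return hits

def synchronized_windows(hits, minutes=10):
    """Count flagged sources per `minutes`-wide slot; a tall slot is a synchronized burst."""
    buckets = defaultdict(int)
    for start in hits.values():
        slot = start.replace(minute=start.minute - start.minute % minutes, second=0)
        buckets[slot.strftime("%Y-%m-%dT%H:%MZ")] += 1
    return dict(buckets)
```

Sources that hit the three ports hours apart, as the third constructed source does, are not flagged, which keeps ordinary background noise out of the count.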


Attachment: syncd_redacted.txt