Educause Security Discussion mailing list archives

Re: sync'd TCP 1023, 5554, and 9898 scanning from Asia Pacific


From: Herrera Reyna Omar <omar_herrera () BANXICO ORG MX>
Date: Thu, 19 Aug 2004 10:55:26 -0500

True, but most of the scanning is targeted at Asian addresses. It is the
only area where this activity is really noticeable (in general terms).
See:

http://isc.incidents.org/large_map.php?isc=12
http://www.dshield.org/dshieldmovie.php


Regards,
Omar Herrera

-----Original Message-----
From: Doug Pearson [mailto:dodpears () INDIANA EDU]
Sent: Thursday, 19 August 2004 09:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] sync'd TCP 1023, 5554, and 9898 scanning from Asia Pacific

I have a report from the commercial sector of synchronized scanning against
TCP 1023, 5554, and 9898 from a fixed number of machines in China, Korea, and
Japan. The machines scan all three ports, and do so every morning for ~10
minutes. The scanning has been occurring for ~6 weeks.

Daily at 0430 GMT, 36 unique sources mainly from Korea then China and Japan,
from 211/8, 218/8, 219/8, 220/8, 221/8, 222/8 and 61/8 and one address from
60/8 - 60.34.201.132. At 0530 GMT, 38 unique sources mainly from China,
202/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8 and 61/8.

We're running an Abilene netflow analysis to see if there's similar activity
on Abilene. More details on that soon.

Graphs of the aggregate Abilene netflow for the affected ports are attached.

A list of suspects by /32 (from my commercial sector source) is attached. US-
based universities as sources have been redacted from the list and are being
contacted individually by the REN-ISAC.

The ports are associated with the Sasser and Dabber worms[1].


Regards,

Doug Pearson
dodpears () indiana edu
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac () iu edu




[1] TCP 1023, 5554, 9898 exploits:

TCP 1023 - Sasser.E: FTP

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.e.worm.html

TCP 5554 - Dabber, Sasser A - D, F: FTP

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html

TCP 9898 - MonkeyCom, Dabber Backdoor
http://www.lurhq.com/dabber.html
http://isc.sans.org/trends.php
http://www.dshield.org/topports.php

**********
Participation and subscription information for this EDUCAUSE Discussion Group
discussion list can be found at http://www.educause.edu/cg/.

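As an added example (not part of either message above, and not code from REN-ISAC or from the ISC/DShield pages linked in the thread): a small Python script that runs the kind of netflow check Doug describes over flow records. It flags sources that touched all three of TCP 1023, 5554 and 9898 within one 10-minute window, and then groups those bursts by UTC hour and source /8, so a recurring 0430Z/0530Z schedule and the originating netblocks stand out the way they do in the report. The flow records are constructed sample data using documentation address ranges (198.51.100.0/24 and 203.0.113.0/24 as sources, 192.0.2.0/24 as targets), not the redacted suspect list, and the record layout `start_utc src dst dport` is an assumption rather than any particular collector's export format.

```python
"""Find sources that hit TCP 1023, 5554 and 9898 together in a short window,
then summarize the bursts by UTC hour and source /8.

Added example: the record layout (start_utc src dst dport) and every address
below are constructed for illustration, not taken from the list message.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SCAN_PORTS = frozenset({1023, 5554, 9898})   # Sasser/Dabber ports named in the post
BURST_WINDOW = timedelta(minutes=10)         # "every morning for ~10 minutes"

# Constructed sample flows (documentation address ranges only):
# 198.51.100.15 and 198.51.100.9 scan all three ports at 0430Z,
# 203.0.113.1 does so at 0530Z, 198.51.100.3 touches only 5554, and
# 203.0.113.4 hits all three ports but hours apart, so it is not synchronized.
SAMPLE_FLOWS = """\
2004-08-18T04:30:11Z 198.51.100.15 192.0.2.7 1023
2004-08-18T04:30:12Z 198.51.100.15 192.0.2.7 5554
2004-08-18T04:30:12Z 198.51.100.15 192.0.2.7 9898
2004-08-18T04:31:40Z 198.51.100.9 192.0.2.8 1023
2004-08-18T04:31:41Z 198.51.100.9 192.0.2.8 5554
2004-08-18T04:31:42Z 198.51.100.9 192.0.2.8 9898
2004-08-18T04:33:00Z 198.51.100.3 192.0.2.9 5554
2004-08-18T09:00:00Z 203.0.113.4 192.0.2.9 1023
2004-08-18T11:00:00Z 203.0.113.4 192.0.2.9 5554
2004-08-18T13:00:00Z 203.0.113.4 192.0.2.9 9898
2004-08-19T04:30:20Z 198.51.100.15 192.0.2.7 9898
2004-08-19T04:30:21Z 198.51.100.15 192.0.2.7 1023
2004-08-19T04:30:22Z 198.51.100.15 192.0.2.7 5554
2004-08-19T05:30:05Z 203.0.113.1 192.0.2.7 1023
2004-08-19T05:30:06Z 203.0.113.1 192.0.2.7 5554
2004-08-19T05:30:07Z 203.0.113.1 192.0.2.7 9898
2004-08-19T05:31:00Z 192.0.2.10 192.0.2.7 80
"""


def parse_flows(text):
    """Parse 'start_utc src dst dport' lines into (datetime, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return records


def find_sync_scanners(records, ports=SCAN_PORTS, window=BURST_WINDOW):
    """Return {src: [burst_start, ...]} for sources that contacted every port in
    `ports` within a single `window`. A source that hits the ports hours apart
    never completes a window and is not reported."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport in records:
        if dport in ports:
            by_src[src].append((ts, dport))
    result = {}
    for src, events in by_src.items():
        events.sort()
        bursts = []
        i = 0
        while i < len(events):
            t0 = events[i][0]
            seen = set()
            j = i
            while j < len(events) and events[j][0] - t0 <= window:
                seen.add(events[j][1])
                j += 1
            if seen >= ports:
                bursts.append(t0)   # record the burst once, then skip past it
                i = j
            else:
                i += 1
        if bursts:
            result[src] = bursts
    return result


def summarize(bursts):
    """Group burst starts by UTC hour and source /8: {hour: {'/8': unique_sources}}."""
    by_hour = defaultdict(lambda: defaultdict(set))
    for src, starts in bursts.items():
        net = str(ipaddress.ip_network(f"{src}/8", strict=False))
        for t in starts:
            by_hour[t.hour][net].add(src)
    return {h: {n: len(s) for n, s in nets.items()} for h, nets in by_hour.items()}


if __name__ == "__main__":
    found = find_sync_scanners(parse_flows(SAMPLE_FLOWS))
    for src, starts in sorted(found.items()):
        print(src, [t.strftime("%Y-%m-%d %H:%MZ") for t in starts])
    for hour, nets in sorted(summarize(found).items()):
        print(f"{hour:02d}30Z-ish window:", dict(nets))
```

On real data the 10-minute window and the three-port requirement are the two knobs: loosen the port set to "any two of the three" if the source only sees partial bursts, and compare the per-hour counts day over day, since the report's signal is that the same schedule and roughly the same source count recur every morning.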
