Security Incidents mailing list archives

slow scans for tcp port 524 and 137


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 25 Oct 2000 13:12:56 +1300

Over the last week or so I have picked up three machines probing for
udp 137 and tcp 524.  Probes appear to be to random addresses in our
address space (some are in use, many not) and occur at random time
intervals, with a mean of around an hour but some long intervals
suggesting that the machine was powered off.

All machines are in 130.0.0.0/8 as are we.  I'm guessing that this is
a trojan that is scanning its own /8 with random probes.  Perhaps the
same as was reported:

<http://www.securityfocus.com/archive/75/61101>

Anyway it seems to be getting more prevalent.

I have not yet reported these to the owners so I'll obscure the source
address to protect the guilty until I have contacted them.

[130.xx.93.46] -- hosts 15, times 21, frags 0
        file: data/2000.10.24/argus-2000.10.24.19.00.gz
                130.216.92.204. 524
        file: data/2000.10.24/argus-2000.10.24.18.00.gz
                130.216.92.204. 524
        file: data/2000.10.24/argus-2000.10.24.16.00.gz
                130.216.216.44. 524
                130.216.217.118. 524
        file: data/2000.10.24/argus-2000.10.24.15.00.gz
                130.216.216.44. 524
        file: data/2000.10.24/argus-2000.10.24.13.00.gz
                130.216.37.229. 524
        file: data/2000.10.24/argus-2000.10.24.12.00.gz
                130.216.37.229. 524
        file: data/2000.10.24/argus-2000.10.24.03.00.gz
                130.216.131.62. 524
        file: data/2000.10.23/argus-2000.10.23.22.00.gz
                130.216.16.95. 524
        file: data/2000.10.23/argus-2000.10.23.21.00.gz
                130.216.16.95. 524
        file: data/2000.10.20/argus-2000.10.20.02.00.gz

    Start_Time      Type       SrcAddr   Port  Dir         DstAddr   Port  SrcPkt   Dstpkt    SrcBytes     DstBytes    Status
24 Oct 00 19:26:37   tcp    130.xx.93.46.4495   o>    130.216.92.204.524   3        0         198          0           S
24 Oct 00 19:26:27  icmp 130.216.191.119        ->      130.xx.93.46       9        0         1206         0           URH
24 Oct 00 19:26:24   udp    130.xx.93.46.137    ->    130.216.92.204.137   6        0         576          0           TIM

Note the "S" 'Status' on the tcp record; this indicates the packet had
the SYN flag set.  This one seems to reprobe the last address
systematically; the others don't.

[130.yyy.114.167] -- hosts 11, times 10, frags 0
        file: data/2000.10.24/argus-2000.10.24.06.00.gz
                130.216.185.105. 524
                130.216.230.199. 524
        file: data/2000.10.24/argus-2000.10.24.02.00.gz
                130.216.149.63. 524
        file: data/2000.10.21/argus-2000.10.21.01.00.gz
                130.216.96.172. 524
        file: data/2000.10.20/argus-2000.10.20.04.00.gz
                130.216.132.185. 524
        file: data/2000.10.18/argus-2000.10.18.09.00.gz
                130.216.55.228. 524
        file: data/2000.10.18/argus-2000.10.18.05.00.gz
                130.216.186.163. 524
        file: data/2000.10.18/argus-2000.10.18.02.00.gz
                130.216.209.106. 524
        file: data/2000.10.18/argus-2000.10.18.01.00.gz
                130.216.162.67. 524
        file: data/2000.10.17/argus-2000.10.17.07.00.gz
                130.216.119.124. 524
        file: data/2000.10.17/argus-2000.10.17.04.00.gz
                130.216.87.10. 524

24 Oct 00 06:20:05   tcp 130.yyy.114.167.1228   o>   130.216.185.105.524   3        0         198          0
24 Oct 00 06:20:14   udp 130.yyy.114.167.137    ->   130.216.185.105.137   6        0         576          0           TIM
24 Oct 00 06:38:04   tcp 130.yyy.114.167.1493   o>   130.216.230.199.524   3        0         198          0
24 Oct 00 06:38:20   udp 130.yyy.114.167.137    ->   130.216.230.199.137   6        0         576          0           TIM

Note the absence of the "S", indicating a null scan (no tcp flags in
these packets).  This one also


[130.zz.73.75] -- hosts 20, times 16, frags 0
        file: data/2000.10.19/argus-2000.10.19.20.00.gz
                130.216.235.47. 524
        file: data/2000.10.19/argus-2000.10.19.19.00.gz
                130.216.62.30. 524
        file: data/2000.10.19/argus-2000.10.19.14.00.gz
                130.216.51.142. 524
        file: data/2000.10.19/argus-2000.10.19.11.00.gz
                130.216.15.205. 524
                130.216.60.51. 524
        file: data/2000.10.19/argus-2000.10.19.10.00.gz
                130.216.26.96. 524
        file: data/2000.10.19/argus-2000.10.19.07.00.gz
                130.216.84.198. 524
                130.216.122.165. 524
        file: data/2000.10.19/argus-2000.10.19.05.00.gz
                130.216.146.71. 524

19 Oct 00 19:56:38   udp    130.zz.73.75.137    ->     130.216.62.30.137   3        0         288          0           TIM
19 Oct 00 20:15:21   tcp    130.zz.73.75.2278   o>    130.216.235.47.524   3        0         198          0
19 Oct 00 20:18:42   udp    130.zz.73.75.137    ->    130.216.235.47.137   3        0         288          0           TIM

Cheers, Russell

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand.
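Added example, not part of Russell's post and not Argus's own tooling: a small Python parser for records in the column layout quoted above. It reads the Status column the way the post does (an "S" on a tcp record means a SYN was seen; no status at all on a tcp record is taken as a null scan), then groups probes to tcp/524 and udp/137 by source and reports how many distinct hosts each source touched and the mean gap between first contacts with successive hosts, which is the slow, random pacing the post describes. The sample records are constructed in that layout with RFC 5737 test addresses rather than the post's data; the field positions, the SCAN_PORTS set and the min_hosts threshold are assumptions.

```python
"""Parse Argus flow records in the column layout quoted in the post and
flag slow scans of tcp/524 and udp/137.

Added example: not code from the post and not Argus's own tools.
Assumed record layout (whitespace separated):
  Day Mon YY HH:MM:SS Type SrcAddr.Port Dir DstAddr.Port SrcPkt DstPkt SrcBytes DstBytes [Status]
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample records in the Argus layout, using RFC 5737 test
# addresses, not the post's real data.  Two sources make slow random
# sweeps (one with SYNs, one with no flags); a third touches one host only.
SAMPLE_RECORDS = """\
24 Oct 00 06:20:05   tcp 198.51.100.167.1228   o>   192.0.2.105.524   3   0   198    0
24 Oct 00 06:20:14   udp 198.51.100.167.137    ->   192.0.2.105.137   6   0   576    0   TIM
24 Oct 00 06:38:04   tcp 198.51.100.167.1493   o>   192.0.2.199.524   3   0   198    0
24 Oct 00 06:38:20   udp 198.51.100.167.137    ->   192.0.2.199.137   6   0   576    0   TIM
24 Oct 00 07:55:40   tcp 198.51.100.167.1502   o>   192.0.2.63.524    3   0   198    0
24 Oct 00 19:26:24   udp 198.51.100.46.137     ->   192.0.2.204.137   6   0   576    0   TIM
24 Oct 00 19:26:27  icmp 192.0.2.119           ->   198.51.100.46     9   0   1206   0   URH
24 Oct 00 19:26:37   tcp 198.51.100.46.4495    o>   192.0.2.204.524   3   0   198    0   S
24 Oct 00 19:30:00   tcp 198.51.100.46.4500    o>   192.0.2.204.524   3   0   198    0   S
24 Oct 00 20:40:10   tcp 198.51.100.46.4512    o>   192.0.2.31.524    3   0   198    0   S
24 Oct 00 19:31:00   tcp 198.51.100.77.3000    o>   192.0.2.10.524    3   0   198    0   S
"""

# (protocol, destination port) pairs the post reports being probed (assumed set).
SCAN_PORTS = {("tcp", 524), ("udp", 137)}


def split_addr(token):
    """'198.51.100.167.1228' -> ('198.51.100.167', 1228); Argus appends the port with a dot."""
    host, port = token.rsplit(".", 1)
    return host, int(port)


def parse_record(line):
    """Parse one tcp/udp record into a dict; return None for other types or short lines."""
    f = line.split()
    if len(f) < 12 or f[4] not in ("tcp", "udp"):
        return None          # icmp records carry no ports and are not probe evidence here
    src, sport = split_addr(f[5])
    dst, dport = split_addr(f[7])
    return {
        "time": datetime.strptime(" ".join(f[:4]), "%d %b %y %H:%M:%S"),
        "proto": f[4], "src": src, "sport": sport, "dst": dst, "dport": dport,
        "src_pkts": int(f[8]), "dst_pkts": int(f[9]),
        "status": f[12] if len(f) > 12 else "",   # Status column is optional
    }


def probe_kind(rec):
    """Read the Status column as the post does: 'S' means a SYN was seen;
    an empty status on a tcp record means no flags at all (null scan)."""
    if rec["proto"] == "tcp":
        return "syn" if "S" in rec["status"] else "null"
    return "udp-unanswered" if rec["status"] == "TIM" else "udp"


def summarise_sources(text, min_hosts=2):
    """Group probes to SCAN_PORTS by source.  For each source touching at
    least min_hosts distinct hosts, report host count, probe count, the tcp
    probe kinds seen, whether any target ever answered, and the mean gap in
    minutes between first contacts with successive hosts (the scan pace)."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and (rec["proto"], rec["dport"]) in SCAN_PORTS:
            by_src[rec["src"]].append(rec)

    report = {}
    for src, recs in by_src.items():
        first_contact = {}
        for r in recs:
            first_contact[r["dst"]] = min(first_contact.get(r["dst"], r["time"]), r["time"])
        if len(first_contact) < min_hosts:
            continue
        order = sorted(first_contact.values())
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(order, order[1:])]
        report[src] = {
            "hosts": len(first_contact),
            "probes": len(recs),
            "tcp_kinds": sorted({probe_kind(r) for r in recs if r["proto"] == "tcp"}),
            "answered": any(r["dst_pkts"] > 0 for r in recs),
            "mean_gap_min": round(mean(gaps), 1),
        }
    return report


if __name__ == "__main__":
    for src, info in summarise_sources(SAMPLE_RECORDS).items():
        print(src, info)
```

Measuring the gap between first contacts with distinct hosts, rather than between every record, keeps a source that reprobes one address (as the first host in the post does) from looking faster than it is; a source whose targets never send a packet back and whose inter-host gaps run to tens of minutes is the pattern worth pulling from the hourly Argus files.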

