Security Incidents mailing list archives
Re: new scanner tool or blind luck?
From: Ken Armstrong <ken.armstrong3 () SYMPATICO CA>
Date: Wed, 13 Sep 2000 19:44:52 -0400
Hi,

I have seen exactly the same on a residential ADSL link. This activity started in early September and is still continuing. There has been some recent discussion on some of the lists concerning a Trojan that was discovered in August. This Trojan infects notepad.exe and then sequentially tries to use NetBIOS to connect to other systems in the local network. I am wondering if this is what we are seeing?

Ken

On Wed, 13 Sep 2000, T. Esting wrote:
Lately, we've been tracking some unusual NetBIOS scans that have caught our attention and are interesting enough that we thought we'd share with the group. Around the last week of August, we started seeing scans exhibiting the following signature behavior:

Sep 09 09:38:09 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2889 DSTIP our.sub.net.1 DSTPRT 139 PROT TCP
Sep 09 09:38:09 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2889 DSTIP our.sub.net.1 DSTPRT 139 PROT TCP
Sep 09 09:38:14 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2890 DSTIP our.sub.net.2 DSTPRT 139 PROT TCP
Sep 09 09:38:14 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2889 DSTIP our.sub.net.1 DSTPRT 139 PROT TCP
Sep 09 09:38:19 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2890 DSTIP our.sub.net.2 DSTPRT 139 PROT TCP
Sep 09 09:38:19 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2891 DSTIP our.sub.net.3 DSTPRT 139 PROT TCP
Sep 09 09:38:24 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2890 DSTIP our.sub.net.2 DSTPRT 139 PROT TCP
Sep 09 09:38:24 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2891 DSTIP our.sub.net.3 DSTPRT 139 PROT TCP
Sep 09 09:38:29 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2892 DSTIP our.sub.net.4 DSTPRT 139 PROT TCP
Sep 09 09:38:29 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2889 DSTIP our.sub.net.1 DSTPRT 139 PROT TCP
Sep 09 09:38:29 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2891 DSTIP our.sub.net.3 DSTPRT 139 PROT TCP
Sep 09 09:38:29 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2892 DSTIP our.sub.net.4 DSTPRT 139 PROT TCP
Sep 09 09:38:39 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2890 DSTIP our.sub.net.2 DSTPRT 139 PROT TCP
Sep 09 09:38:39 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2892 DSTIP our.sub.net.4 DSTPRT 139 PROT TCP
Sep 09 09:38:44 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2894 DSTIP our.sub.net.6 DSTPRT 139 PROT TCP
Sep 09 09:38:44 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2891 DSTIP our.sub.net.3 DSTPRT 139 PROT TCP
Sep 09 09:38:44 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2894 DSTIP our.sub.net.6 DSTPRT 139 PROT TCP
Sep 09 09:38:49 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2895 DSTIP our.sub.net.7 DSTPRT 139 PROT TCP
Sep 09 09:38:49 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2892 DSTIP our.sub.net.4 DSTPRT 139 PROT TCP
Sep 09 09:38:54 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2894 DSTIP our.sub.net.6 DSTPRT 139 PROT TCP
Sep 09 09:38:54 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2895 DSTIP our.sub.net.7 DSTPRT 139 PROT TCP
Sep 09 09:38:54 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2896 DSTIP our.sub.net.8 DSTPRT 139 PROT TCP
Sep 09 09:38:59 [ids-host] SRCIP other.subnet.61.30 SRCPRT 2895 DSTIP our.sub.net.7
[... continuing upwards through our.sub.net.254]

Although it seemed like just another NetBIOS scan at first, the curious way the destination IPs incremented caught our eye, especially after the attack(s) continued, at the rate of two or three scans a day. We also noted that the traffic was always sourced from different IPs but also always from the same class B. Furthermore, other.subnet and our.sub above are both in the same class B (other.subnet=our.sub). Within a few days, we also started seeing the scan from the neighboring class B (other.subnet+1). This continued for weeks.

Then, we started seeing the same signature on a different Internet-connected subnet of ours:

Sep 12 19:02:09 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3805 DSTIP our.other.net.1 DSTPRT 139 PROT TCP
Sep 12 19:02:14 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3806 DSTIP our.other.net.2 DSTPRT 139 PROT TCP
Sep 12 19:02:14 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3805 DSTIP our.other.net.1 DSTPRT 139 PROT TCP
Sep 12 19:02:14 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3806 DSTIP our.other.net.2 DSTPRT 139 PROT TCP
Sep 12 19:02:19 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3807 DSTIP our.other.net.3 DSTPRT 139 PROT TCP
Sep 12 19:02:24 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3806 DSTIP our.other.net.2 DSTPRT 139 PROT TCP
Sep 12 19:02:24 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3807 DSTIP our.other.net.3 DSTPRT 139 PROT TCP
Sep 12 19:02:29 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3808 DSTIP our.other.net.4 DSTPRT 139 PROT TCP
Sep 12 19:02:29 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3805 DSTIP our.other.net.1 DSTPRT 139 PROT TCP
Sep 12 19:02:29 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3807 DSTIP our.other.net.3 DSTPRT 139 PROT TCP
Sep 12 19:02:29 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3808 DSTIP our.other.net.4 DSTPRT 139 PROT TCP
Sep 12 19:02:29 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3808 DSTIP our.other.net.5 DSTPRT 139 PROT TCP
Sep 12 19:02:34 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3806 DSTIP our.other.net.2 DSTPRT 139 PROT TCP
Sep 12 19:02:34 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3808 DSTIP our.other.net.4 DSTPRT 139 PROT TCP
Sep 12 19:02:34 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3808 DSTIP our.other.net.5 DSTPRT 139 PROT TCP
Sep 12 19:02:39 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3810 DSTIP our.other.net.6 DSTPRT 139 PROT TCP
Sep 12 19:02:39 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3810 DSTIP our.other.net.5 DSTPRT 139 PROT TCP
Sep 12 19:02:44 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3807 DSTIP our.other.net.3 DSTPRT 139 PROT TCP
Sep 12 19:02:44 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3810 DSTIP our.other.net.6 DSTPRT 139 PROT TCP
Sep 12 19:02:49 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3811 DSTIP our.other.net.7 DSTPRT 139 PROT TCP
Sep 12 19:02:49 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3808 DSTIP our.other.net.4 DSTPRT 139 PROT TCP
Sep 12 19:02:49 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3810 DSTIP our.other.net.6 DSTPRT 139 PROT TCP
Sep 12 19:02:49 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3811 DSTIP our.other.net.7 DSTPRT 139 PROT TCP
Sep 12 19:02:54 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3812 DSTIP our.other.net.8 DSTPRT 139 PROT TCP
Sep 12 19:02:54 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3812 DSTIP our.other.net.5 DSTPRT 139 PROT TCP
Sep 12 19:02:59 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3811 DSTIP our.other.net.7 DSTPRT 139 PROT TCP
Sep 12 19:02:59 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3812 DSTIP our.other.net.8 DSTPRT 139 PROT TCP
Sep 12 19:03:04 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3813 DSTIP our.other.net.9 DSTPRT 139 PROT TCP
Sep 12 19:03:04 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3810 DSTIP our.other.net.6 DSTPRT 139 PROT TCP
Sep 12 19:03:04 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3812 DSTIP our.other.net.8 DSTPRT 139 PROT TCP
Sep 12 19:03:04 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3813 DSTIP our.other.net.9 DSTPRT 139 PROT TCP
Sep 12 19:03:09 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3814 DSTIP our.other.net.10 DSTPRT 139 PROT TCP
Sep 12 19:03:09 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3811 DSTIP our.other.net.7 DSTPRT 139 PROT TCP
Sep 12 19:03:09 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3813 DSTIP our.other.net.9 DSTPRT 139 PROT TCP
Sep 12 19:03:14 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3814 DSTIP our.other.net.10 DSTPRT 139 PROT TCP
Sep 12 19:03:19 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3815 DSTIP our.other.net.11 DSTPRT 139 PROT TCP
Sep 12 19:03:19 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3812 DSTIP our.other.net.8 DSTPRT 139 PROT TCP
Sep 12 19:03:19 [ids-host] SRCIP some.subnet.23.203 SRCPRT 3814 DSTIP our.other.net.10
[... continuing upwards through our.sub.net.254]

Again, some.subnet and our.other turned out to be in neighboring class B allocations (some.subnet = our.other+1).

So.... has anyone else encountered this signature? Nonetheless, does anyone have any inkling whether this is a worm or trojan of some sort that is scanning "nearby" subnets for NT hosts to potentially attack? As concerted as the scans have been, it almost seems unlikely that this is one individual - how many times do you have to scan the same network before you're convinced that nothing will answer?

Thanks!

P.S. The source port to destination IP mapping seems constant, so the increment pattern for destination IPs may be a manifestation of the way the socket code is written for this particular tool in conjunction with the way concurrent connections overlap.
--
Ken Armstrong ken.armstrong3 () sympatico ca
Unix is user friendly - It is just particular about who it chooses to make friends with.
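The signature T. Esting describes above (one source port per destination, destinations contacted in increasing order, repeated lines for the same port/destination pair a few seconds apart, and sources in the same or an adjacent class B as the targets) can be checked mechanically over IDS logs in the same SRCIP/SRCPRT/DSTIP/DSTPRT format. The following is an added example, not code from either poster or from this thread: it parses such lines, groups them by source, and reports which sources match the lockstep-sweep pattern. The three sample sources, the RFC 1918 and RFC 5737 addresses, and the `ids-host` name in the embedded log are constructed for the example; the /16 ("class B") adjacency test and the 5-second retry spacing are taken from the behaviour the post describes.

```python
"""Detect the lockstep tcp/139 sweep signature from the post over IDS log lines.

Added example; sample log below is constructed to mirror the post's log
format (RFC 1918/5737 addresses, hostname 'ids-host' are placeholders).
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2}) \[(?P<host>[^\]]+)\] "
    r"SRCIP (?P<srcip>\S+) SRCPRT (?P<srcprt>\d+) "
    r"DSTIP (?P<dstip>\S+) DSTPRT (?P<dstprt>\d+) PROT (?P<prot>\w+)$"
)

# Constructed sample: two lockstep sweepers (one in the target /16, one in the
# adjacent /16) and one unrelated source hitting random hosts in the same range.
SAMPLE_LOG = """\
Sep 09 09:38:09 [ids-host] SRCIP 10.61.61.30 SRCPRT 2889 DSTIP 10.61.5.1 DSTPRT 139 PROT TCP
Sep 09 09:38:09 [ids-host] SRCIP 10.61.61.30 SRCPRT 2889 DSTIP 10.61.5.1 DSTPRT 139 PROT TCP
Sep 09 09:38:14 [ids-host] SRCIP 10.61.61.30 SRCPRT 2890 DSTIP 10.61.5.2 DSTPRT 139 PROT TCP
Sep 09 09:38:14 [ids-host] SRCIP 10.61.61.30 SRCPRT 2889 DSTIP 10.61.5.1 DSTPRT 139 PROT TCP
Sep 09 09:38:19 [ids-host] SRCIP 10.61.61.30 SRCPRT 2890 DSTIP 10.61.5.2 DSTPRT 139 PROT TCP
Sep 09 09:38:19 [ids-host] SRCIP 10.61.61.30 SRCPRT 2891 DSTIP 10.61.5.3 DSTPRT 139 PROT TCP
Sep 09 09:38:24 [ids-host] SRCIP 10.61.61.30 SRCPRT 2891 DSTIP 10.61.5.3 DSTPRT 139 PROT TCP
Sep 09 09:38:29 [ids-host] SRCIP 10.61.61.30 SRCPRT 2892 DSTIP 10.61.5.4 DSTPRT 139 PROT TCP
Sep 12 19:02:09 [ids-host] SRCIP 10.62.23.203 SRCPRT 3805 DSTIP 10.61.7.1 DSTPRT 139 PROT TCP
Sep 12 19:02:14 [ids-host] SRCIP 10.62.23.203 SRCPRT 3806 DSTIP 10.61.7.2 DSTPRT 139 PROT TCP
Sep 12 19:02:14 [ids-host] SRCIP 10.62.23.203 SRCPRT 3805 DSTIP 10.61.7.1 DSTPRT 139 PROT TCP
Sep 12 19:02:19 [ids-host] SRCIP 10.62.23.203 SRCPRT 3807 DSTIP 10.61.7.3 DSTPRT 139 PROT TCP
Sep 10 11:00:00 [ids-host] SRCIP 192.0.2.9 SRCPRT 40000 DSTIP 10.61.5.200 DSTPRT 139 PROT TCP
Sep 10 11:00:01 [ids-host] SRCIP 192.0.2.9 SRCPRT 40001 DSTIP 10.61.5.17 DSTPRT 139 PROT TCP
Sep 10 11:00:02 [ids-host] SRCIP 192.0.2.9 SRCPRT 40002 DSTIP 10.61.5.90 DSTPRT 139 PROT TCP
"""


def parse(log_text, year=2000):
    """Parse log lines into dicts; syslog-style stamps carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in this format; ignore
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "src": ipaddress.ip_address(m["srcip"]),
                       "sport": int(m["srcprt"]), "dst": ipaddress.ip_address(m["dstip"]),
                       "dport": int(m["dstprt"]), "prot": m["prot"]})
    return events


def same_or_adjacent_16(a, b):
    """True when a and b fall in the same or a numerically adjacent /16 (the post's 'class B')."""
    a16 = int(ipaddress.ip_address(str(a))) >> 16
    b16 = int(ipaddress.ip_address(str(b))) >> 16
    return abs(a16 - b16) <= 1


def summarize_source(events):
    """Evaluate the post's signature for all events from one source (in log order)."""
    port_to_dsts = defaultdict(set)     # source port -> destinations seen with it
    pair_times = defaultdict(list)      # (port, dst) -> timestamps of each attempt
    first_seen = {}                     # dst -> first contact (insertion order kept)
    for e in events:
        port_to_dsts[e["sport"]].add(e["dst"])
        pair_times[(e["sport"], e["dst"])].append(e["ts"])
        first_seen.setdefault(e["dst"], e["ts"])
    # 1. each source port tied to exactly one destination (the P.S. observation)
    port_map_consistent = all(len(d) == 1 for d in port_to_dsts.values())
    # 2. destinations, in order of first contact, strictly increase
    order = list(first_seen)
    sequential = all(int(b) > int(a) for a, b in zip(order, order[1:]))
    # 3. repeated lines for one (port, dst) pair are retries; record their spacing
    gaps = []
    for times in pair_times.values():
        times.sort()
        gaps.extend((t2 - t1).total_seconds() for t1, t2 in zip(times, times[1:]))
    src = events[0]["src"]
    nearby = all(same_or_adjacent_16(src, d) for d in first_seen)
    return {"source": str(src), "lines": len(events), "targets": len(first_seen),
            "port_map_consistent": port_map_consistent, "sequential": sequential,
            "retry_gaps": gaps, "nearby_class_b": nearby}


def is_lockstep_sweep(summary, min_targets=3):
    """All four traits present and enough targets to call it a sweep rather than noise."""
    return (summary["targets"] >= min_targets and summary["port_map_consistent"]
            and summary["sequential"] and summary["nearby_class_b"])


def analyze(log_text, dport=139):
    """Group TCP lines to dport by source and summarize each source."""
    by_src = defaultdict(list)
    for e in parse(log_text):
        if e["dport"] == dport and e["prot"] == "TCP":
            by_src[e["src"]].append(e)
    return {str(src): summarize_source(evs) for src, evs in by_src.items()}


if __name__ == "__main__":
    for src, s in analyze(SAMPLE_LOG).items():
        verdict = "LOCKSTEP SWEEP" if is_lockstep_sweep(s) else "no match"
        print(f"{src:>14}  targets={s['targets']:<3} retry_gaps={s['retry_gaps']}  {verdict}")
```

The 0-second gap that shows up for the first source is the duplicated line that also appears in the post's own log (two identical entries at 09:38:09), so a detector keyed on retry spacing should tolerate it rather than treat it as a second host. Feeding a real IDS export through `analyze()` gives one summary per source; the sources the post is worried about are the ones where `is_lockstep_sweep()` is true and, in the post's case, would all sit in the same or the adjacent /16.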
Current thread:
- new scanner tool or blind luck? T. Esting (Sep 13)
- Re: new scanner tool or blind luck? Thierry (Sep 13)
- Re: new scanner tool or blind luck? Ken Armstrong (Sep 14)
- Re: new scanner tool or blind luck? Thomas Molina (Sep 14)
- Re: new scanner tool or blind luck? Harlan S. Barney, Jr. (Sep 14)
- Re: new scanner tool or blind luck? Josh Brandt (Sep 14)
- Re: new scanner tool or blind luck? George Bakos (Sep 14)
- Re: new scanner tool or blind luck? Randy Mclean (Sep 14)
- Re: new scanner tool or blind luck? George Bakos (Sep 14)
- Re: new scanner tool or blind luck? Randy Mclean (Sep 14)
- Re: new scanner tool or blind luck? Randy Mclean (Sep 14)
- <Possible follow-ups>
- Re: new scanner tool or blind luck? T. Esting (Sep 14)