Security Incidents mailing list archives

RE: Subseven Scans


From: Robert Buckley <rbuckley () synapsemail com>
Date: Tue, 13 Aug 2002 06:44:54 -0400

Here is a snippet from my Shadow IDS report on the matter...
This isn't the first report either. We were probed at least once more, at a
later date.

A Sequentially Distributed RECON probe for SubSeven V 2.1 port 27374 started
on Jul-17-2002 at 15:39:31 hours and ended on Jul-17-2002 at 22:36:34 hours.

The success of the attack was rated under the success rate algorithm as a -3:
(criticality + lethality) - (netcounters + hostcounters)
(3 + 5) - (5 + 5) = -3

The analysis proved that 23 separate hosts were used for the attack, each
host probing our entire external class C for approximately one minute on one
single port (27374/TCP). There was a time lapse between each scan sweep, which
indicated the attack was not used for a distributed denial of service.
It also indicates that it is possible the attack was performed by one
individual controlling many hosts. The TTL values and the window size values
were examined for differences, and indicated that these hosts were not used
as decoys, nor were their addresses spoofed.

A recon probe against the attacking hosts that were up indicated that they
are all Windows hosts, all with port 139 open to the public. Some hosts did
show signs of being compromised and had viruses present. It was determined
that all attacking hosts are unknowingly being used to attack other systems.
No IP registry trace was done on the attacking hosts for that reason.

No hosts from our range responded to the attack.

Below is the base information on the hosts used during the attack.

218.233.3.203   (15:39:31 - 15:40:26) TTL = 110, Win = 8192
66.24.202.248   (15:41:49 - 15:42:49) TTL = 46, Win = 4000
211.228.10.15   (15:41:49 - 15:42:41) TTL = 112, Win = 16384
24.71.34.22     (16:35:50 - 16:36:46) TTL = 112, Win = 8192
211.236.200.147 (16:41:30 - 16:42:22) TTL = 111, Win = 16384
216.236.40.220  (16:47:30 - 16:47:52) TTL = 118, Win = 8192
142.179.234.35  (17:13:23 - 17:13:57) TTL = 112, Win = 8192
218.154.176.67  (17:29:55 - 17:30:40) TTL = 112, Win = 16384
61.84.235.145   (17:57:36 - 17:58:17) TTL = 112, Win = 8192
217.128.15.218  (18:50:30 - 18:51:31) TTL = 115, Win = 32768
211.207.25.102  (18:55:48 - 18:56:39) TTL = 112, Win = 8192
151.30.194.39   (20:08:26 - 20:09:17) TTL = 113, Win = 32768
24.112.88.252   (20:17:15 - 20:17:49) TTL = 111, Win = 8192
65.29.80.22     (20:41:11 - 20:41:46) TTL = 112, Win = 8192
213.225.61.124  (20:56:42 - 20:57:26) TTL = 113, Win = 16384
61.79.94.143    (21:13:42 - 21:14:32) TTL = 112, Win = 8192
62.64.233.250   (21:17:02 - 21:17:53) TTL = 111, Win = 8192
206.30.150.213  (21:35:39 - 21:36:23) TTL = 109, Win = 8760
209.245.195.93  (21:36:08 - 21:36:54) TTL = 114, Win = 8760
211.200.87.28   (21:36:30 - 21:37:14) TTL = 112, Win = 16384
211.221.103.44  (22:12:23 - 22:13:11) TTL = 111, Win = 16384
213.23.55.246   (22:31:25 - 22:32:25) TTL = 113, Win = 8192
211.211.85.143  (22:35:57 - 22:36:34) TTL = 112, Win = 8192


-----Original Message-----
From: Baribault, Gary [mailto:gary () baribault net]
Sent: Monday, August 12, 2002 3:13 PM
To: grdnwsl; Rob Keown
Cc: incidents () securityfocus com
Subject: Re: Subseven Scans


Hum .. I just found a bunch of 27374 on one of my SDSL links, with a few of
the 12345 scans. This link's firewall is always way more active. My second
is an ADSL and it's usually quieter; this one has no 12345 but a few 27374.

Gary B

At 11:08 AM 8/12/2002 -0500, Preston Kutzner wrote:
Hello Rob,

Sunday, August 11, 2002, 8:42:50 AM, you wrote:

RK> Anyone else seeing a huge increase in subseven scans...6708 since about
RK> 0300Z - across all of my class C's and from quite a few sources (running the
RK> query now to see how many).
RK> 
RK> Rob


RK> ----------------------------------------------------------------------------
RK> This list is provided by the SecurityFocus ARIS analyzer service.
RK> For more information on this free incident handling, management
RK> and tracking system please see: http://aris.securityfocus.com

I've seen quite a bit of traffic on ports tcp/12345 and tcp/27374.
According to what I've seen, 27374 is a port used by quite a few
versions of SubSeven, as for 12345, it's not mentioned that subseven
runs on that port (that I've seen), but I am seeing attempted
connections to these ports at the same time (maybe some other vuln
attempt I'm not aware of?  anyone?).  Hope that helps.

--
Preston Kutzner | IT Manager
Marketing Resources, Inc.

_________________________________________________________________
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited.   If you received
this in error, please contact the sender and delete the material from any
computer.






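As an added example (not part of the original posting, and not code from the Shadow IDS product), the following Python re-derives the kind of observations the Shadow report above draws from its host table. It parses an excerpt of that table, infers each source's likely initial TTL and hop count, gives a coarse stack hint, flags sweeps whose time windows overlap (concurrent rather than strictly sequential), reports the mean sweep length, and evaluates the severity formula the report quotes. The set of candidate initial TTLs, the TTL-to-OS mapping and all function names are my assumptions, not something the report states; with the inputs the report lists, the formula as written evaluates to (3 + 5) - (5 + 5) = -2.

```python
import re
from datetime import datetime

# Excerpt of the host table from the Shadow report above (the full table
# has 23 rows); the last row's end time is the probe end the report states.
REPORT_EXCERPT = """\
218.233.3.203 (15:39:31 - 15:40:26) TTL = 110, Win = 8192
66.24.202.248 (15:41:49 - 15:42:49) TTL = 46, Win = 4000
211.228.10.15 (15:41:49 - 15:42:41) TTL = 112, Win = 16384
24.71.34.22   (16:35:50 - 16:36:46) TTL = 112, Win = 8192
206.30.150.213 (21:35:39 - 21:36:23) TTL = 109, Win = 8760
209.245.195.93 (21:36:08 - 21:36:54) TTL = 114, Win = 8760
211.200.87.28 (21:36:30 - 21:37:14) TTL = 112, Win = 16384
211.211.85.143 (22:35:57 - 22:36:34) TTL = 112, Win = 8192
"""

# Row format used by the report: "ip (hh:mm:ss - hh:mm:ss) TTL = n, Win = n".
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*"
    r"\((?P<start>\d\d:\d\d:\d\d)\s*-\s*(?P<end>\d\d:\d\d:\d\d)\)\s*"
    r"TTL\s*=\s*(?P<ttl>\d+),\s*Win\s*=\s*(?P<win>\d+)\s*$"
)

# Assumption: common initial TTLs; the smallest one not below the observed
# value is taken as the starting TTL (i.e. fewer than 32 hops on the path).
INITIAL_TTLS = (32, 64, 128, 255)


def parse_rows(text):
    """Parse report rows into dicts with datetime start/end and int TTL/Win."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError("unparsable row: %r" % line)
        rows.append({
            "ip": m["ip"],
            "start": datetime.strptime(m["start"], "%H:%M:%S"),
            "end": datetime.strptime(m["end"], "%H:%M:%S"),
            "ttl": int(m["ttl"]),
            "win": int(m["win"]),
        })
    return rows


def initial_ttl(observed):
    """Likely initial TTL for an observed value (heuristic, see INITIAL_TTLS)."""
    for init in INITIAL_TTLS:
        if observed <= init:
            return init
    return 255


def hop_count(observed):
    """Hops the packet travelled, given the inferred initial TTL."""
    return initial_ttl(observed) - observed


def os_hint(observed_ttl):
    """Coarse stack hint from initial TTL (assumed mapping, not from the report)."""
    return {64: "unix-like", 128: "windows-like"}.get(initial_ttl(observed_ttl), "unknown")


def overlapping_sweeps(rows):
    """Pairs of sources whose sweep windows overlap, i.e. ran concurrently."""
    pairs = []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            if a["start"] <= b["end"] and b["start"] <= a["end"]:
                pairs.append((a["ip"], b["ip"]))
    return pairs


def mean_sweep_seconds(rows):
    """Average time each source spent sweeping the /24."""
    return sum((r["end"] - r["start"]).total_seconds() for r in rows) / len(rows)


def severity(criticality, lethality, net_countermeasures, host_countermeasures):
    """The (criticality + lethality) - (netcounters + hostcounters) score."""
    return (criticality + lethality) - (net_countermeasures + host_countermeasures)


if __name__ == "__main__":
    rows = parse_rows(REPORT_EXCERPT)
    for r in rows:
        print(f'{r["ip"]:16} ttl={r["ttl"]:3} init={initial_ttl(r["ttl"])} '
              f'hops={hop_count(r["ttl"]):2} win={r["win"]:5} {os_hint(r["ttl"])}')
    print("mean sweep length: %.1f s" % mean_sweep_seconds(rows))
    print("concurrent sweeps:", overlapping_sweeps(rows))
    print("severity:", severity(3, 5, 5, 5))
```

Run as a script it prints one line per source plus the summary values; the overlap check is the one worth keeping for real triage, since two sources sweeping the same /24 at the same second is a different picture from one controller walking a list of hosts in turn.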