Security Incidents mailing list archives

RE: Strange connection attempts


From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Tue, 8 Jan 2002 08:35:48 -0500

Andrea,

After a cursory overview, my first guess would be that someone is using a
tool like nmap to poke around for a hole on port 36 using multiple "decoy"
IP addresses (the "-D" option).  

The packets are too infrequent to argue for a DDoS.  However, we'll notice
that the source port is always port 137, which would also make me suspect a
coordinated probe from bots.  I would think nmap from a single machine would
generate packets with at least somewhat varying source ports.

From http://www.iana.org/assignments/port-numbers:
#                36/tcp    Unassigned
#                36/udp    Unassigned
time             37/tcp    Time
time             37/udp    Time
#                40/tcp    Unassigned
#                40/udp    Unassigned
... no standard uses for 36 (most frequently scanned) and 40.  I wonder if
this d00d is looking for more bots configured to listen on one of those 3
ports.  An (admittedly brief) google search doesn't show much for these
ports.  Anyone have more info on these (that may know more about bots than
I)?

You may want to do a ping sweep and nslookup on the source IPs to see if
they're legit.  Some things to think about: Is the host alive?  Does its
reverse DNS resolve to some sort of modem pool (to indicate a home user)?
Another thing you may want to do, if you find that one (or more) of the
source IPs are legit and alive (and I know this flirts with the grey area
of the law): do a portscan to see if any of the people who scanned YOU are
listening on those three ports (keep in mind TCP/37 is UTP and may be a
genuine service).

One thing I can't explain is why you're getting hit so many times at your
router (one IP) for these ports.  It's not like by knocking harder the hax0r
is going to convince you to open up the firewall door... perhaps repeated
sweeps of the subnet that my.border.router.ip resides in?

Just some thoughts... please feel free to correct me if I'm totally off-base
with anything (I'm sure I blew the call somewhere in here :-) ).

Mike Cloppert 
Systems Analyst 
Fifth Third Bank 
513 534 0898 
michael.cloppert () 53 com 

-----Original Message-----
From: Andrea Efstathiou [mailto:aefstathiou () aeropia com]
Sent: Monday, January 07, 2002 11:49 AM
To: incidents () securityfocus com
Subject: Strange connection attempts


Hi All,

I was wondering if anyone else was seeing, or has seen, attempts like this
before and/or could tell me what might be causing them.

Jan  2 13:42:13 my.domain.com41479: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.106.18.248(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:44:53 my.domain.com41482: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.58.230.212(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:45:08 my.domain.com41484: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.116.251.123(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:46:47 my.domain.com41485: %SEC-6-IPACCESSLOGP: list inbound denied udp 195.176.180.174(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:46:58 my.domain.com41487: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.37.60.15(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:47:58 my.domain.com41502: %SEC-6-IPACCESSLOGP: list inbound denied udp 141.217.10.169(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:48:56 my.domain.com41504: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.103.119.138(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:50:08 my.domain.com41506: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.56.168.38(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:51:52 my.domain.com41509: %SEC-6-IPACCESSLOGP: list inbound denied udp 216.191.217.66(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:52:14 my.domain.com41510: %SEC-6-IPACCESSLOGP: list inbound denied udp 204.210.232.253(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:56:01 my.domain.com41516: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:56:39 my.domain.com41517: %SEC-6-IPACCESSLOGP: list inbound denied udp 209.107.57.252(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:56:56 my.domain.com41518: %SEC-6-IPACCESSLOGP: list inbound denied udp 216.191.217.66(137) -> my.border.router.ip(36), 2 packets
Jan  2 13:57:56 my.domain.com41519: %SEC-6-IPACCESSLOGP: list inbound denied udp 204.210.232.253(137) -> my.border.router.ip(36), 2 packets
Jan  2 14:00:58 my.domain.com41527: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.65.246.247(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:01:27 my.domain.com41528: %SEC-6-IPACCESSLOGP: list inbound denied udp 212.131.230.179(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:01:57 my.domain.com41529: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:05:38 my.domain.com41534: %SEC-6-IPACCESSLOGP: list inbound denied udp 207.173.208.254(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:06:00 my.domain.com41536: %SEC-6-IPACCESSLOGP: list inbound denied udp 202.8.234.234(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:06:57 my.domain.com41539: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.65.246.247(137) -> my.border.router.ip(36), 2 packets
Jan  2 14:07:39 my.domain.com41540: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.37.60.15(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:09:25 my.domain.com41544: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:13:53 my.domain.com41559: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:17:19 my.domain.com41565: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.168.212.107(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:19:50 my.domain.com41568: %SEC-6-IPACCESSLOGP: list inbound denied udp 207.40.241.184(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:20:59 my.domain.com41569: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.81.200.98(137) -> my.border.router.ip(36), 2 packets
Jan  2 14:22:59 my.domain.com41573: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.168.212.107(137) -> my.border.router.ip(36), 2 packets
Jan  2 14:23:59 my.domain.com41576: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 3 packets
Jan  2 14:24:29 my.domain.com41578: %SEC-6-IPACCESSLOGP: list inbound denied udp 158.194.80.59(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:24:59 my.domain.com41579: %SEC-6-IPACCESSLOGP: list inbound denied udp 207.40.241.184(137) -> my.border.router.ip(36), 2 packets
Jan  2 14:25:59 my.domain.com41581: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.95.243.199(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:27:28 my.domain.com41585: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.204.206.98(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:27:48 my.domain.com41586: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.197.234.119(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:30:00 my.domain.com41589: %SEC-6-IPACCESSLOGP: list inbound denied udp 158.194.80.59(137) -> my.border.router.ip(36), 2 packets
Jan  2 14:30:54 my.domain.com41592: %SEC-6-IPACCESSLOGP: list inbound denied udp 216.191.217.66(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:32:02 my.domain.com41596: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.159.100.37(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:33:00 my.domain.com41599: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.197.234.119(137) -> my.border.router.ip(36), 2 packets
Jan  2 14:34:38 my.domain.com41600: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.221.145.131(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:36:00 my.domain.com41602: %SEC-6-IPACCESSLOGP: list inbound denied udp 144.92.175.159(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:40:01 my.domain.com41610: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.221.145.131(137) -> my.border.router.ip(36), 2 packets
Jan  2 14:40:56 my.domain.com41612: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.65.246.247(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:41:02 my.domain.com41614: %SEC-6-IPACCESSLOGP: list inbound denied udp 128.163.94.92(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:41:35 my.domain.com41615: %SEC-6-IPACCESSLOGP: list inbound denied udp 168.131.57.87(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:41:53 my.domain.com41616: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.83.39.140(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:42:23 my.domain.com41618: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.149.128.36(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:44:21 my.domain.com41623: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.45.107.130(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:46:01 my.domain.com41627: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.65.246.247(137) -> my.border.router.ip(36), 2 packets
Jan  2 14:47:01 my.domain.com41629: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.83.39.140(137) -> my.border.router.ip(36), 2 packets
Jan  2 14:50:11 my.domain.com41632: %SEC-6-IPACCESSLOGP: list inbound denied udp 142.103.165.51(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:51:03 my.domain.com41637: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.20.105.233(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:51:40 my.domain.com41638: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.33.170.194(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:54:02 my.domain.com41642: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.149.128.36(137) -> my.border.router.ip(36), 2 packets
Jan  2 14:54:57 my.domain.com41644: %SEC-6-IPACCESSLOGP: list inbound denied udp 211.171.214.131(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:55:18 my.domain.com41646: %SEC-6-IPACCESSLOGP: list inbound denied udp 212.125.225.165(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:55:47 my.domain.com41647: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.198.44.4(137) -> my.border.router.ip(36), 1 packet
Jan  2 14:57:03 my.domain.com41652: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.20.105.233(137) -> my.border.router.ip(36), 2 packets
Jan  2 14:58:56 my.domain.com41654: %SEC-6-IPACCESSLOGP: list inbound denied udp 202.180.172.8(137) -> my.border.router.ip(36), 1 packet
Jan  2 15:00:03 my.domain.com41659: %SEC-6-IPACCESSLOGP: list inbound denied udp 211.171.214.131(137) -> my.border.router.ip(36), 2 packets
Jan  2 15:01:48 my.domain.com41663: %SEC-6-IPACCESSLOGP: list inbound denied udp 211.219.43.175(137) -> my.border.router.ip(36), 1 packet
Jan  2 15:04:03 my.domain.com41667: %SEC-6-IPACCESSLOGP: list inbound denied udp 202.180.172.8(137) -> my.border.router.ip(36), 2 packets
Jan  2 15:07:04 my.domain.com41672: %SEC-6-IPACCESSLOGP: list inbound denied udp 211.219.43.175(137) -> my.border.router.ip(36), 2 packets

Jan  3 09:04:37 my.domain.com41870: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.196.28.67(137) -> my.border.router.ip(37), 1 packet
Jan  3 09:05:48 my.domain.com41871: %SEC-6-IPACCESSLOGP: list inbound denied udp 209.91.178.156(137) -> my.border.router.ip(37), 1 packet
Jan  3 09:07:04 my.domain.com41873: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.207.157.172(137) -> my.border.router.ip(37), 1 packet
Jan  3 09:09:43 my.domain.com41875: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.212.205.68(137) -> my.border.router.ip(37), 1 packet
Jan  3 09:10:11 my.domain.com41876: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.63.88.86(137) -> my.border.router.ip(37), 1 packet
Jan  3 09:10:28 my.domain.com41877: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.196.28.67(137) -> my.border.router.ip(37), 2 packets
Jan  3 09:10:45 my.domain.com41878: %SEC-6-IPACCESSLOGP: list inbound denied udp 144.92.175.27(137) -> my.border.router.ip(37), 1 packet
Jan  3 09:12:04 my.domain.com41880: %SEC-6-IPACCESSLOGP: list inbound denied udp 156.3.31.177(137) -> my.border.router.ip(37), 1 packet
Jan  3 09:12:13 my.domain.com41881: %SEC-6-IPACCESSLOGP: list inbound denied udp 4.3.205.254(137) -> my.border.router.ip(37), 1 packet
Jan  3 09:12:29 my.domain.com41882: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.207.157.172(137) -> my.border.router.ip(37), 2 packets
Jan  3 09:12:33 my.domain.com41883: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.107.131.247(137) -> my.border.router.ip(37), 1 packet
Jan  3 09:15:29 my.domain.com41885: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.63.88.86(137) -> my.border.router.ip(37), 2 packets
Jan  3 09:16:29 my.domain.com41886: %SEC-6-IPACCESSLOGP: list inbound denied udp 144.92.175.27(137) -> my.border.router.ip(37), 2 packets
Jan  3 09:17:29 my.domain.com41887: %SEC-6-IPACCESSLOGP: list inbound denied udp 156.3.31.177(137) -> my.border.router.ip(37), 2 packets
Jan  3 09:18:29 my.domain.com41888: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.107.131.247(137) -> my.border.router.ip(37), 2 packets

Jan  4 17:42:43 my.domain.com42179: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.63.124.173(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:43:33 my.domain.com42181: %SEC-6-IPACCESSLOGP: list inbound denied udp 206.142.24.160(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:44:12 my.domain.com42183: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.198.243.40(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:44:33 my.domain.com42184: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.89.162.78(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:44:44 my.domain.com42185: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.116.246.179(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:45:51 my.domain.com42187: %SEC-6-IPACCESSLOGP: list inbound denied udp 209.251.16.2(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:46:45 my.domain.com42188: %SEC-6-IPACCESSLOGP: list inbound denied udp 206.69.196.90(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:47:04 my.domain.com42189: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.142.203.158(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:47:33 my.domain.com42190: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.169.232.55(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:49:51 my.domain.com42193: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.198.243.40(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:50:51 my.domain.com42194: %SEC-6-IPACCESSLOGP: list inbound denied udp 209.251.16.2(137) -> my.border.router.ip(40), 2 packets
Jan  4 17:51:21 my.domain.com42195: %SEC-6-IPACCESSLOGP: list inbound denied udp 134.102.68.26(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:52:30 my.domain.com42196: %SEC-6-IPACCESSLOGP: list inbound denied udp 130.184.111.212(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:52:51 my.domain.com42197: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.89.162.78(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:53:22 my.domain.com42198: %SEC-6-IPACCESSLOGP: list inbound denied udp 137.204.133.109(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:54:51 my.domain.com42200: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.116.246.179(137) -> my.border.router.ip(40), 3 packets
Jan  4 17:56:24 my.domain.com42201: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.169.149.134(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:56:28 my.domain.com42202: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.116.86.119(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:56:52 my.domain.com42204: %SEC-6-IPACCESSLOGP: list inbound denied udp 134.102.68.26(137) -> my.border.router.ip(40), 2 packets
Jan  4 17:57:52 my.domain.com42205: %SEC-6-IPACCESSLOGP: list inbound denied udp 130.184.111.212(137) -> my.border.router.ip(40), 2 packets
Jan  4 17:58:52 my.domain.com42206: %SEC-6-IPACCESSLOGP: list inbound denied udp 137.204.133.109(137) -> my.border.router.ip(40), 2 packets
Jan  4 18:01:52 my.domain.com42209: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.169.149.134(137) -> my.border.router.ip(40), 1 packet

Regards,

Andrea Efstathiou
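Added example (my own, not code from either poster): a Python script that applies the checks Mike suggests to the log above rather than eyeballing it. It parses the %SEC-6-IPACCESSLOGP lines, groups them by destination port and reports the distinct sources, the set of source ports seen (always 137 here), the median gap between hits and which sources come back (the "2 packets" entries), then runs his reverse-DNS question as a string test over PTR names. Assumptions: the year 2002 comes from the thread dates; the token list used to spot access-pool hostnames is my own heuristic; the FAKE_PTR names used for the offline run are made up and are not real records. Call triage_sources() with its default resolver to do live gethostbyaddr lookups instead.

```python
"""Triage helper for the Cisco IOS ACL deny lines quoted in this thread (added
example, not code from either poster).  It computes what Mike reads off the log by
eye: distinct sources per port, whether the source port ever varies, the gaps
between hits, which sources come back, and his "does the PTR look like a modem
pool" check as a string test."""
import re
import socket
from collections import defaultdict
from datetime import datetime
from statistics import median

# One %SEC-6-IPACCESSLOGP line as printed in the post (sequence number fused to the
# hostname, "my.border.router.ip" standing in for the real address).
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+:\s+"
    r"%SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+denied\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+(?P<dst>[^\s(]+)\((?P<dport>\d+)\),\s+"
    r"(?P<count>\d+)\s+packets?$")

# Sample input: nine entries copied from Andrea's post, re-joined onto one line each
# (her mail client had wrapped them).  The year is assumed from the thread date.
SAMPLE_LOG = """\
Jan  2 13:42:13 my.domain.com41479: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.106.18.248(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:44:53 my.domain.com41482: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.58.230.212(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:51:52 my.domain.com41509: %SEC-6-IPACCESSLOGP: list inbound denied udp 216.191.217.66(137) -> my.border.router.ip(36), 1 packet
Jan  2 13:56:56 my.domain.com41518: %SEC-6-IPACCESSLOGP: list inbound denied udp 216.191.217.66(137) -> my.border.router.ip(36), 2 packets
Jan  2 14:30:54 my.domain.com41592: %SEC-6-IPACCESSLOGP: list inbound denied udp 216.191.217.66(137) -> my.border.router.ip(36), 1 packet
Jan  3 09:04:37 my.domain.com41870: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.196.28.67(137) -> my.border.router.ip(37), 1 packet
Jan  3 09:10:28 my.domain.com41877: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.196.28.67(137) -> my.border.router.ip(37), 2 packets
Jan  4 17:42:43 my.domain.com42179: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.63.124.173(137) -> my.border.router.ip(40), 1 packet
Jan  4 17:43:33 my.domain.com42181: %SEC-6-IPACCESSLOGP: list inbound denied udp 206.142.24.160(137) -> my.border.router.ip(40), 1 packet
"""

# Tokens that commonly appear in PTR names of dial-up, DSL and cable address pools.
ACCESS_POOL_HINTS = ("dsl", "dial", "ppp", "pool", "cable", "dhcp", "dyn", "modem", "cpe")
# Made-up PTR answers so the stand-alone run stays offline; these are NOT real records.
FAKE_PTR = {"62.106.18.248": "adsl-line.example.net", "24.196.28.67": "cpe-host.example.com"}


def parse_acl_log(text, year=2002):
    """Parse matching lines into dicts; anything that is not an ACL deny is skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "proto": m["proto"], "src": m["src"],
                       "sport": int(m["sport"]), "dport": int(m["dport"]),
                       "count": int(m["count"])})
    return events


def _gaps(evs):  # seconds between consecutive time-sorted events
    return [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]


def summarize(events):
    """Per destination port: packet total, distinct sources, source-port set, median
    inter-arrival gap and, for sources logged more than once, their retry gaps."""
    by_port = defaultdict(list)
    for e in events:
        by_port[e["dport"]].append(e)
    report = {}
    for dport, evs in by_port.items():
        evs.sort(key=lambda e: e["ts"])
        per_src = defaultdict(list)
        for e in evs:
            per_src[e["src"]].append(e)
        gaps = _gaps(evs)
        report[dport] = {
            "packets": sum(e["count"] for e in evs),
            "distinct_sources": len(per_src),
            "source_ports": sorted({e["sport"] for e in evs}),
            "median_gap_s": median(gaps) if gaps else None,
            "repeat_sources": {s: _gaps(l) for s, l in per_src.items() if len(l) > 1}}
    return report


def looks_like_access_pool(ptr_name):
    """Heuristic only: a hint token suggests an ISP access pool; no PTR, or one
    without a hint, proves nothing either way."""
    return bool(ptr_name) and any(h in ptr_name.lower() for h in ACCESS_POOL_HINTS)


def triage_sources(events, resolver=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Per source IP: packets, destination ports touched, PTR name and pool verdict.
    The default resolver does a live lookup; pass a dict's .get to stay offline."""
    out = {}
    for e in events:
        s = out.setdefault(e["src"], {"hits": 0, "dports": set()})
        s["hits"] += e["count"]
        s["dports"].add(e["dport"])
    for ip, s in out.items():
        try:
            s["ptr"] = resolver(ip)
        except OSError:  # no PTR record, or the resolver itself failed
            s["ptr"] = None
        s["access_pool"] = looks_like_access_pool(s["ptr"])
    return out


if __name__ == "__main__":
    evs = parse_acl_log(SAMPLE_LOG)
    for dport, r in sorted(summarize(evs).items()):
        print(f"udp/{dport}: {r}")
    for ip, s in triage_sources(evs, resolver=FAKE_PTR.get).items():
        print(f"{ip:16} hits={s['hits']} dports={sorted(s['dports'])} "
              f"ptr={s['ptr']} pool={s['access_pool']}")
```

Run it as-is for the nine sample lines, or feed the whole log through parse_acl_log() to get the same picture for all three ports. The two features it surfaces are the ones Mike weighs against each other: a single source port across dozens of sources, and per-source retries spaced minutes apart. It reports them and draws no conclusion about what is behind them.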


--------------------------------------------------------------
--------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

