Subject: large scale distributed scan from Israel
From: Russell Fulton (r.fulton@AUCKLAND.AC.NZ)
Date: Mon Jul 31 2000 - 21:09:51 CDT
- Next message: Pierre Vandevenne: "Scans... (was Re: 3 Solaris reboot in 3 days)"
- Previous message: Mike McPherson: "Re: Can someone please explain..."
- Next in thread: mixter@2XS.CO.IL: "Re: large scale distributed scan from Israel"
- Reply: mixter@2XS.CO.IL: "Re: large scale distributed scan from Israel"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
This is a slightly edited (and truncated -- I've deleted most
of the logs) report I have just sent off to AusCERT about this incident.
AusCERT are trying to contact people in Israel...
Summary of my analysis to date:
Duration: 24th Jul 2000 at 19:11 (UTC) to present.
Frequency: 50 - 100 probes an hour from several different IP
addresses.
The two addresses in 62.0.55/16 seem to be active intermittently over at
least 4 days -- my slow scan detector picked this up. The other source
addresses are active for quite short periods. Either these people have
*a lot* (hundreds) of systems at their disposal or possibly they have
compromised one system which can 'see' traffic for a large chunk of
Israel's IP traffic and they are scanning using IP addresses that they
know are not active and snooping the responses.
Either scenario is cause for concern.
Typically each source IP seems to be 'active' for about half an hour
and probes a dozen or so addresses in our /16 network (130.216) with
the same last octet.
e.g. pulling 212.179.30.13 from the log we get:
31 Jul 00 15:52:10 s tcp 212.179.30.13.23226 -> 130.216.4.18.110 5 0 0 0 s
31 Jul 00 15:54:47 tcp 212.179.30.13.20184 <| 130.216.196.18.143 1 1 0 0 sR
31 Jul 00 15:58:28 s tcp 212.179.30.13.20600 -> 130.216.20.18.143 5 0 0 0 s
31 Jul 00 15:59:37 s tcp 212.179.30.13.20728 -> 130.216.148.18.110 5 0 0 0 s
31 Jul 00 16:01:36 s tcp 212.179.30.13.20950 -> 130.216.52.18.110 5 0 0 0 s
31 Jul 00 16:02:57 s tcp 212.179.30.13.21101 -> 130.216.116.18.110 5 0 0 0 s
31 Jul 00 16:04:09 s tcp 212.179.30.13.21234 -> 130.216.12.18.143 5 0 0 0 s
31 Jul 00 16:09:52 s tcp 212.179.30.13.21864 -> 130.216.28.18.143 5 0 0 0 s
31 Jul 00 16:12:24 s tcp 212.179.30.13.22140 -> 130.216.60.18.143 5 0 0 0 s
31 Jul 00 16:13:48 s tcp 212.179.30.13.22294 -> 130.216.124.18.143 5 0 0 0 s
31 Jul 00 16:19:33 tcp 212.179.30.13.22917 <| 130.216.162.18.143 1 1 0 0 sR
31 Jul 00 16:18:30 s tcp 212.179.30.13.22804 -> 130.216.34.18.143 2 0 0 0 s
There seem to be two scans running probing different third octets.
Cheers, Russell.
Russell Fulton, The University of Auckland, New Zealand
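The pattern Russell describes (one source touching a dozen hosts spread across different third octets of the /16, all with the same last octet, on ports 110 and 143) is easy to pull out of flow-style records once they are grouped per source address. The script below is an added example written for this archive page; it is not Russell's slow scan detector and not part of the original post. It assumes the field layout seen in the quoted lines (date, time, an optional status letter, protocol, src.port, direction, dst.port, four counters, flags), parses the twelve records from the post as sample input, and flags any source whose probes land on many distinct hosts in different subnets that all share one last octet. The threshold `min_hosts` and the output field names are choices made here, not values from the post.

```python
"""Group probe records by source address and flag 'same last octet' sweeps.

Added example (not from the original post). Parses flow records in the layout
quoted in the message above and reports, per source IP, how many distinct
hosts were touched, which destination ports were probed, and how long the
source stayed active.
"""
import re
from collections import defaultdict
from datetime import datetime

# The twelve records quoted in the post, reused here as sample input.
SAMPLE_LOG = """\
31 Jul 00 15:52:10 s tcp 212.179.30.13.23226 -> 130.216.4.18.110 5 0 0 0 s
31 Jul 00 15:54:47 tcp 212.179.30.13.20184 <| 130.216.196.18.143 1 1 0 0 sR
31 Jul 00 15:58:28 s tcp 212.179.30.13.20600 -> 130.216.20.18.143 5 0 0 0 s
31 Jul 00 15:59:37 s tcp 212.179.30.13.20728 -> 130.216.148.18.110 5 0 0 0 s
31 Jul 00 16:01:36 s tcp 212.179.30.13.20950 -> 130.216.52.18.110 5 0 0 0 s
31 Jul 00 16:02:57 s tcp 212.179.30.13.21101 -> 130.216.116.18.110 5 0 0 0 s
31 Jul 00 16:04:09 s tcp 212.179.30.13.21234 -> 130.216.12.18.143 5 0 0 0 s
31 Jul 00 16:09:52 s tcp 212.179.30.13.21864 -> 130.216.28.18.143 5 0 0 0 s
31 Jul 00 16:12:24 s tcp 212.179.30.13.22140 -> 130.216.60.18.143 5 0 0 0 s
31 Jul 00 16:13:48 s tcp 212.179.30.13.22294 -> 130.216.124.18.143 5 0 0 0 s
31 Jul 00 16:19:33 tcp 212.179.30.13.22917 <| 130.216.162.18.143 1 1 0 0 sR
31 Jul 00 16:18:30 s tcp 212.179.30.13.22804 -> 130.216.34.18.143 2 0 0 0 s
"""

# Field layout is assumed from the quoted lines; the status letter before the
# protocol is missing on some records, so it is optional.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<status>\S)\s+)?"
    r"(?P<proto>[a-z]+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+"
    r"(?P<dir>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s+"
    r"(?P<c1>\d+)\s+(?P<c2>\d+)\s+(?P<c3>\d+)\s+(?P<c4>\d+)\s+"
    r"(?P<flags>\S+)\s*$"
)


def parse_line(line):
    """Return one record as a dict, or None if the line is not in the expected layout."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "time": datetime.strptime(d["ts"], "%d %b %y %H:%M:%S"),
        "status": d["status"],
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dir": d["dir"],
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
    }


def summarize(lines):
    """Aggregate records per source IP: hosts touched, octet spread, ports, active window."""
    per_src = defaultdict(lambda: {"hosts": set(), "last_octets": set(),
                                   "third_octets": set(), "ports": set(),
                                   "first": None, "last": None, "records": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        octets = rec["dst"].split(".")
        s["hosts"].add(rec["dst"])
        s["third_octets"].add(int(octets[2]))
        s["last_octets"].add(int(octets[3]))
        s["ports"].add(rec["dport"])
        s["records"] += 1
        # Records can be logged out of order (see the last two sample lines),
        # so track min/max timestamps rather than first/last seen.
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])
    summary = {}
    for src, s in per_src.items():
        summary[src] = {
            "hosts": len(s["hosts"]),
            "third_octets": len(s["third_octets"]),
            "last_octets": s["last_octets"],
            "ports": s["ports"],
            "records": s["records"],
            "window_s": int((s["last"] - s["first"]).total_seconds()),
        }
    return summary


def detect_same_octet_sweeps(summary, min_hosts=8):
    """Flag sources that hit many hosts in different subnets that all share one last octet."""
    hits = []
    for src, s in summary.items():
        if (s["hosts"] >= min_hosts and len(s["last_octets"]) == 1
                and s["third_octets"] >= min_hosts):
            hits.append({"src": src, "last_octet": next(iter(s["last_octets"])),
                         "hosts": s["hosts"], "ports": sorted(s["ports"]),
                         "window_s": s["window_s"]})
    return hits


if __name__ == "__main__":
    for hit in detect_same_octet_sweeps(summarize(SAMPLE_LOG.splitlines())):
        print(hit)
```

Run against the quoted records it reports a single source, 212.179.30.13, touching 12 hosts in 12 different third octets with last octet 18, on ports 110 and 143, over a window of 1643 seconds (about 27 minutes), which matches the "half an hour, a dozen or so addresses with the same last octet" description in the post. Fed several days of records, the same aggregation also surfaces the slower, intermittent sources, since the window is computed from the earliest and latest timestamps rather than from consecutive hits.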