From: Martin H Hoz-Salvador (mhozCITI.COM.MX)
Date: Thu Jan 04 2001 - 18:13:57 CST
-----BEGIN PGP SIGNED MESSAGE-----
This is a follow-up to my post dated December 19th 2000, I have some
This is a bit later than my first post, but I wanted to do some research
before releasing any results. :-) Here we go:
a) As Russell Fulton said in a reply, most of the origin IPs came from Korea;
other sources were Brazil, USA, Canada, among others.
b) As Russell Fulton pointed out too, most of the net scans started at "11",
instead of "1". A strange thing is that some scans started at "96" and
ended at "111".
c) The delay between packets was 5 seconds. Sometimes the delay was 6 seconds, but
I think this was due to network congestion, and not a pattern in the scans.
d) Almost all scans took 20 minutes (average) to scan a class C net
(remember, from 11 to 254 in this case).
e) From my logs, it seems like the scans started at Dec/14/2000 22:52:27 CST,
ending Dec/27/2000 09:54:03 CST (note the ":52:27" and ":54:03" relation. I'm
wondering whether this hour is significant for some country like Korea, or if
this could mean an automated scan). ;-)
f) Around 420 unique IP numbers were originating scans. I tried to
identify some "double" scans originating from the same IP, without success.
g) Jose Nazario pointed out the possible relationship between this scan and
some sort of underground audit project. I browsed the web and found
this URL: http://www.nwo.net/iap/ This is related (almost the same
info :-P) to the URL he gave us. But this page doesn't say anything about
NetBus scans (or some other trojans associated with port 12345, as
listed in http://www.simovits.com/nyheter9902.html). I couldn't find any
underground audit project related to this... (using common
search engines) :-(
h) Unfortunately, due to internal management problems, I couldn't reconfigure
my IDS to get more detailed info about this, and all info was extracted
using my firewall logs as the only source (sorry) :-(
i) Due to the large number of IPs (trying to contact the responsible people for
each network involved), I didn't make any contact with the network managers
at the other side, sorry.
j) As a result of this (too), I wrote a "quick and dirty" Korn shell script
to find "contacts" for any given IP, simply doing queries to whois
databases. I usually do this manually, but doing this for more than 400 IPs
one-by-one is really hard for me. :-P
I'm attaching 3 files to this message:
ipes: a list of the IP numbers from which the scans originated.
results: the contacts found, using the "ipes" file as the source for the
script I talked about before.
parser.ksh: the script.
I reviewed the charter for this list looking for something about
attachments, and found nothing, so I guess it's OK to send some
short (zipped) attachments. ;-)
Hope this helps someone. :-) Best regards and a happy 2001.
Martin Humberto Hoz Salvador
Information Security Consultant (ISS ICU, Check Point CCSE)
C I T I
Sendero Sur 285 Col. Contry, Monterrey, Nuevo Leon 64860, MEXICO
Phone: +(52)(8) 357-2267 x139 Fax: +(52)(8) 357-8047
E-mail: mhozciti.com.mx WWW: http://www.citi.com.mx
PGPKey ID: 0x0454E8D9 ICQ Number: 31631540
GIT d- s:(+:+) a-- C+(++++)>$ SILH++++ P++ L+++ E W++ N+ o-- K- w
O M V PS+ PE++ Y+ PGP++ t 5 X+ R tv- b+ DI+ D++ G++ e++ h-- r+ y++
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1i
Comment: Public key at http://www.citi.com.mx/~mhoz/pgpkey.html
-----END PGP SIGNATURE-----
- application/x-unknown-content-type-PGP Detached Signature File attachment: files.zip.sig
- application/zip attachment: files.zip
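The whois-contact lookup described in item j) above, as an added example that is not the author's attached parser.ksh (which is not reproduced on this page). It is written in POSIX sh rather than Korn shell, assumes a `whois` client on PATH for live queries, and the function names, the "ipes"-style input format (one IP per line) and the RIPE-style sample record are constructed for the example.

```shell
#!/bin/sh
# Added example, not the author's attached parser.ksh: look up whois contact
# addresses for a list of scanning IPs (one per line, like the "ipes" file).
# Assumes a `whois` client on PATH for live lookups; SAMPLE_WHOIS below is a
# constructed RIPE-style record used only to exercise the parser offline.

SAMPLE_WHOIS='inetnum:       192.0.2.0 - 192.0.2.255
netname:       EXAMPLE-NET
descr:         constructed sample record, not a real allocation
country:       KR
admin-c:       EX1-TEST
tech-c:        EX1-TEST
e-mail:        noc@example.net
abuse-mailbox: ABUSE@example.net
changed:       hostmaster@example.net 20001201
source:        TEST'

# extract_contacts: read whois text on stdin, print the unique e-mail
# addresses found, lowercased and sorted, one per line.
# "changed:" lines are dropped first: in RIPE-style records they carry the
# maintainer's address plus a date, not a contact for the network.
extract_contacts() {
    grep -iv '^changed:' \
        | grep -Eo '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+' \
        | tr '[:upper:]' '[:lower:]' \
        | sort -u
}

# contacts_line: print "IP<TAB>addr1,addr2" for the whois text on stdin,
# or "IP<TAB>(none)" when the record carries no address at all.
contacts_line() {
    ip=$1
    list=$(extract_contacts | awk 'NR > 1 { printf "," } { printf "%s", $0 }')
    printf '%s\t%s\n' "$ip" "${list:-(none)}"
}

# lookup_contacts: live whois query for one IP (network access required).
lookup_contacts() {
    whois "$1" 2>/dev/null | contacts_line "$1"
}

# contacts_for_list: run the lookup for every IP in a file, skipping blank
# and "#" comment lines and pausing between queries so that 400+ lookups
# do not hammer the whois servers.
contacts_for_list() {
    while read -r ip; do
        case $ip in ''|'#'*) continue ;; esac
        lookup_contacts "$ip"
        sleep 1
    done < "$1"
}

# Usage: sh contacts.sh ipes > results
if [ $# -gt 0 ]; then
    contacts_for_list "$1"
fi
```

The parsing is deliberately separated from the network call so the address extraction can be checked against a saved record without querying anyone; registries differ in their field names (ARIN's OrgAbuseEmail, RIPE's abuse-mailbox and e-mail), which is why the extractor matches anything shaped like an address rather than a fixed field list.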