OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Dan Irwin (dan_at_jackies.com.au)
Date: Tue Jul 09 2002 - 18:20:34 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I noticed an increase in smb scanning last week, with a lot of machines
    on asian or US cable/dsl networks probing networks here.

    At least one of these machines appeared to be insecure and i could
    enumerate shares etc with smbclient -L.

    According to my logs, before July 1 2002, we had 4 netbios probes (This
    machine was only installed in mid June).

    On July 1 we recieved around 70 probes, and approx. 68 on July 4. 75
    probes sofar today. Other days vary a lot.

    Infected machines appear to be scanning large ip address ranges. These
    machines are scanning every address on our /28 net. (Logs below)

    Perhaps a new worm targetting insecure windows machines?

    Dan.

    <snip>
    Jul 10 09:12:37 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.119 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=38950 DF PROTO=TCP SPT=21595 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
    Jul 10 09:12:37 xxxxx kernel: fwreject IN=ppp0 OUT= MAC=
    SRC=67.225.115.84 DST=x.x.x.127 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=39206 DF PROTO=TCP SPT=21569 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
    Jul 10 09:12:39 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.120 LEN=48 TOS=0x00 PREC=0x00 TTL=104
    ID=39974 DF PROTO=TCP SPT=21317 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
    Jul 10 09:12:40 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.121 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=40998 DF PROTO=TCP SPT=21539 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
    Jul 10 09:12:42 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.122 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=42022 DF PROTO=TCP SPT=21554 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
    Jul 10 09:12:43 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.123 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=43046 DF PROTO=TCP SPT=21561 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
    Jul 10 09:12:45 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.124 LEN=48 TOS=0x00 PREC=0x00 TTL=105
    ID=44070 DF PROTO=TCP SPT=21596 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
    Jul 10 09:12:46 xxxxx kernel: fwreject IN=ppp0 OUT=eth0
    SRC=67.225.115.84 DST=x.x.x.125 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=45094 DF PROTO=TCP SPT=21599 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
    Jul 10 09:12:48 xxxxx kernel: fwreject IN=ppp0 OUT= MAC=
    SRC=67.225.115.84 DST=x.x.x.126 LEN=48 TOS=0x00 PREC=0x00 TTL=107
    ID=46118 DF PROTO=TCP SPT=21488 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
    Jul 10 09:12:49 xxxxx kernel: fwreject IN=ppp0 OUT= MAC=
    SRC=67.225.115.84 DST=x.x.x.127 LEN=48 TOS=0x00 PREC=0x00 TTL=106
    ID=47142 DF PROTO=TCP SPT=21569 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
    <snip> 

    --
Dan Irwin - Systems Administrator
Jackie's Wholesale Nurseries Pty Ltd
Email: danjackies.com.au
Phone: 07 3888 2481
Fax: 07 3888 2530
Postal: 10 Gleeson Road Burpengary Queensland 4505
Email: infojackies.com.au
Web: http://www.jackies.com.au

    -----Original Message-----
From: Pavel Kankovsky [mailto:peakargo.troja.mff.cuni.cz]
Sent: Wednesday, 10 July 2002 6:22 AM
To: incidentssecurityfocus.com
Subject: TCP port 139 probes

    I have detected a noticeable increase of (blocked) attempts to connect
to the TCP port 139 on machines in our network. Look at these numbers
(number of blocked packets per a day):

          1	Jun 10
      5	Jun 11
     13	Jun 12
     15	Jun 13
      3	Jun 15
      3	Jun 16
      4	Jun 17
     13	Jun 18
     18	Jun 19
     16	Jun 20
     15	Jun 21
      4	Jun 22
      2	Jun 23
     23	Jun 24
     18	Jun 25
     44	Jun 26
     95	Jun 27
    112	Jun 28
     84	Jun 29
     53	Jun 30
    130	Jul  1
    191	Jul  2
    227	Jul  3
    235	Jul  4
    226	Jul  5
    185	Jul  6
    167	Jul  7
    350	Jul  8
    199	Jul  9

    These probes are not (ordinary) scans but isolated attempts by seemingly
random remote IP addresses to open connection to seemingly random local
IP
addresses. In many cases, the destination is an unused address.

    This is very suspicious.

    --Pavel Kankovsky aka Peak  [ Boycott
Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for
assimilation."

    ------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

    ----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com