Full Disclosure mailing list archives

China's tool of the year


From: silence_is_best () hushmail com
Date: Fri, 06 Dec 2013 06:09:08 -0700

Hey Kids!

Let's have some fun with kernel firewall logs shall we?  Take November
for example:

egrep -o "SPT=[0-9]{1,5}" 00.01.03-12.01.2013-messages | sort -n | uniq -c | sort -rn | head -n 20

    898 SPT=6000
    273 SPT=80
    215 SPT=443
     81 SPT=39401
     59 SPT=53
     48 SPT=16387
     44 SPT=3074
     41 SPT=21032
     39 SPT=45682
     36 SPT=5070
     36 SPT=43295
     36 SPT=36490
     30 SPT=4935
     27 SPT=33715
     26 SPT=7778
     25 SPT=5371
     23 SPT=12212
     21 SPT=8877
     20 SPT=8458
     20 SPT=5971

Now we can douche out 80 and 443 since these are most likely RST
packets from web sites.  So what's the deal with 6000?  That my
friends is China's scanning tool!  How do we know?  Cause we look at
the DPT :)

egrep "SPT=6000" 00.01.03-12.01.2013-messages | egrep -o "DPT=[0-9]{1,5}" | sort -n | uniq -c | sort -rn | head -n 20

    309 DPT=1433
    285 DPT=22
    118 DPT=3306
     87 DPT=3389
     27 DPT=8080
     13 DPT=80
     12 DPT=4899
      5 DPT=135
      4 DPT=8009
      4 DPT=1998
      3 DPT=65500
      3 DPT=5900
      3 DPT=1521
      2 DPT=8081
      2 DPT=2967
      2 DPT=1000
      1 DPT=8888
      1 DPT=888
      1 DPT=8088
      1 DPT=7777

Gee....MSSQL...SSH...MySQL...RDP...yea these are legit 8-|.  So let's
just look at the top few source IPs:

egrep "SPT=6000" 00.01.03-12.01.2013-messages | egrep -o "SRC=.*DST" | sed -e 's/SRC=//' -e 's/ DST//' | sort -n | uniq -c | sort -rn | head -n 20

     30 61.147.103.144
     17 222.189.239.10
     17 182.118.38.243
     15 222.175.114.134
     15 117.34.78.197
     14 61.147.113.93
     12 61.147.116.8
     11 61.147.113.77
     11 59.53.67.154
     11 124.232.147.202

Well what do you know....EVERY SINGLE SWINGING one is from China :) 
Solutions?  Block source port 6000 at the perimeter?  Maybe..or maybe
just monitor for a month and see how much legit traffic comes through
on that port.  That's all for now...enjoy.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
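The three-stage pivot in the post (count source ports, take the odd one, look at its destination ports and then its source addresses) as a small Python script, added here as an editor's example rather than anything from the post. It parses the netfilter LOG target's KEY=VALUE fields (SRC, DST, PROTO, SPT, DPT are the real field names) from a handful of constructed log lines using RFC 5737 documentation addresses, and adds one thing the post only does by eye: it separates SYN-only probes from RST replies, so that the SPT=80/443 entries the post "douches out" by hand drop out on their own. The `scanner_profile` heuristic and its thresholds are my assumptions, not a published rule.

```python
"""Triage of netfilter (iptables LOG target) lines by source port.

Hypothetical example: reproduces the SPT -> DPT -> SRC pivot from the post
on constructed sample data. Addresses are from RFC 5737 documentation ranges.
"""
import re
from collections import Counter

# Constructed sample log lines in the kernel LOG format (not from the post).
SAMPLE_LOG = """\
Nov  3 04:12:55 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 04:12:56 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 04:13:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 04:13:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 05:00:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 09:30:44 gw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 RST URGP=0
Nov  3 09:30:45 gw kernel: IN=eth0 OUT= SRC=198.51.100.21 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=51235 WINDOW=0 RES=0x00 RST URGP=0
Nov  3 09:31:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=41000 LEN=120
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line plus a FLAGS set of bare TCP flag words."""
    rec = dict(FIELD_RE.findall(line))
    rec["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return rec


def parse_log(text):
    """Parse every line that carries a SRC= field; other kernel lines are ignored."""
    return [parse_line(line) for line in text.splitlines() if "SRC=" in line]


def top(records, key, n=20):
    """Same as: egrep -o 'KEY=...' | sort | uniq -c | sort -rn | head -n N."""
    return Counter(r[key] for r in records if key in r).most_common(n)


def with_spt(records, spt):
    """Filter step: egrep 'SPT=<spt>'."""
    return [r for r in records if r.get("SPT") == str(spt)]


def scanner_profile(records, spt):
    """Indicators for one source port (assumed heuristic): a fixed SPT that sends
    SYN-only packets to many service ports from many sources looks like a scanner;
    RST replies from web servers (SPT=80/443) and UDP answers do not count."""
    hits = with_spt(records, spt)
    syn_only = [r for r in hits if r["FLAGS"] == {"SYN"}]
    return {
        "packets": len(hits),
        "syn_only": len(syn_only),
        "distinct_dpt": len({r.get("DPT") for r in syn_only}),
        "distinct_src": len({r.get("SRC") for r in syn_only}),
    }


def is_scanner_port(records, spt, min_src=2, min_dpt=2):
    """True when every packet with this SPT is a SYN probe and the spread of
    sources and destination ports exceeds the (placeholder) thresholds."""
    p = scanner_profile(records, spt)
    return (p["packets"] > 0 and p["syn_only"] == p["packets"]
            and p["distinct_src"] >= min_src and p["distinct_dpt"] >= min_dpt)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("top SPT:", top(recs, "SPT", 5))
    spt6000 = with_spt(recs, 6000)
    print("SPT=6000 -> DPT:", top(spt6000, "DPT"))
    print("SPT=6000 -> SRC:", top(spt6000, "SRC"))
    for port in ("6000", "443", "80", "53"):
        print(f"SPT={port} profile:", scanner_profile(recs, port),
              "scanner-like" if is_scanner_port(recs, port) else "not scanner-like")
```

On the sample data SPT=6000 is the only port that is all SYN, multi-source and multi-port; 80 and 443 are single RST replies and fall out of the profile without the manual exclusion. The post's advice to watch the port for a month before blocking it maps directly onto the `syn_only` versus `packets` ratio: legitimate traffic that happens to use source port 6000 shows up as non-SYN packets and lowers that ratio.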