Security Incidents mailing list archives
semi careful, very patient attacker
From: sinster () BALLTECH NET (Jon Paul, Nollmann)
Date: Mon, 24 Jan 2000 01:45:32 -0800
Since January 14th, I've been monitoring a careful attacker against my network. He's gained no access of any kind, but it's interesting how careful he's being. He only makes a couple probes a day, and the probes are relatively far apart. His probes have never yet come from the same host twice. They appear roughly evenly throughout the day. All the source IP addresses are dialups or otherwise insecure access points.

All his probes have been against three specific machines in my network. These three machines are all part of a high profile project, and word has been spreading quite far in certain restricted communities since early this year, so it's not surprising that the attacker chose these three machines for the probe: if he were to try any of these machines, he'd have hit it randomly (and would only hit one of those machines), or he heard about them through the press releases and therefore knows of all three. He hasn't probed or otherwise knocked on the doors of ANY other machines in my network.

Incomplete details follow:

On January 14 at 23:15:20 UTC and again at 23:15:23 UTC he made TCP RPC queries against each of the three machines. The queries came from 206.107.248.20, with varied ports. That IP belongs to the dial-up pool at sprintlink.

On January 15 at 02:30:44 UTC, 02:30:54 UTC, 02:31:04 UTC, and 02:31:14 UTC he pinged machines b and c (notice the 10 second separation between each ping). The source address in the pings was 209.31.36.24. This is mail.faraday-usa.com, hosted by concentric networks.

Then at 02:34:29 UTC, 02:34:32 UTC, 02:34:38 UTC, 02:34:50 UTC, and 02:35:14 he tried a telnet login to machine a. Notice that the time delay doubles between each packet here (3 seconds, 6 seconds, 12 seconds, then 24 seconds). This was, again, from 209.31.36.24, which isn't surprising since it was only 3 minutes 15 seconds after the last ping attempt.

This was followed at 02:35:44 UTC, 02:35:47 UTC, 02:35:53 UTC, 02:36:05 UTC, and 02:36:29 UTC by more TCP RPC queries. Once again, against machine a. And, then, at 02:37:02 UTC, 02:37:08 UTC, 02:37:20 UTC, and 02:37:44 UTC, attempts at imap2 connections. 6 seconds, 12 seconds, then 24 seconds. Maybe the 3 second try ended up in the bit bucket somewhere. *shrug* That happens. Not yet ready to give up, at 02:38:14 UTC, 02:38:17 UTC, 02:38:23 UTC, 02:38:35 UTC, and 02:38:59 UTC (3, 6, 12, and 24 seconds), he tried ftp connections. Clearly he found something interesting on machine a, but finally gave up after only 9 minutes of trying.

On January 15, at 09:41:07 UTC, he tried TCP SNMP connections on all three machines. Just one probe each. This came from 209.154.229.104. That IP is a UUNet/MCI-Worldcom address.

On January 19, at 19:55:57 UTC, he tried a DNS probe against all three machines. This from 206.16.75.190, which my DNS reports as being www.blacktop.com... Though that is 75.16.206.in-addr.arpa, so something screwy's going on there.

And January 21, at 01:15:50 UTC, he probed port 31789 (UDP) on all 3 machines. I dunno what that might be for. Source IP was 212.62.36.184, assigned to sprintlink.net.

On January 22, 11:21:58 UTC, and 11:22:01 UTC he probed DNS again (TCP). From 208.32.1.120. Another sprintlink address.

January 23, 06:50:30 UTC, he probed all three machines with telnet, smtp, imap2, and then pop-3 (all TCP) in that order. All the packets came within 1 second.

I believe that this is the same guy, simply because nearly all of these probes are repeated identically against all three machines. The attacks are scattered throughout the day, so either he has a script running, or he occasionally has a late night.

--
Jon Paul Nollmann ne' Darren Senn
sinster () balltech net
Unsolicited commercial email will be archived at $1/byte/day.
"Tis better to remain silent and be thought a fool, than to speak up and remove all doubt." Benjamin Franklin
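The pattern the post describes is hard to catch with per-source thresholds, because every source is used once and sends only a handful of packets. What does stand out is the correlation across days: the same fixed set of hosts, and nothing else, probed from a different address each time. The doubling intervals the author noticed (3, 6, 12, 24 seconds) are also worth handling, since a run like that is what a client stack retransmitting an unanswered connection attempt looks like, so those five packets are most likely one attempt rather than five deliberate probes. The script below is an added example written for this archive page, not code from the original post or the list: it reads a constructed, firewall-style log (the format, the hostnames a/b/c/d and the thresholds are assumptions; the sample addresses mirror ones quoted in the post), folds doubling-interval retransmissions into single attempts, then summarises activity per service and for the watched set as a whole.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not the poster's real data): "UTC-timestamp src dst
# proto dport", one packet per line, shaped like the campaign described above.
SAMPLE_LOG = """\
2000-01-14T23:15:20Z 206.107.248.20 a tcp 111
2000-01-14T23:15:20Z 206.107.248.20 b tcp 111
2000-01-14T23:15:20Z 206.107.248.20 c tcp 111
2000-01-15T02:34:29Z 209.31.36.24 a tcp 23
2000-01-15T02:34:32Z 209.31.36.24 a tcp 23
2000-01-15T02:34:38Z 209.31.36.24 a tcp 23
2000-01-15T02:34:50Z 209.31.36.24 a tcp 23
2000-01-15T02:35:14Z 209.31.36.24 a tcp 23
2000-01-19T19:55:57Z 206.16.75.190 a tcp 53
2000-01-19T19:55:57Z 206.16.75.190 b tcp 53
2000-01-19T19:55:57Z 206.16.75.190 c tcp 53
2000-01-22T11:21:58Z 208.32.1.120 a tcp 53
2000-01-22T11:21:58Z 208.32.1.120 b tcp 53
2000-01-22T11:21:58Z 208.32.1.120 c tcp 53
2000-01-16T14:02:11Z 192.0.2.77 d tcp 80
"""
WATCHED = {"a", "b", "c"}  # assumed names for the three high-profile hosts


def parse_log(text):
    """Return (when, src, dst, proto, port) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, dst, proto, int(port)))
    return sorted(events)


def collapse_retransmits(events, first_gap_max=60.0, tolerance=0.25):
    """Merge packets of one (src, dst, proto, port) flow whose spacing roughly
    doubles each time (3, 6, 12, 24 s ...) into a single attempt, so a stack
    retransmitting an unanswered connect() is not counted as several probes.
    Returns (attempts, number_of_packets_merged_away)."""
    by_flow = defaultdict(list)
    for when, *flow in events:
        by_flow[tuple(flow)].append(when)
    attempts, merged = [], 0
    for flow, times in by_flow.items():
        i = 0
        while i < len(times):
            j, prev_gap = i, None
            while j + 1 < len(times):
                gap = (times[j + 1] - times[j]).total_seconds()
                if prev_gap is None:
                    ok = 0 < gap <= first_gap_max
                else:  # every later gap must be about twice the previous one
                    ok = abs(gap - 2 * prev_gap) <= tolerance * 2 * prev_gap
                if not ok:
                    break
                prev_gap, j = gap, j + 1
            attempts.append((times[i],) + flow)
            merged += j - i
            i = j + 1
    return sorted(attempts), merged


def per_service(attempts, watched=WATCHED):
    """Per (proto, port) hitting a watched host: distinct sources, distinct
    days and which watched hosts were touched.  A service whose targets equal
    the whole watched set, from several sources on several days, is the
    'repeated identically against all three machines' signal."""
    table = defaultdict(lambda: {"sources": set(), "days": set(), "targets": set()})
    for when, src, dst, proto, port in attempts:
        if dst in watched:
            row = table[(proto, port)]
            row["sources"].add(src)
            row["days"].add(when.date())
            row["targets"].add(dst)
    return dict(table)


def campaign_report(attempts, watched=WATCHED, min_sources=3, min_days=3):
    """Decide whether the watched set is under one patient campaign: many
    distinct sources, each seen on a single day, spread over several days."""
    src_days, days, other_srcs = defaultdict(set), set(), set()
    for when, src, dst, proto, port in attempts:
        if dst in watched:
            src_days[src].add(when.date())
            days.add(when.date())
        else:
            other_srcs.add(src)  # sources that also touch non-watched hosts
    return {
        "distinct_sources": len(src_days),
        "single_use_sources": sum(1 for d in src_days.values() if len(d) == 1),
        "days_active": len(days),
        "sources_also_hitting_other_hosts": len(other_srcs & set(src_days)),
        "alert": len(src_days) >= min_sources and len(days) >= min_days,
    }


if __name__ == "__main__":
    attempts, merged = collapse_retransmits(parse_log(SAMPLE_LOG))
    print(f"{merged} retransmitted packets folded into {len(attempts)} attempts")
    for svc, row in sorted(per_service(attempts).items()):
        print(svc, sorted(row["sources"]), sorted(map(str, row["days"])), sorted(row["targets"]))
    print(campaign_report(attempts))
```

Run against the sample, the four telnet retransmissions fold into one attempt, DNS shows up as two sources on two days covering all three hosts, and the campaign summary trips because four distinct single-use sources touched the watched set on four different days while the unrelated probe of host d stays out of the picture. The thresholds are deliberately low for the sample; on a real perimeter they would be tuned against the normal background of one-off scanners.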