Security Incidents mailing list archives
slow scans for tcp port 524 and 137
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 25 Oct 2000 13:12:56 +1300
Over the last week or so I have picked up three machines probing for udp 137 and tcp 524. Probes appear to be to random addresses in our address space (some are in use, many not) and occur at random time intervals, mean around an hour but with some long intervals suggesting that the machine was powered off. All machines are in 130.0.0.0/8, as are we. I'm guessing that this is a trojan that is scanning its own /8 with random probes.

Perhaps the same as was reported:
< http://www.securityfocus.com/archive/75/61101 >

Anyway, it seems to be getting more prevalent. I have not yet reported these to the owners, so I'll obscure the source address to protect the guilty until I have contacted them.

[130.xx.93.46] -- hosts 15, times 21, frags 0
file: data/2000.10.24/argus-2000.10.24.19.00.gz
        130.216.92.204. 524
file: data/2000.10.24/argus-2000.10.24.18.00.gz
        130.216.92.204. 524
file: data/2000.10.24/argus-2000.10.24.16.00.gz
        130.216.216.44. 524
        130.216.217.118. 524
file: data/2000.10.24/argus-2000.10.24.15.00.gz
        130.216.216.44. 524
file: data/2000.10.24/argus-2000.10.24.13.00.gz
        130.216.37.229. 524
file: data/2000.10.24/argus-2000.10.24.12.00.gz
        130.216.37.229. 524
file: data/2000.10.24/argus-2000.10.24.03.00.gz
        130.216.131.62. 524
file: data/2000.10.23/argus-2000.10.23.22.00.gz
        130.216.16.95. 524
file: data/2000.10.23/argus-2000.10.23.21.00.gz
        130.216.16.95. 524
file: data/2000.10.20/argus-2000.10.20.02.00.gz

Start_Time         Type SrcAddr            Port Dir DstAddr          Port SrcPkt Dstpkt SrcBytes DstBytes Status
24 Oct 00 19:26:37 tcp  130.xx.93.46.4495       o>  130.216.92.204.524    3      0      198      0        S
24 Oct 00 19:26:27 icmp 130.216.191.119         ->  130.xx.93.46          9      0      1206     0        URH
24 Oct 00 19:26:24 udp  130.xx.93.46.137        ->  130.216.92.204.137    6      0      576      0        TIM

Note the "S" 'Status' on the tcp record; this indicates the packet had the SYN flag set. This one seems to reprobe the last address systematically, the others don't.

[130.yyy.114.167] -- hosts 11, times 10, frags 0
file: data/2000.10.24/argus-2000.10.24.06.00.gz
        130.216.185.105. 524
        130.216.230.199. 524
file: data/2000.10.24/argus-2000.10.24.02.00.gz
        130.216.149.63. 524
file: data/2000.10.21/argus-2000.10.21.01.00.gz
        130.216.96.172. 524
file: data/2000.10.20/argus-2000.10.20.04.00.gz
        130.216.132.185. 524
file: data/2000.10.18/argus-2000.10.18.09.00.gz
        130.216.55.228. 524
file: data/2000.10.18/argus-2000.10.18.05.00.gz
        130.216.186.163. 524
file: data/2000.10.18/argus-2000.10.18.02.00.gz
        130.216.209.106. 524
file: data/2000.10.18/argus-2000.10.18.01.00.gz
        130.216.162.67. 524
file: data/2000.10.17/argus-2000.10.17.07.00.gz
        130.216.119.124. 524
file: data/2000.10.17/argus-2000.10.17.04.00.gz
        130.216.87.10. 524

24 Oct 00 06:20:05 tcp  130.yyy.114.167.1228    o>  130.216.185.105.524   3      0      198      0
24 Oct 00 06:20:14 udp  130.yyy.114.167.137     ->  130.216.185.105.137   6      0      576      0        TIM
24 Oct 00 06:38:04 tcp  130.yyy.114.167.1493    o>  130.216.230.199.524   3      0      198      0
24 Oct 00 06:38:20 udp  130.yyy.114.167.137     ->  130.216.230.199.137   6      0      576      0        TIM

Note the absence of the "S", indicating a null scan (no tcp flags in these packets). This one also

[130.zz.73.75] -- hosts 20, times 16, frags 0
file: data/2000.10.19/argus-2000.10.19.20.00.gz
        130.216.235.47. 524
file: data/2000.10.19/argus-2000.10.19.19.00.gz
        130.216.62.30. 524
file: data/2000.10.19/argus-2000.10.19.14.00.gz
        130.216.51.142. 524
file: data/2000.10.19/argus-2000.10.19.11.00.gz
        130.216.15.205. 524
        130.216.60.51. 524
file: data/2000.10.19/argus-2000.10.19.10.00.gz
        130.216.26.96. 524
file: data/2000.10.19/argus-2000.10.19.07.00.gz
        130.216.84.198. 524
        130.216.122.165. 524
file: data/2000.10.19/argus-2000.10.19.05.00.gz
        130.216.146.71. 524

19 Oct 00 19:56:38 udp  130.zz.73.75.137        ->  130.216.62.30.137     3      0      288      0        TIM
19 Oct 00 20:15:21 tcp  130.zz.73.75.2278       o>  130.216.235.47.524    3      0      198      0
19 Oct 00 20:18:42 udp  130.zz.73.75.137        ->  130.216.235.47.137    3      0      288      0        TIM

Cheers, Russell

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand.
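The correlation Russell is doing by hand above (an outside host sending tcp/524 and udp/137 probes to scattered addresses in the local space, with the Argus Status column separating SYN probes from flagless ones) can be scripted over the same record layout. The following is an added example, not code from the post or from the Argus project. It assumes the local space is 130.216.0.0/16, that a udp/137 probe within 300 seconds of a tcp/524 probe to the same host is the paired probe, that two distinct local targets are enough to report a source, and that "S" in Status means the SYN flag was seen while an empty Status on a tcp record means no flags; the sample records are constructed, modelled on the ones quoted above (source addresses obfuscated as there) with one extra probe pair and one ordinary, answered NetBIOS exchange that should not be reported.

```python
"""Profile slow tcp/524 + udp/137 probers from Argus ra-style flow records, i.e. the
listing in the post: Start_Time Type Src.Port Dir Dst.Port SrcPkt DstPkt SrcBytes DstBytes [Status]
"""
from collections import defaultdict
from datetime import datetime

LOCAL_PREFIX = "130.216."   # the monitored /16; every probe in the post lands here (assumption)
PROBE_PORTS = {("tcp", 524), ("udp", 137)}
PAIR_WINDOW_S = 300         # assumed: udp/137 within 5 min of tcp/524 to the same host

# Constructed sample modelled on the records quoted in the post (source addresses
# obfuscated as there), plus one extra probe pair to a host the post lists and one
# ordinary, answered NetBIOS exchange that must not be flagged.
SAMPLE_RECORDS = """\
24 Oct 00 19:26:37 tcp 130.xx.93.46.4495 o> 130.216.92.204.524 3 0 198 0 S
24 Oct 00 19:26:27 icmp 130.216.191.119 -> 130.xx.93.46 9 0 1206 0 URH
24 Oct 00 19:26:24 udp 130.xx.93.46.137 -> 130.216.92.204.137 6 0 576 0 TIM
24 Oct 00 16:40:51 tcp 130.xx.93.46.4210 o> 130.216.217.118.524 3 0 198 0 S
24 Oct 00 16:40:58 udp 130.xx.93.46.137 -> 130.216.217.118.137 6 0 576 0 TIM
24 Oct 00 06:20:05 tcp 130.yyy.114.167.1228 o> 130.216.185.105.524 3 0 198 0
24 Oct 00 06:20:14 udp 130.yyy.114.167.137 -> 130.216.185.105.137 6 0 576 0 TIM
24 Oct 00 06:38:04 tcp 130.yyy.114.167.1493 o> 130.216.230.199.524 3 0 198 0
24 Oct 00 06:38:20 udp 130.yyy.114.167.137 -> 130.216.230.199.137 6 0 576 0 TIM
19 Oct 00 19:56:38 udp 130.zz.73.75.137 -> 130.216.62.30.137 3 0 288 0 TIM
19 Oct 00 20:15:21 tcp 130.zz.73.75.2278 o> 130.216.235.47.524 3 0 198 0
19 Oct 00 20:18:42 udp 130.zz.73.75.137 -> 130.216.235.47.137 3 0 288 0 TIM
24 Oct 00 09:01:12 udp 130.47.10.22.137 -> 130.216.5.9.137 4 4 368 380
24 Oct 00 09:31:40 udp 130.47.10.22.137 -> 130.216.5.9.137 4 4 368 380
"""


def split_addr(tok):
    """'130.xx.93.46.4495' -> ('130.xx.93.46', 4495); icmp records carry no port."""
    parts = tok.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return tok, None


def parse_records(text):
    """Parse ra listing lines into dicts, oldest first (the post's lines are not sorted)."""
    recs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12:
            continue
        src, sport = split_addr(f[5])
        dst, dport = split_addr(f[7])
        recs.append({"time": datetime.strptime(" ".join(f[:4]), "%d %b %y %H:%M:%S"),
                     "proto": f[4], "src": src, "sport": sport, "dst": dst, "dport": dport,
                     "dpkts": int(f[9]), "status": f[12] if len(f) > 12 else ""})
    recs.sort(key=lambda r: r["time"])
    return recs


def find_scanners(recs, min_hosts=2):
    """Profile each outside host that probed >= min_hosts distinct local targets."""
    by_src = defaultdict(list)
    for r in recs:
        # inbound only: drops the router's ICMP unreachables and local outbound flows
        if r["src"].startswith(LOCAL_PREFIX) or not r["dst"].startswith(LOCAL_PREFIX):
            continue
        if (r["proto"], r["dport"]) in PROBE_PORTS:
            by_src[r["src"]].append(r)
    report = {}
    for src, flows in by_src.items():
        targets = {r["dst"] for r in flows}
        if len(targets) < min_hosts:
            continue
        tcp524 = [r for r in flows if r["proto"] == "tcp"]
        udp137 = [r for r in flows if r["proto"] == "udp"]
        # a tcp/524 probe is "paired" when the same host also got udp/137 close in time
        paired = sum(1 for t in tcp524 if any(
            u["dst"] == t["dst"] and abs((u["time"] - t["time"]).total_seconds()) <= PAIR_WINDOW_S
            for u in udp137))
        # Status "S" on a tcp record = SYN flag seen (the post's reading of the field);
        # a tcp record with no status at all is the flagless "null" probe it describes.
        kinds = {"SYN" if r["status"].startswith("S") else "null" for r in tcp524}
        scan_type = kinds.pop() if len(kinds) == 1 else ("mixed" if kinds else "udp-only")
        # slowness: mean gap between first contact with successive distinct targets
        first_seen = {}
        for r in flows:
            first_seen.setdefault(r["dst"], r["time"])
        times = sorted(first_seen.values())
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[src] = {
            "targets": len(targets),
            "tcp524_hosts": len({r["dst"] for r in tcp524}),
            "udp137_hosts": len({r["dst"] for r in udp137}),
            "paired": paired,
            "unanswered": sum(1 for r in flows if r["dpkts"] == 0),
            "scan_type": scan_type,
            "mean_gap_s": int(sum(gaps) / len(gaps)) if gaps else 0,
            "same_slash8": src.split(".")[0] == LOCAL_PREFIX.split(".")[0],
        }
    return report


if __name__ == "__main__":
    for src, prof in find_scanners(parse_records(SAMPLE_RECORDS)).items():
        print(src, prof)
```

Run as-is it reports the three obfuscated sources (the first as a SYN scanner, the other two as null scanners, all in the same /8 as the sensor, every probe unanswered) and stays silent about 130.47.10.22, whose two flows go to a single host and are answered. To use it on real data, paste the text of an ra listing with the same column layout in place of SAMPLE_RECORDS and adjust LOCAL_PREFIX; the mean_gap_s value is what lets you call a source "slow" rather than a burst scanner.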
Current thread:
- slow scans for tcp port 524 and 137 Russell Fulton (Oct 26)
- <Possible follow-ups>
- Re: slow scans for tcp port 524 and 137 Jens Hektor (Oct 27)
- slow scans for tcp port 524 and 137 Russell Fulton (Oct 27)