Security Incidents mailing list archives

Re: Port 10008

From: "Crist Clark" <crist.clark () globalstar com>
Date: Tue, 15 May 2001 10:53:09 -0700

Mike Scott wrote:


I saw the same thing over the weekend to what looks like the entire Class B.
Here's a snip from a snort portscan log, I don't have the rest in front of me:

May 13 09:18:56 202.43.105.18:4760 -> xxx.140.18.139:10008 SYN ******S*
May 13 09:18:56 202.43.105.18:4761 -> xxx.140.18.140:10008 SYN ******S*
May 13 09:18:57 202.43.105.18:4762 -> xxx.140.18.141:10008 SYN ******S*
May 13 09:18:57 202.43.105.18:4763 -> xxx.140.18.142:10008 SYN ******S*


These are the hosts that scanned us for 10008 _yesterday_ (midnight to
midnight localtime). The kiddies/worms are already well over their quota
on this port for the whole week.

The first value is the number of packets (note, packets not necessarily
individual connection attempts) we were hit with. Four class C's and some 
change are routed past the device that logged these,

   338 195.166.230.3
  2102 217.80.46.242
    12 211.100.13.100
    10 211.114.177.139
    11 207.200.89.227
  2032 217.75.0.71
    10 203.164.147.132
     4 64.12.184.25
     7 207.200.89.193
     4 155.210.88.146
     5 209.249.232.66
  2128 213.73.6.98
  2107 211.20.160.238
  1653 211.175.142.204
     4 65.196.90.10

Someone earlier in the thread asked if there was a signature to these.
I obviously have not examined each and every one of these packets, but
I looked at the ones that sent over 1000 packets my way and there were
no obvious signs of crafting or other strange signatures (incrementing
IP ID, changing ISN, changing TCP timestamp, SYN with no extra flags,
stepping source port, etc.). They all look like Linux boxen tho'. Prolly
2.1.x?
-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster () globalstar com

Current thread:

Port 10008 Joerg Weber (May 15)
- Re: Port 10008 jlewis (May 15)
  - Re: Port 10008 jlewis (May 22)
- Re: Port 10008 Tracey Losco (May 15)
- Re: Port 10008 Tim Brown (May 15)
- Re: Port 10008 Mike Scott (May 15)
  - Re: Port 10008 Crist Clark (May 15)
- Re: Port 10008 Rob Lindenbusch (May 15)
- Re: Port 10008 Bryan Andersen (May 15)
  - Cheese Worm - Port 10008 HyunWoo Lee (May 16)