[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20031009215416.GH27822@sentex.net>
From: damian at sentex.net (Damian Gerow)
Subject: Port 135 scans, IDS/incidents mailing lists
First off, has anyone noticed a massive increase in port 135/tcp scans?
We're seeing tons of packets spewing out of some of our customers:
17:49:03.005114 64.7.nnn.xx.2896 > 192.165.59.173.135: S [tcp sum ok] 1825871932:1825871932(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8587, len 48)
17:49:03.009414 64.7.nnn.xx.2897 > 192.165.59.174.135: S [tcp sum ok] 1825933405:1825933405(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8588, len 48)
17:49:03.014364 64.7.nnn.xx.2898 > 192.165.59.175.135: S [tcp sum ok] 1825993933:1825993933(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8589, len 48)
17:49:03.019936 64.7.nnn.xx.2899 > 192.165.59.176.135: S [tcp sum ok] 1826046617:1826046617(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8590, len 48)
17:49:03.023053 64.7.nnn.zzz.4648 > 192.169.242.96.135: S [tcp sum ok] 2972905172:2972905172(0) win 16384 <mss 1440,nop,nop,sackOK> (DF) (ttl 127, id 50554, len 48)
17:49:03.023957 64.7.nnn.xx.2900 > 192.165.59.1.135: S [tcp sum ok] 1816064717:1816064717(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 85xx, len 48)
17:49:03.028542 64.7.nnn.xx.2901 > 192.165.59.93.135: S [tcp sum ok] 1821308116:1821308116(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8592, len 48)
17:49:03.032474 64.7.nnn.xx.2902 > 192.165.59.109.135: S [tcp sum ok] 1822128959:1822128959(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8593, len 48)
17:49:03.032923 64.7.nnn.zzz.4649 > 192.169.242.97.135: S [tcp sum ok] 2972957081:2972957081(0) win 16384 <mss 1440,nop,nop,sackOK> (DF) (ttl 127, id 50556, len 48)
17:49:03.037511 64.7.nnn.xx.2903 > 192.165.59.84.135: S [tcp sum ok] 1820848300:1820848300(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8594, len 48)
17:49:03.042845 64.7.nnn.xx.2904 > 192.165.59.106.135: S [tcp sum ok] 1821950726:1821950726(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8595, len 48)
17:49:03.043351 64.7.nnn.zzz.4652 > 192.169.242.98.135: S [tcp sum ok] 2973012253:2973012253(0) win 16384 <mss 1440,nop,nop,sackOK> (DF) (ttl 127, id 50557, len 48)
17:49:03.047221 64.7.nnn.xx.2905 > 192.165.59.33.135: S [tcp sum ok] 1817916094:1817916094(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8596, len 48)
17:49:03.051521 64.7.nnn.xx.2906 > 192.165.59.90.135: S [tcp sum ok] 1821160157:1821160157(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8597, len 48)
17:49:03.055904 64.7.nnn.xx.2907 > 192.165.59.100.135: S [tcp sum ok] 1821645039:1821645039(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8598, len 48)
17:49:03.060327 64.7.nnn.xx.2908 > 192.165.59.27.135: S [tcp sum ok] 1817576289:1817576289(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8599, len 48)
17:49:03.063144 64.7.nnn.yyy.2180 > 64.79.202.185.135: S [tcp sum ok] 714401726:714401726(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51190, len 48)
17:49:03.065734 64.7.nnn.xx.2909 > 192.165.59.5.135: S [tcp sum ok] 1816314806:1816314806(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8600, len 48)
17:49:03.067330 64.7.nnn.yyy.2181 > 64.79.202.186.135: S [tcp sum ok] 714461796:714461796(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51191, len 48)
17:49:03.069626 64.7.nnn.yyy.2182 > 64.79.202.187.135: S [tcp sum ok] 714500169:714500169(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51192, len 48)
17:49:03.070322 64.7.nnn.xx.2910 > 192.165.59.40.135: S [tcp sum ok] 1818270550:1818270550(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8601, len 48)
17:49:03.071948 64.7.nnn.yyy.2183 > 64.79.202.188.135: S [tcp sum ok] 714547026:714547026(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51193, len 48)
17:49:03.073931 64.7.nnn.yyy.2184 > 64.79.202.189.135: S [tcp sum ok] 714590946:714590946(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51194, len 48)
17:49:03.074622 64.7.nnn.xx.2911 > 192.165.59.94.135: S [tcp sum ok] 1821345456:1821345456(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8602, len 48)
17:49:03.076136 64.7.nnn.yyy.2185 > 64.79.202.190.135: S [tcp sum ok] 714627718:714627718(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51195, len 48)
17:49:03.078367 64.7.nnn.yyy.2186 > 64.79.202.191.135: S [tcp sum ok] 714683447:714683447(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51196, len 48)
17:49:03.079172 64.7.nnn.xx.2912 > 192.165.59.110.135: S [tcp sum ok] 1822239874:1822239874(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8603, len 48)
17:49:03.080439 64.7.nnn.yyy.2187 > 64.79.202.192.135: S [tcp sum ok] 714717197:714717197(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51197, len 48)
17:49:03.082567 64.7.nnn.yyy.2188 > 64.79.202.193.135: S [tcp sum ok] 714762755:714762755(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51198, len 48)
17:49:03.083528 64.7.nnn.xx.2913 > 192.165.59.88.135: S [tcp sum ok] 1821052527:1821052527(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8604, len 48)
17:49:03.084820 64.7.nnn.yyy.2189 > 64.79.202.194.135: S [tcp sum ok] 714822768:714822768(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51199, len 48)
17:49:03.088015 64.7.nnn.xx.2914 > 192.165.59.82.135: S [tcp sum ok] 1820740362:1820740362(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8605, len 48)
17:49:03.088262 64.7.nnn.yyy.2190 > 64.79.202.195.135: S [tcp sum ok] 714857358:714857358(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51200, len 48)
17:49:03.090226 64.7.nnn.yyy.2191 > 64.79.202.196.135: S [tcp sum ok] 714904231:714904231(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51201, len 48)
17:49:03.092357 64.7.nnn.yyy.2192 > 64.79.202.197.135: S [tcp sum ok] 714953130:714953130(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51202, len 48)
17:49:03.095218 64.7.nnn.yyy.2193 > 64.79.202.198.135: S [tcp sum ok] 714989826:714989826(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51203, len 48)
17:49:03.096149 64.7.nnn.xx.2915 > 192.165.59.31.135: S [tcp sum ok] 1817809793:1817809793(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8606, len 48)
17:49:03.096945 64.7.nnn.yyy.2194 > 64.79.202.199.135: S [tcp sum ok] 715037445:715037445(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51204, len 48)
17:49:03.098951 64.7.nnn.yyy.2195 > 64.79.202.200.135: S [tcp sum ok] 715072042:715072042(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51205, len 48)
17:49:03.100318 64.7.nnn.xx.2916 > 192.165.59.104.135: S [tcp sum ok] 1821850975:1821850975(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8607, len 48)
17:49:03.101040 64.7.nnn.yyy.2196 > 64.79.202.201.135: S [tcp sum ok] 715136508:715136508(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51206, len 48)
17:49:03.102514 64.7.nnn.zzz.4419 > 192.169.241.250.135: S [tcp sum ok] 2967312160:2967312160(0) win 16384 <mss 1440,nop,nop,sackOK> (DF) (ttl 127, id 50558, len 48)
17:49:03.103668 64.7.nnn.yyy.2197 > 64.79.202.202.135: S [tcp sum ok] 715185482:715185482(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51207, len 48)
17:49:03.104441 64.7.nnn.xx.2917 > 192.165.59.44.135: S [tcp sum ok] 1818449489:1818449489(0) win 65535 <mss 1452,nop,nop,sackOK> (DF) (ttl 126, id 8608, len 48)
17:49:03.104665 64.7.nnn.zzz.4420 > 192.169.241.251.135: S [tcp sum ok] 2967371300:2967371300(0) win 16384 <mss 1440,nop,nop,sackOK> (DF) (ttl 127, id 50559, len 48)
17:49:03.105518 64.7.nnn.yyy.2198 > 64.79.202.203.135: S [tcp sum ok] 715218320:715218320(0) win 16384 <mss 1414,nop,nop,sackOK> (DF) (ttl 127, id 51208, len 48)
17:49:03.106794 64.7.nnn.zzz.4421 > 192.169.241.252.135: S [tcp sum ok] 2967423885:2967423885(0) win 16384 <mss 1440,nop,nop,sackOK> (DF) (ttl 127, id 50560, len 48)
And this is pretty unusual for our network. I'm still not clear if this is
just a coincidental mass 135/tcp port scan, from numerous hosts, or if its a
worm -- but I'm tending towards the latter.
Secondly, what mailing lists do IDS/incidents folks hang out on these days?
incidents@...urityfocus.com is the only one I'm aware of, but it's
completely non-responsive right now (I'm subscribed, but not getting any
posts, and my posts don't seem to be making it through). We've had a couple
of incidents lately that it would be nice to get an external set of eyes on,
but FD is so full with its usual political bantering that I wouldn't risk
bringing it back on-topic. ;)
Powered by blists - more mailing lists