Welcome to the Virus.Org Mailing List Archive

Re: New trojan running in port 12345?
  • To: [EMAIL PROTECTED]
  • Subject: Re: New trojan running in port 12345?
  • From: Martin H Hoz-Salvador <[EMAIL PROTECTED]>
  • Date: Fri, 05 Jan 2001 21:29:49 +0100
  • In-reply-to: <[EMAIL PROTECTED]>

Hi folks!

This is a follow-up to my post dated December 19th 2000; I have some
new findings.

This is a bit late after my first post, but I wanted to do some research
before releasing any results. :-) Here we go:

a) As Russell Fulton said in a reply, most of the origin IPs came from Korea;
   other sources were Brazil, USA, Canada, among others.
b) As Russell Fulton pointed out too, most of the netscans started at "11",
   instead of "1". A strange thing is some scans started at "96" and
   ended at "111".
c) Delay between packets was 5 seconds. Sometimes the delay was 6 seconds, but
   I think this was due to network congestion, and not a pattern in the scans.
d) Almost all scans took 20 minutes (average) to scan a class C net
   (remember, from 11 to 254 in this case).
e) From my logs, it seems like scans started at Dec/14/2000 22:52:27 CST,
   ending Dec/27/2000 09:54:03 CST (note the ":52:27" and ":54:03" relation. I'm
   wondering if this hour is significant for some country like Korea, or if
   this could mean an automated scan). ;-)
f) Around 420 unique IP numbers were originating scans. I tried to
   identify some "double" scans originating from the same IP, without success.
g) Jose Nazario pointed out the possible relationship between this scan and
   some sort of underground audit project. I browsed the web and found
   this URL: http://www.nwo.net/iap/ This is related (almost the same
   info :-P) to the URL he gave us. But this page doesn't say anything about
   NetBus scans (or some other trojans associated with port 12345, as
   listed in http://www.simovits.com/nyheter9902.html). I couldn't find any
   underground audit project related to this... (using common
   search engines) :-(
h) Unfortunately, due to internal management problems, I couldn't reconfigure
   my IDS to get more detailed info about this, and all info was extracted
   using my firewall logs as the only source (sorry) :-(
i) Due to the large number of IPs involved in trying to contact the responsible
   people for each network, I didn't contact any network managers
   at the other side, sorry.
j) As a result of this (too), I wrote a "quick and dirty" Korn shell script
   to find "contacts" for any given IP, simply by doing queries to whois
   databases. I usually do this manually, but doing this for more than 400 IPs
   one by one is really hard for me. :-P

I'm attaching 3 files to this message:
ipes: a list of IP numbers from which the scans were originated.
results: the results for contacts, using the "ipes" file as the source for the
   script I talked about before.
parser.ksh: the script.

I reviewed the charter for this list looking for something about
attachments, and found nothing, so I guess it's OK to send some
short (zipped) attachments. ;-)

Hope this helps someone. :-) Best regards and happy 2001.

--
Martin Humberto Hoz Salvador
Information Security Consultant (ISS ICU, Check Point CCSE)
C   I   T   I
Sendero Sur  285  Col. Contry,  Monterrey,  Nuevo Leon 64860, MEXICO
Phone: +(52)(8) 357-2267 x139   Fax: +(52)(8) 357-8047
E-mail: [EMAIL PROTECTED]        WWW:  http://www.citi.com.mx
PGPKey ID: 0x0454E8D9           ICQ Number: 31631540
GIT d- s:(+:+) a-- C+(++++)>$ SILH++++ P++ L+++ E W++ N+ o-- K- w
O M V PS+ PE++ Y+ PGP++ t 5 X+ R tv- b+ DI+ D++ G++ e++ h-- r+ y++


Attachment: zip00000.zip (files.zip)
Attachment: bin00001.bin (files.zip.sig)
Attachment: bin00000.bin
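The timing and host-range pattern described in points (b) to (e) can be pulled out of firewall logs automatically. The script below is an added example and is not part of the original post or its attachments: it groups denied connections to port 12345 by source IP and reports the first and last target host, the mean delay between packets, and the duration of each scan. The log line format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample firewall log lines (not from the original post). The
# format "<date> <time> DENY <src_ip> -> <dst_ip>:<dst_port>" is an assumption.
SAMPLE_LOG = """\
2000-12-14 22:52:27 DENY 10.0.0.5 -> 192.0.2.11:12345
2000-12-14 22:52:32 DENY 10.0.0.5 -> 192.0.2.12:12345
2000-12-14 22:52:37 DENY 10.0.0.5 -> 192.0.2.13:12345
2000-12-14 22:52:43 DENY 10.0.0.5 -> 192.0.2.14:12345
2000-12-14 22:52:48 DENY 10.0.0.5 -> 192.0.2.15:12345
2000-12-14 23:00:00 DENY 10.0.0.9 -> 192.0.2.96:12345
2000-12-14 23:00:05 DENY 10.0.0.9 -> 192.0.2.97:12345
2000-12-14 23:00:10 DENY 10.0.0.9 -> 192.0.2.111:12345
2000-12-14 23:01:00 DENY 10.0.0.7 -> 192.0.2.20:80
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) DENY (\S+) -> (\d+\.\d+\.\d+\.(\d+)):(\d+)$")

def summarize_scans(log_text, port=12345):
    """Group denied connections to `port` by source IP and describe each
    scan: first/last target host octet, mean inter-packet delay, duration."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(5)) != port:
            continue  # malformed line or traffic to some other port
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        hits[m.group(2)].append((ts, int(m.group(4))))
    report = {}
    for src, events in hits.items():
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[src] = {
            "packets": len(events),
            "first_host": events[0][1],
            "last_host": events[-1][1],
            "mean_delay_s": mean(gaps) if gaps else 0.0,
            "duration_s": (times[-1] - times[0]).total_seconds(),
        }
    return report

if __name__ == "__main__":
    for src, info in sorted(summarize_scans(SAMPLE_LOG).items()):
        print(src, info)
```

A source whose mean delay sits near 5 seconds and whose first host is 11 rather than 1 matches the pattern the post describes; sources hitting other ports are ignored.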
