[nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
Joel Rosenblatt
joel at columbia.edu
Tue Apr 15 12:06:45 EDT 2008
Here are some current (right now) counts
[joel at geoduck ~]$ /cflow/bin/audit/port_query.pl -p2954 -r6 -n10
# --- ---- ---- Report Information --- --- ---
#
# Title: Outgoing Scanning Sources
# Fields: Total
# Symbols: Disabled
# Sorting: Descending Field 1
# Name: Source IP
#
# Args: flow-stat -f9 -S1 -T Outgoing Scanning Sources
#
#
# IPaddr flows octets packets
#
128.59.48.6 9 10962 140
128.59.20.226 7 3945 36
128.59.48.36 5 86652 89
160.39.137.184 5 3092 25
160.39.201.175 5 781 12
128.59.176.131 4 1975 20
128.59.48.24 3 38679 47
128.59.59.177 3 512 11
128.59.199.87 3 811 16
160.39.4.62 3 1667 13
160.39.240.66 3 340 7
160.39.80.42 2 1662 15
128.59.28.83 2 184 4
156.111.139.12 2 452 8
160.39.201.69 2 3643425 2831
160.39.54.156 2 340 6
160.39.138.139 2 765 9
128.59.84.23 2 3496 10
128.59.48.4 2 1744 14
128.59.20.228 2 736 7
160.39.96.47 2 2818 15
128.59.64.30 1 96388 69
128.59.59.89 1 138 3
128.59.111.11 1 192210 132
128.59.178.184 1 262 5
# --- ---- ---- Report Information --- --- ---
#
# Title: Outgoing Scanning Recipient ASNs
# Fields: Total
# Symbols: Disabled
# Sorting: Descending Field 1
# Name: Destination AS
#
# Args: flow-stat -f20 -S1 -T Outgoing Scanning Recipient ASNs
#
#
# dst AS flows octets packets
#
4134 9 362777 276
12322 5 3646377 2853
3462 4 895 12
9800 3 859 11
9318 3 3718 60
8167 3 564 10
7482 3 1667 13
4766 3 22016 27
4538 3 322 7
3320 3 385 8
33491 2 782 8
29738 2 140 3
20057 2 184 4
15169 2 86330 82
9498 2 733 10
4808 2 577 8
4788 2 16987 27
35908 1 1045 13
34383 1 480 5
33657 1 599 7
29687 1 289 5
23898 1 437 5
23700 1 138 3
21844 1 1312 16
20115 1 769 5
# --- ---- ---- Report Information --- --- ---
#
# Title: Incoming Scanning Sources
# Fields: Total
# Symbols: Disabled
# Sorting: Descending Field 1
# Name: Source IP
#
# Args: flow-stat -f9 -S1 -T Incoming Scanning Sources
#
#
# IPaddr flows octets packets
#
125.118.56.251 24 3910 85
86.140.154.46 4 3843 76
72.14.247.83 4 2110 25
64.233.185.83 4 2435 24
66.102.1.91 3 44346 40
87.11.3.52 2 280 6
212.58.226.20 2 18832 17
204.11.109.22 2 8827 10
216.52.175.141 2 6040 13
66.249.83.83 2 4085 10
61.135.151.77 2 92 2
77.247.176.154 2 1555 10
68.253.191.194 1 138 3
67.107.161.4 1 30094 30
219.152.120.80 1 48 1
211.234.241.139 1 6138 9
8.6.12.121 1 5107886 3410
216.73.87.52 1 1908 4
211.206.120.106 1 2356 6
208.111.129.11 1 119326 82
69.28.154.242 1 775 4
209.170.120.43 1 545 4
77.247.176.134 1 413 5
129.206.100.212 1 46 1
67.228.59.227 1 2307 7
# --- ---- ---- Report Information --- --- ---
--On Tuesday, April 15, 2008 5:29 PM +0200 Rolf Gartmann <rolf.gartmann at switch.ch> wrote:
> ----------- nsp-security Confidential --------
>
> from the fingers of jose nazario on 15.4.2008 17:14 Uhr:
>> ----------- nsp-security Confidential --------
>>
>> Following publication of the exploit code for the HP OV NMM buffer overflow
>> on TCP/2954, we're seeing a spike in attackers now for this port. This
>> follows a smaller bump last week when the code was a) not working well and
>> b) possibly working exploit code was not so public. Via ATLAS, here are the
>> top hosts scanning:
>>
>> Host Bytes per subnet Percentage
>> 85.25.146.193 2.09 kB 84.6%
>> 80.233.240.24 186.94 B 7.6%
>> 62.77.76.167 60.20 B 2.4%
>> 195.246.222.16 53.74 B 2.2%
>> 193.93.27.17 37.02 B 1.5%
>> 89.146.16.26 28.20 B 1.1%
>> 80.123.116.21 7.26 B 0.3%
>> 62.244.213.210 5.34 B 0.2%
>> 212.241.176.186 0.33 B 0.0%
>> 85.196.83.12 0.16 B 0.0%
>> Other 0 B 0.0%
>> This is all since 01:50 UTC today.
>
> I can throw in some stats from our Darkspace:
>
> 2008-04-10 11:10 29658
> 2008-04-10 11:15 37669
> 2008-04-10 11:20 27340
> 2008-04-11 00:45 7706
> 2008-04-11 00:50 11555
> 2008-04-11 01:00 10340
> 2008-04-11 02:10 78
> 2008-04-15 07:40 11262
> 2008-04-15 07:45 18584
>
> checking from 2008-04-08 till now, numbers are pkts/5min
> (timestamps UTC+2)
>
> -
> Rolf
>
>> Exploit code is here:
>>
>> http://www.milw0rm.com/exploits/5445
>>
>> - jose
>>
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Rolf Gartmann, Security Engineer, Member of SWITCH-CERT
> PGP fingerprint: 4602 9CC2 6C04 5DF0 3A05 7609 BC09 45A2 2E0E CA35
> SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> http://www.switch.ch/cert/
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
More information about the nsp-security
mailing list