[nsp-sec] SYN-ACK backscatter from 60.191.221.41:7000
Rob Thomas
robt at cymru.com
Wed Apr 16 22:16:53 EDT 2008
Hi, Michael.
It's IRC-based hate time on the Internet! :)
>> AS | IP | AS Name
>> 4134 | 60.191.221.41 | CHINANET-BACKBONE No.31,Jin-rong Street
Some miscreants took umbrage with this Windows box; more likely they
were very angry with the miscreant using it as an IRC bounce or proxy.
They were port scanning it on 2008-04-16 18:14:03 UTC. My guess is this
is some IRC-based war of words and packets. l33t l33t!
Looks like the attack began on 2008-04-15 UTC.
   Flows  Date UTC
     107  2008-04-13
    1793  2008-04-14
  888666  2008-04-15
 5745738  2008-04-16
  170444  2008-04-17
It began at roughly 2008-04-15 05:00:06 UTC and really hit its stride at
roughly 2008-04-16 16:00:00 UTC.
 Flows  Hour UTC 2008-04-15
   196  00
   251  01
   248  02
   251  03
   399  04
 96784  05
 71930  06
 25441  07
 19989  08
 48781  09
 46374  10
 40718  11
 41576  12
 42410  13
 41857  14
 43305  15
 43513  16
 47456  17
 42951  18
 47727  19
 47286  20
 41079  21
 47644  22
 50500  23

 Flows  Hour UTC 2008-04-16
 50779  00
 50857  01
 48596  02
 46331  03
 45777  04
 82284  05
 52727  06
 46043  07
 48433  08
 52527  09
 49003  10
 73790  11
 65940  12
 61947  13
 84779  14
 69450  15
 97258  16
397240  17
773230  18
750184  19
922989  20
897201  21
882603  22
 95770  23

 Flows  Hour UTC 2008-04-17
110337  00
 60107  01
The sampled flows for 2008-04-16 UTC alone point to at least 337,441,460
bytes of attack traffic.
> 4134 | 121.14.151.239 | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134 | 58.221.28.35 | CHINANET-BACKBONE No.31,Jin-rong Street
> 4837 | 218.61.11.32 | CHINA169-BACKBONE CNCGROUP China169 Backbone
Bupkes on these Windows hosts, sorry.
Based on traffic patterns all four IPs have TCP 7000 open and in use.
That explains the port selection.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
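An added example, not part of Rob Thomas's post and not a Team Cymru tool: a small Python script that embeds the hourly flow counts from the post and flags the hours where the count jumps against a trailing-median baseline. The rule (median of the previous four hours, a 4x ratio, an absolute floor of 1000 flows) is an assumption chosen for illustration. On the post's own numbers it reports two onsets, 05:00 UTC on 2008-04-15 and 17:00 UTC on 2008-04-16 (the first hour that clears the ratio; the post puts the stride at roughly 16:00), and its daily sums reproduce the per-day table.

```python
"""Locate the onset of a flood in hourly flow counts.

Added example, not from the post. The hourly figures are the ones listed in
the post (2008-04-15 00h UTC through 2008-04-17 01h UTC); the detection rule
is an assumption chosen for illustration.
"""
from statistics import median

# (date, hour UTC, flows), copied from the post's hourly tables.
HOURLY_FLOWS = [
    ("2008-04-15", 0, 196), ("2008-04-15", 1, 251), ("2008-04-15", 2, 248),
    ("2008-04-15", 3, 251), ("2008-04-15", 4, 399), ("2008-04-15", 5, 96784),
    ("2008-04-15", 6, 71930), ("2008-04-15", 7, 25441), ("2008-04-15", 8, 19989),
    ("2008-04-15", 9, 48781), ("2008-04-15", 10, 46374), ("2008-04-15", 11, 40718),
    ("2008-04-15", 12, 41576), ("2008-04-15", 13, 42410), ("2008-04-15", 14, 41857),
    ("2008-04-15", 15, 43305), ("2008-04-15", 16, 43513), ("2008-04-15", 17, 47456),
    ("2008-04-15", 18, 42951), ("2008-04-15", 19, 47727), ("2008-04-15", 20, 47286),
    ("2008-04-15", 21, 41079), ("2008-04-15", 22, 47644), ("2008-04-15", 23, 50500),
    ("2008-04-16", 0, 50779), ("2008-04-16", 1, 50857), ("2008-04-16", 2, 48596),
    ("2008-04-16", 3, 46331), ("2008-04-16", 4, 45777), ("2008-04-16", 5, 82284),
    ("2008-04-16", 6, 52727), ("2008-04-16", 7, 46043), ("2008-04-16", 8, 48433),
    ("2008-04-16", 9, 52527), ("2008-04-16", 10, 49003), ("2008-04-16", 11, 73790),
    ("2008-04-16", 12, 65940), ("2008-04-16", 13, 61947), ("2008-04-16", 14, 84779),
    ("2008-04-16", 15, 69450), ("2008-04-16", 16, 97258), ("2008-04-16", 17, 397240),
    ("2008-04-16", 18, 773230), ("2008-04-16", 19, 750184), ("2008-04-16", 20, 922989),
    ("2008-04-16", 21, 897201), ("2008-04-16", 22, 882603), ("2008-04-16", 23, 95770),
    ("2008-04-17", 0, 110337), ("2008-04-17", 1, 60107),
]


def daily_totals(counts):
    """Sum hourly flows per day; lets you cross-check the per-day table."""
    totals = {}
    for date, _hour, flows in counts:
        totals[date] = totals.get(date, 0) + flows
    return totals


def detect_surge_onsets(counts, window=4, ratio=4.0, min_flows=1000):
    """Return (date, hour, flows, baseline) for each hour that starts a surge.

    An hour is "surging" when its flow count is at least `ratio` times the
    median of the preceding `window` hours and at least `min_flows` (the
    absolute floor stops a 200-to-800 blip from alerting). Only the first
    hour of each consecutive run is reported. Window, ratio and floor are
    illustrative defaults, not values from the post.
    """
    onsets = []
    surging = False
    for i in range(window, len(counts)):
        date, hour, flows = counts[i]
        baseline = median(c for _, _, c in counts[i - window:i])
        now_surging = flows >= min_flows and flows >= ratio * baseline
        if now_surging and not surging:
            onsets.append((date, hour, flows, baseline))
        surging = now_surging
    return onsets


if __name__ == "__main__":
    for date, total in sorted(daily_totals(HOURLY_FLOWS).items()):
        print(f"{date}: {total:>9,} flows")
    for date, hour, flows, baseline in detect_surge_onsets(HOURLY_FLOWS):
        print(f"surge onset {date} {hour:02d}:00 UTC: {flows:,} flows "
              f"vs trailing median {baseline:,.0f}")
```

The trailing median soaks up the flood within a few hours, which is why only 17:00 and 18:00 UTC on 2008-04-16 pass the ratio test and why the function reports onsets rather than durations; to measure how long a flood lasts, freeze the baseline at the onset instead of letting it slide. The post's 337,441,460 bytes over 5,745,738 sampled flows works out to roughly 59 bytes per flow, i.e. one small packet per flow, which is what SYN-ACK backscatter looks like in flow data.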