[nsp-sec] TCP/1533 increase

Neil Long neil.long at cymru.com
Thu May 29 18:10:11 EDT 2008


On 27 May 2008, at 15:07, Jose Nazario wrote:

> ----------- nsp-security Confidential --------
>
> SANS ISC is reporting a rise in TCP/1533 scanning in the past few
> days. It may be related to a new, pre-auth issue in Lotus Sametime:
>
> http://www.zerodayinitiative.com/advisories/ZDI-08-028/
>
> Here's ATLAS' view of the top sources in the past 24h for this
> service:
>
>     88.33.200.204     99.0%
>     60.190.114.222     1%
>
> We're seeing a similar pattern to what the ISC is seeing ...
>


Hi Jose

I delayed replying until I saw the scans start up again yesterday, but you may find the following interesting.

A scan for tcp-1733 appeared back on May 11th:

133.96.71.195.in-addr.arpa domain name pointer w03p-1040.srv.mediaways.net.

    AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
    6805    | 195.71.96.133    | 195.71.0.0/16       | DE | ripencc  | 1997-01-28 | TDDE-ASN1 Telefonica Deutschland Autonomous System

This was picked up in 3 darknet spaces and puzzled me (OK, bugged me) as I couldn't find much of any kind of explanation.

Anyway, I saw the tcp-1533 scans start on the 23rd, but they faded by the 25th (a couple seen on the 26th), and the Bugtraq posting neatly explained 1533. I am guessing 'someone' misheard 1533 as 1733 and thought to get ahead of the crowd. I assume these are recons rather than active exploits, and that the bad guys also know how to run databases and have the candidates ready and waiting for when an exploit comes out.

When your posting came along pointing out that SANS was discussing this, I was not surprised to see scans pick up again on the 28th.

Here are the IPs I have seen so far (today's data won't be ready before I head to bed :-).

These are first-date-seen timestamps (GMT=0):

7018    | 12.156.164.14    | 2008-05-28 07:17:4700 | ATT-INTERNET4 - AT&T WorldNet Services
7018    | 12.156.164.31    | 2008-05-25 22:01:1300 | ATT-INTERNET4 - AT&T WorldNet Services
2819    | 62.77.76.167     | 2008-05-23 11:00:4800 | GTSCZ GTS NOVERA (GTS CZ)
42612   | 82.98.141.34     | 2008-05-24 11:16:2600 | DINAHOSTING-AS ASN de Dinahosting SL
42612   | 82.98.142.2      | 2008-05-26 14:37:2400 | DINAHOSTING-AS ASN de Dinahosting SL
3292    | 83.90.254.156    | 2008-05-24 10:25:4900 | TDC TDC Data Networks
31103   | 84.19.184.81     | 2008-05-28 14:44:1100 | KEYWEB-AS Keyweb AG
34513   | 85.198.32.226    | 2008-05-22 22:22:4400 | TSTONLINE-AS TSTonline connection provider
3269    | 88.33.200.204    | 2008-05-25 07:42:4800 | ASN-IBSNAZ TELECOM ITALIA
34619   | 89.19.4.74       | 2008-05-24 18:43:2600 | CIZGI Cizgi Telekomunikasyon Autonomous System
34619   | 89.19.6.178      | 2008-05-24 10:16:2600 | CIZGI Cizgi Telekomunikasyon Autonomous System
16276   | 91.121.66.222    | 2008-05-28 15:42:0200 | OVH OVH
5391    | 195.29.45.19     | 2008-05-22 23:30:2500 | T-HT T-Com Croatia Internet network
15746   | 195.246.222.16   | 2008-05-23 00:14:0600 | ASN-MERCURIO72
7796    | 216.240.150.178  | 2008-05-24 13:31:3800 | ATMLINK - ATMLINK, INC.
9121    | 217.195.203.146  | 2008-05-25 00:40:0900 | TTNET TTnet Autonomous System

Targeted darknet space not included of course :-)

Cheers
Neil
--
Neil Long, Team Cymru
http://www.cymru.com | +1 312 924 4022 | neil at cymru.com
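One way to derive a first-date-seen table and an ATLAS-style top-sources share from raw darknet SYN records, as an added example that is not Neil's or Team Cymru's tooling; the record format and the sample addresses are constructed, and the port of interest (1533) is a parameter:

```python
from collections import defaultdict
from datetime import datetime

# Constructed darknet sensor records (not data from the post):
# "date time src dst dport tcp_flags", one SYN per line.
SAMPLE_FLOWS = """\
2008-05-23 11:00:48 192.0.2.10 203.0.113.7 1533 S
2008-05-23 11:00:49 192.0.2.10 203.0.113.8 1533 S
2008-05-24 10:25:49 198.51.100.5 203.0.113.9 1533 S
2008-05-24 10:25:50 192.0.2.10 203.0.113.10 1733 S
2008-05-28 07:17:47 192.0.2.77 203.0.113.11 1533 S
2008-05-28 14:44:11 192.0.2.200 203.0.113.14 1533 S
2008-05-28 15:42:02 198.51.100.5 203.0.113.12 1533 S
2008-05-28 15:42:03 198.51.100.5 203.0.113.13 80 S
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport, flags) tuples from the constructed format."""
    for line in text.splitlines():
        day, clock, src, dst, dport, flags = line.split()
        yield datetime.fromisoformat(f"{day} {clock}"), src, dst, int(dport), flags


def first_seen_by_source(text, port):
    """Earliest SYN per source IP towards `port` (the first-date-seen table),
    ordered by that timestamp. Only SYN-flagged records count as probes."""
    first = {}
    for ts, src, _dst, dport, flags in parse_flows(text):
        if dport != port or "S" not in flags:
            continue
        if src not in first or ts < first[src]:
            first[src] = ts
    return dict(sorted(first.items(), key=lambda kv: kv[1]))


def share_by_source(text, port):
    """Fraction of probes to `port` per source (the ATLAS top-sources view).
    One source near 100% means a lone scanner, not a worm-like spread."""
    counts = defaultdict(int)
    for _ts, src, _dst, dport, _flags in parse_flows(text):
        if dport == port:
            counts[src] += 1
    total = sum(counts.values())
    return {src: n / total for src, n in counts.items()} if total else {}


def new_sources_per_day(text, port):
    """Number of sources first seen on each day; a jump marks a scan wave."""
    per_day = defaultdict(int)
    for ts in first_seen_by_source(text, port).values():
        per_day[ts.date().isoformat()] += 1
    return dict(sorted(per_day.items()))
```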