[nsp-sec] Merak Mail server, TCP/32000 scanning

Smith, Donald Donald.Smith at qwest.com
Wed Sep 17 16:19:07 EDT 2008


The only matchup I get in Yiming's list out of my top 25 scanners today
was: 138 210.65.220.250. None of the top talkers Jose identified showed up in
my top 25.


Here are today's top talkers for tcp/32000.


Besides these I had a couple of Qwest customers that were talking on
tcp/32000.
They weren't scanning; they were talking to just a few hosts. Long
sessions with lots of packets. That didn't appear to be attempts to
compromise (unless it takes tons of packets with widely varying packet
sizes to compromise this thing).

Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Yiming Gong
> Sent: Wednesday, September 17, 2008 11:32 AM
> To: Jose Nazario
> Cc: Rob Thomas; nsp-security at puck.nether.net; Chris Calvert
> Subject: Re: [nsp-sec] Merak Mail server, TCP/32000 scanning
> 
> ----------- nsp-security Confidential --------
> 
> I took a look at my scan alert table, and the following are all the IPs
> which were tagged as big SYN scanner on port 32000 in the past 30 days, and
> it appears 212.175.229.194 and 62.193.229.149 are also on Jose's list.
> 
> 
> Regards!
> 
> Yiming
> 
> 
> 
> Jose Nazario wrote:
> > ----------- nsp-security Confidential --------
> > 
> > hosts that ATLAS has seen scanning on TCP/32000 in the past month,
> > ranked by bytes seen from.
> > 
> > 
> > that's it.
> > 
> > -------------------------------------------------------------
> > jose nazario, ph.d.     <jose at arbor.net>
> > security researcher, office of the CTO,  arbor networks
> > v: (734) 821 1427           http://asert.arbornetworks.com/
> > 
> > 
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> > 
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________
> 
> 
> 
> 
> 


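Donald's distinction above between port-32000 scanners (many distinct targets, a packet or so each) and customers holding long sessions with a handful of hosts can be turned into a simple flow-level triage. The Python below is an added example, not code from the list or from any poster; the flow records are constructed (documentation-range addresses) and the thresholds are assumptions, not values anyone on the thread used.

```python
"""Triage sources seen talking to tcp/32000: SYN scanner vs. ordinary talker.

Input is a list of flow records (src, dst, packets, bytes), all of which are
assumed to have destination port 32000. A scanner shows many distinct
targets with very few packets per flow; a long session shows few targets
and many packets per flow. Everything else is left for manual review.
"""
from collections import defaultdict

# Constructed sample flows (not from the mailing list):
#  - .7  probes 40 hosts with a single packet each   -> scanner
#  - .9  holds three long, packet-heavy sessions      -> talker
#  - .11 sends one packet to three hosts              -> ambiguous
FLOWS = (
    [("198.51.100.7", "203.0.113.%d" % i, 1, 60) for i in range(1, 41)]
    + [("198.51.100.9", "203.0.113.200", 4100, 2_900_000),
       ("198.51.100.9", "203.0.113.201", 3900, 2_700_000),
       ("198.51.100.9", "203.0.113.202", 3700, 2_400_000)]
    + [("198.51.100.11", "203.0.113.%d" % i, 1, 60) for i in range(50, 53)]
)


def summarize(flows):
    """Per-source distinct targets, total packets and flow count."""
    per_src = defaultdict(lambda: {"targets": set(), "packets": 0, "flows": 0})
    for src, dst, pkts, _ in flows:
        s = per_src[src]
        s["targets"].add(dst)
        s["packets"] += pkts
        s["flows"] += 1
    return per_src


def top_talkers(flows, n=25):
    """(flow count, source) pairs, largest first, like the list in the mail."""
    counts = {src: s["flows"] for src, s in summarize(flows).items()}
    return sorted(((c, src) for src, c in counts.items()), reverse=True)[:n]


def classify(flows, min_targets=20, max_pkts_per_flow=3):
    """Assumed thresholds: >=20 targets at <=3 pkts/flow is a scanner,
    fewer targets with heavier flows is a talker, anything else 'review'."""
    verdicts = {}
    for src, s in summarize(flows).items():
        targets = len(s["targets"])
        pkts_per_flow = s["packets"] / s["flows"]
        if targets >= min_targets and pkts_per_flow <= max_pkts_per_flow:
            verdicts[src] = "scanner"
        elif targets < min_targets and pkts_per_flow > max_pkts_per_flow:
            verdicts[src] = "talker"
        else:
            verdicts[src] = "review"
    return verdicts
```

Feeding real NetFlow/sFlow exports filtered to dport 32000 into `classify` reproduces the split Donald describes, and `top_talkers` gives the count-per-source ranking he posted.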