[nsp-sec] Constant scanning from the same /24 in AS4837
Gong, Yiming
yiming.gong at xo.com
Tue Sep 30 10:14:54 EDT 2008
Actually most hosts behind this subnet started to scan ports 1026 and
1027 ever since July this year; the following shows the statistics
from my small darknet.
And you can see the IPs are sequential, from 195 to 211, and then from
227 to 235.
+----------------+-----------+---------------------+---------------------+
| sip            | dport     | first seen          | last seen           |
+----------------+-----------+---------------------+---------------------+
| 202.97.238.195 | 1027,1026 | 2008-07-29 04:20:02 | 2008-09-30 08:35:02 |
| 202.97.238.196 | 1026,1027 | 2008-07-30 04:05:01 | 2008-09-30 07:15:02 |
| 202.97.238.197 | 1027,1026 | 2008-07-28 21:20:01 | 2008-09-30 07:50:02 |
| 202.97.238.198 | 1027,1026 | 2008-07-29 21:05:03 | 2008-09-30 08:00:02 |
| 202.97.238.199 | 1026,1027 | 2008-07-30 08:05:01 | 2008-09-30 05:25:01 |
| 202.97.238.200 | 1027,1026 | 2008-07-29 22:15:02 | 2008-09-30 07:30:01 |
| 202.97.238.201 | 1026,1027 | 2008-07-30 04:00:03 | 2008-09-30 00:50:02 |
| 202.97.238.202 | 1027,1026 | 2008-07-29 08:50:02 | 2008-09-30 06:20:02 |
| 202.97.238.203 | 1027,1026 | 2008-08-21 23:05:02 | 2008-09-29 21:25:03 |
| 202.97.238.204 | 1026,1027 | 2008-08-01 19:50:02 | 2008-09-30 05:05:02 |
| 202.97.238.205 | 1027,1026 | 2008-08-25 02:50:06 | 2008-09-30 06:10:01 |
| 202.97.238.206 | 1026,1027 | 2008-08-01 15:40:02 | 2008-09-30 08:25:02 |
| 202.97.238.207 | 1027,1026 | 2008-07-31 02:15:01 | 2008-09-30 05:00:02 |
| 202.97.238.208 | 1027,1026 | 2008-07-31 02:10:01 | 2008-09-28 19:00:02 |
| 202.97.238.209 | 1026,1027 | 2008-07-31 01:45:02 | 2008-09-29 22:10:01 |
| 202.97.238.210 | 1027,1026 | 2008-07-31 03:05:02 | 2008-09-30 02:10:02 |
| 202.97.238.211 | 1027,1026 | 2008-07-31 03:10:02 | 2008-09-28 19:00:02 |
| 202.97.238.226 | 1026,1027 | 2008-07-28 21:45:02 | 2008-09-30 08:00:02 |
| 202.97.238.227 | 1026      | 2008-07-31 01:15:02 | 2008-07-31 03:35:02 |
| 202.97.238.228 | 1027,1026 | 2008-07-30 02:10:01 | 2008-09-30 03:25:02 |
| 202.97.238.229 | 1026,1027 | 2008-07-29 03:50:01 | 2008-09-30 04:40:02 |
| 202.97.238.230 | 1026,1027 | 2008-07-29 00:30:01 | 2008-09-30 05:00:02 |
| 202.97.238.231 | 1026,1027 | 2008-07-29 02:10:02 | 2008-09-30 07:45:01 |
| 202.97.238.232 | 1026,1027 | 2008-08-07 23:20:01 | 2008-09-30 00:35:02 |
| 202.97.238.233 | 1027,1026 | 2008-07-31 20:30:02 | 2008-09-30 08:00:02 |
| 202.97.238.234 | 1027,1026 | 2008-07-28 23:15:02 | 2008-09-30 07:25:02 |
| 202.97.238.235 | 1026,1027 | 2008-07-29 10:40:02 | 2008-09-30 07:05:02 |
+----------------+-----------+---------------------+---------------------+
Regards,
Yiming
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Chris Morrow
> Sent: Tuesday, September 30, 2008 8:14 AM
> To: Daniel Adinolfi
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] Constant scanning from the same /24 in AS4837
>
> ----------- nsp-security Confidential --------
>
>
>
> On Tue, 30 Sep 2008, Daniel Adinolfi wrote:
>
> > ----------- nsp-security Confidential --------
> >
> > Folks,
> >
> > For the last month, we've been seeing udp scans of our networks on ports 1026
> > and 1027 from various hosts in the 202.97.238/24 network. A sample from last
> > night:
> >
> > 202.97.238.195 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.197 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.199 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.201 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.206 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.207 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.210 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.211 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.226 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.230 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.231 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.233 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.235 (not registered) : ports : 1026/udp 1027/udp
>
> grab the content, I'd bet it has messenger spam in it :( (pop-up spam
> whatever the silly 'send a message to your lan-mate' crap is)
>
> >
> > It's not particularly bothersome, but after a month, maybe they want to quit
> > it? Does anyone have a contact there who can bop them on the head?
>
> I doubt it's actually coming from there :( most of this is spoofed since
> it's udp and one-way is all that matters... grab some full packets if you
> can.
>
> -Chris
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
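An added example, not tooling from any of the list members, showing how a darknet operator could turn rows in the layout of the table above into the observation Yiming makes by eye: per /24, which last octets form contiguous runs, which ports were hit, how long the source block has been active, and which hosts were only seen briefly (like .227). The sample rows are a constructed subset copied from the table; the one-day "transient" threshold is an assumption chosen for illustration.

```python
"""Summarize darknet sightings of UDP scanners by source /24.

Added example; the SAMPLE_TABLE rows are a constructed subset of the
darknet table in the post, in its pipe-delimited layout.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sip | dport | first seen | last seen
SAMPLE_TABLE = """\
| 202.97.238.195 | 1027,1026 | 2008-07-29 04:20:02 | 2008-09-30 08:35:02 |
| 202.97.238.196 | 1026,1027 | 2008-07-30 04:05:01 | 2008-09-30 07:15:02 |
| 202.97.238.197 | 1027,1026 | 2008-07-28 21:20:01 | 2008-09-30 07:50:02 |
| 202.97.238.198 | 1027,1026 | 2008-07-29 21:05:03 | 2008-09-30 08:00:02 |
| 202.97.238.201 | 1026,1027 | 2008-07-30 04:00:03 | 2008-09-30 00:50:02 |
| 202.97.238.202 | 1027,1026 | 2008-07-29 08:50:02 | 2008-09-30 06:20:02 |
| 202.97.238.226 | 1026,1027 | 2008-07-28 21:45:02 | 2008-09-30 08:00:02 |
| 202.97.238.227 | 1026      | 2008-07-31 01:15:02 | 2008-07-31 03:35:02 |
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_table(text):
    """Parse pipe-delimited rows into (ip, {ports}, first_seen, last_seen).

    Border, blank and header lines are skipped because they do not yield
    four cells with a valid address and timestamps.
    """
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        try:
            ip = ipaddress.ip_address(cells[0])
            ports = {int(p) for p in cells[1].split(",") if p}
            first = datetime.strptime(cells[2], TS_FORMAT)
            last = datetime.strptime(cells[3], TS_FORMAT)
        except ValueError:
            continue  # header row or malformed line
        rows.append((ip, ports, first, last))
    return rows


def contiguous_runs(octets):
    """Collapse a set of last octets into sorted (start, end) runs."""
    runs = []
    for o in sorted(octets):
        if runs and o == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], o)
        else:
            runs.append((o, o))
    return runs


def summarize(rows, transient=timedelta(days=1)):
    """Group sightings by /24 and describe each block's scanning footprint.

    Note: a tidy run of source addresses does not by itself prove the
    traffic originates there; as the reply in the thread points out, UDP
    sources can be spoofed, so pair this with captured payloads.
    """
    by_net = defaultdict(list)
    for row in rows:
        net = ipaddress.ip_network(f"{row[0]}/24", strict=False)
        by_net[net].append(row)

    report = {}
    for net, sightings in by_net.items():
        octets = {int(ip) & 0xFF for ip, *_ in sightings}
        ports = set().union(*(p for _, p, *_ in sightings))
        first = min(f for _, _, f, _ in sightings)
        last = max(l for *_, l in sightings)
        short_lived = sorted(str(ip) for ip, _, f, l in sightings
                             if l - f < transient)
        report[str(net)] = {
            "hosts": len(sightings),
            "runs": contiguous_runs(octets),
            "ports": sorted(ports),
            "active_days": (last - first).days,
            "transient_hosts": short_lived,
        }
    return report


if __name__ == "__main__":
    for net, info in summarize(parse_table(SAMPLE_TABLE)).items():
        print(net, info)
```

Feeding the full table from the post through `parse_table` gives the two runs Yiming describes (plus .226, which sits in front of the second run) and singles out .227 as the only source that vanished after a couple of hours.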