[nsp-sec] Constant scanning from the same /24 in AS4837
Chris Morrow
morrowc at ops-netman.net
Tue Sep 30 11:13:44 EDT 2008
On Tue, 30 Sep 2008, Gong, Yiming wrote:
> Actually most hosts behind this subnet started to scan port 1026 and
> 1027 ever since July this year, the following shows the statistic number
> from my small darknet.
>
> And you can see the IPs are sequential, from 195 to 211, and then from
> 227 to 235.
>
Are you seeing these from the interface in front of this subnet? Or is
this just 'my darknet too got scanned'?

I ask because most often this really is spoofed, though I never did figure
out why they spoof Chinese sources when they do messenger spams...

-chris

>>> ----------- nsp-security Confidential --------
>>>
>>> Folks,
>>>
>>> For the last month, we've been seeing udp scans of our networks on ports 1026
>>> and 1027 from various hosts in the 202.97.238/24 network. A sample from last
>>> night:
>>>
>>
>> grab the content, I'd bet it has messenger spam in it :( (pop-up spam
>> whatever the silly 'send a message to your lan-mate' crap is)
>>
>>>
>>> It's not particularly bothersome, but after a month, maybe they want to quit
>>> it? Does anyone have a contact there who can bop them on the head?
>>
>> I doubt it's actually coming from there :( most of this is spoofed since
>> it's udp and one-way is all that matters... grab some full packets if you
>> can.
>>
>> -Chris
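
The advice in the message above to grab full packets can be followed by a payload check such as this one, which tests whether a captured UDP payload is a connectionless DCE/RPC request to the Windows Messenger interface. It is an added example, not part of the original thread; the function names are hypothetical and the sample datagram is constructed, with a simplified body that is not valid NDR.

```python
import re
import struct
import uuid

# Interface UUID of the Windows Messenger "send" RPC service (msgsvcsend).
MSGSVCSEND = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
DG_HDR_LEN = 80  # fixed length of a DCE/RPC connectionless (datagram) header


def classify_payload(payload: bytes) -> dict:
    """Classify one captured UDP payload (e.g. seen on ports 1026/1027)."""
    result = {"dcerpc_dg": False, "messenger": False, "strings": []}
    # Connectionless DCE/RPC is protocol version 4; anything else is not RPC.
    if len(payload) < DG_HDR_LEN or payload[0] != 4:
        return result
    result["dcerpc_dg"] = True
    little = bool(payload[4] & 0x10)      # drep[0] selects integer byte order
    end = "<" if little else ">"
    raw_if = payload[24:40]               # interface UUID field
    iface = uuid.UUID(bytes_le=raw_if) if little else uuid.UUID(bytes=raw_if)
    opnum, = struct.unpack_from(end + "H", payload, 68)
    body_len, = struct.unpack_from(end + "H", payload, 74)
    body = payload[DG_HDR_LEN:DG_HDR_LEN + body_len]
    # ptype 0 = request; opnum 0 on msgsvcsend carries the popup text.
    result["messenger"] = payload[1] == 0 and iface == MSGSVCSEND and opnum == 0
    if result["messenger"]:
        # Printable runs in the body are what an analyst reads as the spam text.
        result["strings"] = [s.decode() for s in re.findall(rb"[\x20-\x7e]{4,}", body)]
    return result


def build_sample(sender: str, target: str, message: str) -> bytes:
    """Constructed test datagram (not a capture); body is NUL-separated text."""
    body = b"\x00".join(s.encode() for s in (sender, target, message)) + b"\x00"
    hdr = struct.pack("<BBBB3sB", 4, 0, 0, 0, b"\x10\x00\x00", 0)
    hdr += bytes(16) + MSGSVCSEND.bytes_le + uuid.UUID(int=1).bytes_le
    hdr += struct.pack("<IIIHHHHHBB", 0, 1, 0, 0, 0xFFFF, 0xFFFF, len(body), 0, 0, 0)
    return hdr + body


if __name__ == "__main__":
    sample = build_sample("SYSTEM", "ALERT", "CONSTRUCTED SAMPLE: popup text")
    print(classify_payload(sample))
    print(classify_payload(b"\x00" * 120))   # non-RPC UDP payload
```

A positive result describes only the payload; it says nothing about whether the source address on the packet is genuine.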