[nsp-sec] Constant scanning from the same /24 in AS4837

Smith, Donald Donald.Smith at qwest.com
Tue Sep 30 20:45:33 EDT 2008


Was this UDP or tcp?
Were all the packets the same size but too large to be a scan?
If so this is probably spoofed windows messenger spam.
 
donald.smith at qwest.com giac
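Donald's size/protocol test and Yiming's per-source darknet table can be combined into one triage pass. The script below is an added example, not code from the thread or from either poster; the darknet records, the 64-byte probe threshold and the function names are constructed for illustration.

```python
from collections import defaultdict
from statistics import pstdev

MESSENGER_PORTS = {1026, 1027}
PROBE_MAX_PAYLOAD = 64  # assumed threshold: a bare port probe carries little or no data

# Constructed sample darknet records: (timestamp, src, proto, dport, udp payload bytes)
RECORDS = [
    ("2008-09-30 08:00:02", "202.97.238.195", "udp", 1026, 412),
    ("2008-09-30 08:05:02", "202.97.238.195", "udp", 1027, 412),
    ("2008-09-30 08:10:02", "202.97.238.195", "udp", 1026, 412),
    ("2008-09-30 07:15:02", "202.97.238.196", "udp", 1026, 0),
    ("2008-09-30 07:20:02", "202.97.238.196", "udp", 1027, 0),
    ("2008-09-30 06:00:00", "202.97.238.200", "tcp", 1026, 0),
]

def summarize(records):
    """Group hits per source address: ports, protocols, payload sizes, first/last seen
    (the same columns as the darknet table in the thread)."""
    per_src = defaultdict(lambda: {"ports": set(), "protos": set(), "sizes": [],
                                   "first": None, "last": None})
    for ts, src, proto, dport, size in records:
        s = per_src[src]
        s["ports"].add(dport)
        s["protos"].add(proto)
        s["sizes"].append(size)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return per_src

def classify(summary):
    """Apply the heuristic from the thread: UDP-only traffic to 1026/1027 whose packets
    are all the same size and too large for a probe looks like Messenger pop-up spam,
    whose source address is likely spoofed; tiny payloads look like a real scan."""
    if summary["protos"] != {"udp"} or not summary["ports"] <= MESSENGER_PORTS:
        return "other"
    sizes = summary["sizes"]
    uniform = len(sizes) > 1 and pstdev(sizes) == 0
    if uniform and sizes[0] > PROBE_MAX_PAYLOAD:
        return "messenger-spam-likely"  # treat the source as unverified; capture full packets
    if max(sizes) <= PROBE_MAX_PAYLOAD:
        return "scan-like"
    return "inconclusive"

def triage(records):
    """Return a verdict per source address."""
    return {src: classify(s) for src, s in summarize(records).items()}
```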

________________________________

From: nsp-security-bounces at puck.nether.net on behalf of Gong, Yiming
Sent: Tue 9/30/2008 8:14 AM
To: Chris Morrow; Daniel Adinolfi
Cc: nsp-security NSP
Subject: Re: [nsp-sec] Constant scanning from the same /24 in AS4837



----------- nsp-security Confidential --------

Actually most hosts behind this subnet started to scan ports 1026 and
1027 since July this year; the following shows the statistics from my
small darknet.

And you can see the IPs are sequential, from 195 to 211, and then from
227 to 235.

+----------------+-----------+---------------------+---------------------+
| sip            | dport     | first seen          | last seen           |
+----------------+-----------+---------------------+---------------------+
| 202.97.238.195 | 1027,1026 | 2008-07-29 04:20:02 | 2008-09-30 08:35:02 |
| 202.97.238.196 | 1026,1027 | 2008-07-30 04:05:01 | 2008-09-30 07:15:02 |
| 202.97.238.197 | 1027,1026 | 2008-07-28 21:20:01 | 2008-09-30 07:50:02 |
| 202.97.238.198 | 1027,1026 | 2008-07-29 21:05:03 | 2008-09-30 08:00:02 |
| 202.97.238.199 | 1026,1027 | 2008-07-30 08:05:01 | 2008-09-30 05:25:01 |
| 202.97.238.200 | 1027,1026 | 2008-07-29 22:15:02 | 2008-09-30 07:30:01 |
| 202.97.238.201 | 1026,1027 | 2008-07-30 04:00:03 | 2008-09-30 00:50:02 |
| 202.97.238.202 | 1027,1026 | 2008-07-29 08:50:02 | 2008-09-30 06:20:02 |
| 202.97.238.203 | 1027,1026 | 2008-08-21 23:05:02 | 2008-09-29 21:25:03 |
| 202.97.238.204 | 1026,1027 | 2008-08-01 19:50:02 | 2008-09-30 05:05:02 |
| 202.97.238.205 | 1027,1026 | 2008-08-25 02:50:06 | 2008-09-30 06:10:01 |
| 202.97.238.206 | 1026,1027 | 2008-08-01 15:40:02 | 2008-09-30 08:25:02 |
| 202.97.238.207 | 1027,1026 | 2008-07-31 02:15:01 | 2008-09-30 05:00:02 |
| 202.97.238.208 | 1027,1026 | 2008-07-31 02:10:01 | 2008-09-28 19:00:02 |
| 202.97.238.209 | 1026,1027 | 2008-07-31 01:45:02 | 2008-09-29 22:10:01 |
| 202.97.238.210 | 1027,1026 | 2008-07-31 03:05:02 | 2008-09-30 02:10:02 |
| 202.97.238.211 | 1027,1026 | 2008-07-31 03:10:02 | 2008-09-28 19:00:02 |
| 202.97.238.226 | 1026,1027 | 2008-07-28 21:45:02 | 2008-09-30 08:00:02 |
| 202.97.238.227 | 1026      | 2008-07-31 01:15:02 | 2008-07-31 03:35:02 |
| 202.97.238.228 | 1027,1026 | 2008-07-30 02:10:01 | 2008-09-30 03:25:02 |
| 202.97.238.229 | 1026,1027 | 2008-07-29 03:50:01 | 2008-09-30 04:40:02 |
| 202.97.238.230 | 1026,1027 | 2008-07-29 00:30:01 | 2008-09-30 05:00:02 |
| 202.97.238.231 | 1026,1027 | 2008-07-29 02:10:02 | 2008-09-30 07:45:01 |
| 202.97.238.232 | 1026,1027 | 2008-08-07 23:20:01 | 2008-09-30 00:35:02 |
| 202.97.238.233 | 1027,1026 | 2008-07-31 20:30:02 | 2008-09-30 08:00:02 |
| 202.97.238.234 | 1027,1026 | 2008-07-28 23:15:02 | 2008-09-30 07:25:02 |
| 202.97.238.235 | 1026,1027 | 2008-07-29 10:40:02 | 2008-09-30 07:05:02 |
+----------------+-----------+---------------------+---------------------+

Regards,

Yiming


> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Chris Morrow
> Sent: Tuesday, September 30, 2008 8:14 AM
> To: Daniel Adinolfi
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] Constant scanning from the same /24 in AS4837
>
> ----------- nsp-security Confidential --------
>
>
>
> On Tue, 30 Sep 2008, Daniel Adinolfi wrote:
>
> > ----------- nsp-security Confidential --------
> >
> > Folks,
> >
> > For the last month, we've been seeing udp scans of our networks on ports 1026
> > and 1027 from various hosts in the 202.97.238/24 network. A sample from last
> > night:
> >
> > 202.97.238.195 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.197 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.199 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.201 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.206 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.207 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.210 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.211 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.226 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.230 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.231 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.233 (not registered) : ports : 1026/udp 1027/udp
> > 202.97.238.235 (not registered) : ports : 1026/udp 1027/udp
>
> grab the content, I'd bet it has messenger spam in it :( (pop-up spam
> whatever the silly 'send a message to your lan-mate' crap is)
>
> >
> > It's not particularly bothersome, but after a month, maybe they want to quit
> > it?  Does anyone have a contact there who can bop them on the head?
>
> I doubt it's actually coming from there :( most of this is spoofed since
> it's udp and one-way is all that matters... grab some full packets if you
> can.
>
> -Chris
>


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
