[nsp-sec] Report of successful WINS (ms09-039) compromise
Yiming Gong
yiming.gong at xo.com
Mon Aug 17 17:37:56 EDT 2009
For hosts in the 221.214.82.18x netblock, two of them started to hit my
darknet a few days ago, and besides dst port 42, host 221.214.82.186 also
scanned port 45; all used source port 6000, though.

Quick summary (central time):
+----------------+---------------------+----------+----------+----------+
| sip            | first time seen     | Sport(s) | Dport(s) | count(*) |
+----------------+---------------------+----------+----------+----------+
| 221.214.82.186 | 2009-08-12 12:20:03 | 6000     | 42,45    |     1088 |
| 221.214.82.185 | 2009-08-13 08:10:03 | 6000     | 42       |        2 |
+----------------+---------------------+----------+----------+----------+
Yiming
On 08/17/2009 04:10 PM, Rob Thomas wrote:
> ----------- nsp-security Confidential --------
>
> Hey, Gabe.
>
> Thanks for the heads-up!
>
>> 221.214.82.183
>
> We see 221.214.82.183 begin scans for TCP 42 on or about 2009-08-15
> 09:57:48 UTC. Those scans continue.
>
> Expanding the query to 221.214.82.0/24, we also see TCP 42 scans from:
>
> 221.214.82.186 on 2009-08-12 17:07:29 UTC
> 221.214.82.185 on 2009-08-16 07:09:40 UTC
> 221.214.82.186 on 2009-08-17 14:11:58 UTC
>
> The source port seems to be a consistent TCP 6000. That might help
> those of you making flow queries.
>
> 221.214.82.178 was the source of an ICMP echo scan on 2009-08-05
> 08:57:33 UTC.
>
> The 221.214.82.0/24 prefix includes a fair number of
> Conficker-compromised hosts.
>
> 221.214.82.0/24 appears to be mostly Windows boxes.
>
> Thanks,
> Rob.
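The thread's detection heuristic is simple: TCP flows from 221.214.82.0/24 toward port 42 (WINS, the MS09-039 service) and 45, with the consistent source port 6000, grouped by source address into a first-seen/ports/count summary like the one above. The following is an added example, not code from either poster; it works over a constructed one-line-per-flow text format (timestamp, sip, sport, dip, dport, proto) with darknet destinations drawn from the 192.0.2.0/24 documentation range, and reproduces the quick-summary table from such records. The function names and the flow format are assumptions.

```python
"""Summarise suspected MS09-039 (WINS, TCP 42) scanners from flow records.

Added example, not part of the original thread. The flow line format and
the sample records below are constructed; destination addresses come from
the 192.0.2.0/24 documentation range.
"""
import ipaddress
from datetime import datetime

# Constructed sample flow records: "date time sip sport dip dport proto"
SAMPLE_FLOWS = """\
2009-08-12 12:20:03 221.214.82.186 6000 192.0.2.17 42 tcp
2009-08-12 12:20:05 221.214.82.186 6000 192.0.2.18 45 tcp
2009-08-12 12:21:10 221.214.82.186 6000 192.0.2.19 42 tcp
2009-08-13 08:10:03 221.214.82.185 6000 192.0.2.20 42 tcp
2009-08-13 08:10:04 221.214.82.185 6000 192.0.2.21 42 tcp
2009-08-13 09:00:00 221.214.82.178 0 192.0.2.22 0 icmp
2009-08-13 09:05:00 203.0.113.5 51234 192.0.2.23 42 tcp
2009-08-13 09:06:00 221.214.82.186 6000 192.0.2.24 80 tcp
"""

WATCH_PREFIX = ipaddress.ip_network("221.214.82.0/24")  # prefix named in the thread
WATCH_DPORTS = {42, 45}                                 # WINS plus the extra port seen


def parse_flow(line):
    """Parse one constructed flow line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, sip, sport, dip, dport, proto = parts
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "sip": ipaddress.ip_address(sip),
        "sport": int(sport),
        "dip": ipaddress.ip_address(dip),
        "dport": int(dport),
        "proto": proto.lower(),
    }


def summarize_scanners(text, prefix=WATCH_PREFIX, dports=WATCH_DPORTS, sport=6000):
    """Group TCP flows from `prefix` to `dports` by source IP.

    Returns {sip: {"first_seen", "sports", "dports", "count"}}. The `sport`
    filter mirrors the consistent source port 6000 noted in the thread;
    pass sport=None to drop that constraint.
    """
    summary = {}
    for line in text.splitlines():
        f = parse_flow(line)
        if f is None or f["proto"] != "tcp":
            continue
        if f["sip"] not in prefix or f["dport"] not in dports:
            continue
        if sport is not None and f["sport"] != sport:
            continue
        key = str(f["sip"])
        entry = summary.setdefault(
            key, {"first_seen": f["ts"], "sports": set(), "dports": set(), "count": 0})
        entry["first_seen"] = min(entry["first_seen"], f["ts"])
        entry["sports"].add(f["sport"])
        entry["dports"].add(f["dport"])
        entry["count"] += 1
    return summary


def render_table(summary):
    """Render the summary in the same ASCII layout as the post's quick summary."""
    rows = []
    for sip, e in sorted(summary.items(), key=lambda kv: kv[1]["first_seen"]):
        rows.append((sip,
                     e["first_seen"].strftime("%Y-%m-%d %H:%M:%S"),
                     ",".join(str(p) for p in sorted(e["sports"])),
                     ",".join(str(p) for p in sorted(e["dports"])),
                     str(e["count"])))
    headers = ("sip", "first time seen", "Sport(s)", "Dport(s)", "count(*)")
    widths = [max([len(h)] + [len(r[i]) for r in rows]) for i, h in enumerate(headers)]
    sep = "+" + "+".join("-" * (w + 2) for w in widths) + "+"

    def fmt(cells):
        return "|" + "|".join(f" {c:<{w}} " for c, w in zip(cells, widths)) + "|"

    return "\n".join([sep, fmt(headers), sep] + [fmt(r) for r in rows] + [sep])


if __name__ == "__main__":
    print(render_table(summarize_scanners(SAMPLE_FLOWS)))
```

The filter deliberately drops the ICMP record and the TCP 80 flow from the same source, so only the WINS-related activity is counted; widening `dports` or setting `sport=None` lets the same routine catch scanners that do not share the fixed source port.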