[nsp-sec] Report of successful WINS (ms09-039) compromise

Matthew.Swaar at us-cert.gov
Mon Aug 17 18:26:59 EDT 2009


Heyo, NSP-SEC!

I can confirm seeing identical scans from 221.214.82.183 on my sensors.

I'm still poking around, but on 01 Aug 2009, I also see 189.20.210.195
scanning for TCP-42 using a static source port of 6000 & 40-byte SYN
packets.  (The data pull I'm running on this is still assembling, but
189.20.210.195 appears to have hit at least a /16's worth of
destinations.)
Very Respectfully,

US-CERT Ops Center
703-235-5111
POC: Matt Swaar - Analyst
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Rob Thomas
Sent: Monday, August 17, 2009 5:11 PM
To: Gabriel Iovino
Cc: NSP nsp-security
Subject: Re: [nsp-sec] Report of successful WINS (ms09-039) compromise

----------- nsp-security Confidential --------

Hey, Gabe.

Thanks for the heads-up!

> 221.214.82.183

We see 221.214.82.183 begin scans for TCP 42 on or about 2009-08-15
09:57:48 UTC.  Those scans continue.

Expanding the query to 221.214.82.0/24, we also see TCP 42 scans from:

   221.214.82.186 on 2009-08-12 17:07:29 UTC
   221.214.82.185 on 2009-08-16 07:09:40 UTC
   221.214.82.186 on 2009-08-17 14:11:58 UTC

The source port seems to be a consistent TCP 6000.  That might help
those of you making flow queries.

221.214.82.178 was the source of an ICMP echo scan on 2009-08-05
08:57:33 UTC.

The 221.214.82.0/24 prefix includes a fair number of
Conficker-compromised hosts.

221.214.82.0/24 appears to be mostly Windows boxes.

Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
ASSERT(coffee != empty);



_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
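Both messages above describe the same flow-level fingerprint for these TCP/42 (WINS) scans: a constant source port of 6000, single 40-byte SYN packets, and one source touching a very large number of destinations, with Rob widening the query to the whole /24 once one host was found. The script below is an added example, not code from either poster or from US-CERT or Team Cymru, that turns those shared indicators into a detection over NetFlow-style records. The flow tuple layout, the private and documentation addresses, and the `min_targets` threshold are assumptions chosen for the sample; the records themselves are constructed, not real exports.

```python
"""
Flag hosts scanning TCP/42 (WINS) in NetFlow-style records using the
indicators shared on the list: constant source port 6000, bare SYN
packets of 40 bytes, and a wide spread of destination addresses.
All flows below are constructed sample data, not real flow exports.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (src, sport, dst, dport, tcp_flags, bytes, pkts).
# 10.0.0.0/8 and 192.0.2.0/24 are private/documentation ranges used as
# stand-ins for the real addresses discussed in the thread.
SAMPLE_FLOWS = [
    # Scanner: fixed source port, one 40-byte SYN per target, many targets.
    ("10.9.9.9", 6000, "192.0.2.1", 42, "S", 40, 1),
    ("10.9.9.9", 6000, "192.0.2.2", 42, "S", 40, 1),
    ("10.9.9.9", 6000, "192.0.2.3", 42, "S", 40, 1),
    ("10.9.9.9", 6000, "192.0.2.4", 42, "S", 40, 1),
    # A second host in the same /24 showing the same probe pattern.
    ("10.9.9.12", 6000, "192.0.2.30", 42, "S", 40, 1),
    # Legitimate WINS client: ephemeral source port, completed handshake, payload.
    ("10.1.1.5", 49152, "10.1.1.10", 42, "SA", 1380, 9),
    # Ordinary web traffic, unrelated to WINS.
    ("10.1.1.7", 50123, "192.0.2.9", 80, "SA", 2200, 12),
    # Matches the probe fingerprint but only reaches two targets.
    ("10.8.8.8", 6000, "192.0.2.20", 42, "S", 40, 1),
    ("10.8.8.8", 6000, "192.0.2.21", 42, "S", 40, 1),
]


def is_probe(flow):
    """True when a single flow matches the TCP/42 probe fingerprint from the thread."""
    src, sport, dst, dport, flags, nbytes, pkts = flow
    return (
        dport == 42          # WINS
        and sport == 6000    # static source port reported by both posters
        and flags == "S"     # bare SYN, no handshake completed
        and nbytes == 40     # 40-byte SYN packets
        and pkts == 1
    )


def find_wins_scanners(flows, min_targets=3):
    """Return {src: distinct_target_count} for sources whose probe spread is
    at least min_targets (assumed threshold; the real scan covered a /16)."""
    targets = defaultdict(set)
    for flow in flows:
        if is_probe(flow):
            targets[flow[0]].add(flow[2])
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def probes_from_prefix(flows, prefix):
    """Widen the query the way the thread did: every source inside `prefix`
    that emitted at least one TCP/42 probe, sorted for stable output."""
    net = ip_network(prefix)
    return sorted({f[0] for f in flows
                   if is_probe(f) and ip_address(f[0]) in net})


if __name__ == "__main__":
    for src, count in find_wins_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {count} distinct TCP/42 targets with sport 6000")
    print("probers in 10.9.9.0/24:", probes_from_prefix(SAMPLE_FLOWS, "10.9.9.0/24"))
```

The spread threshold is what separates a scanner from a misconfigured host that hits one or two neighbours; in production it would be set against the sensor's own coverage rather than the three targets used here, and the source-port check should be treated as a convenience for flow queries, not a requirement, since a different scanner can pick any port.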
