[nsp-sec] Report of successful WINS (ms09-039) compromise
Matthew.Swaar at us-cert.gov
Tue Aug 18 17:02:02 EDT 2009
Follow-up to the below:
Just looking at August, there are several IPs visible to me that are
exhibiting identical behavior. They're either working in concert, or
they're coincidentally using exactly the same method to scan systems and
aren't overlapping during the same 24h period:
Date                | Records    | Bytes       | Packets    | Scanning IP
2009/08/01T00:00:00 | 57296.00   | 2291840.00  | 57296.00   | 189.20.210.195
2009/08/04T00:00:00 | 2185975.00 | 88491200.00 | 2212280.00 | 217.219.193.65
2009/08/05T00:00:00 | 2184388.00 | 88419040.00 | 2210476.00 | 217.219.193.65
2009/08/06T00:00:00 | 246203.00  | 24904880.00 | 622622.00  | 78.158.177.17
2009/08/09T00:00:00 | 2190722.00 | 88649440.00 | 2216236.00 | 58.150.53.2
2009/08/13T00:00:00 | 204006.00  | 9251640.00  | 231291.00  | 218.189.146.246
2009/08/14T00:00:00 | 2102679.00 | 85169240.00 | 2129231.00 | 217.219.193.65
2009/08/15T00:00:00 | 131520.00  | 5260800.00  | 131520.00  | 221.214.82.185
2009/08/17T00:00:00 | 324786.00  | 12991440.00 | 324786.00  | 218.189.146.246
All records are 40-byte SYN packets from source-port 6000 to dest-port 42.
AS    | IP              | AS Name
10429 | 189.20.210.195  | Telefonica Empresas SA
12880 | 217.219.193.65  | DCI-AS DCI Autonomous System
43343 | 78.158.177.17   | ARYASAT Arya Sepehr Ettelarasan Tehran (ICP/ISDP/ISP/VoIP)
3786  | 58.150.53.2     | LGDACOM LG DACOM Corporation
9304  | 218.189.146.246 | HUTCHISON-AS-AP Hutchison Global Communications
4837  | 221.214.82.185  | CHINA169-BACKBONE CNCGROUP China169 Backbone
Very Respectfully,
US-CERT Ops Center
703-235-5111
POC: Matt Swaar - Analyst
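An added example, not part of the thread: a small Python filter that flags flow records matching the signature reported above (40-byte TCP SYN, source port 6000, destination port 42) and summarises hits per source and day, much like the table. The whitespace flow-line format and the RFC 5737 addresses are constructed sample data, not the thread's scanners.

```python
# Added example: flag flow records matching the TCP/42 scan signature and
# summarise them per (day, source IP). Sample flows below are constructed;
# addresses are RFC 5737 documentation ranges, not real scanners.
from collections import defaultdict
from datetime import datetime

# Constructed sample flows: "timestamp src sport dst dport proto flags bytes"
SAMPLE_FLOWS = """\
2009-08-16T07:09:40 192.0.2.10 6000 198.51.100.1 42 6 S 40
2009-08-16T07:09:41 192.0.2.10 6000 198.51.100.2 42 6 S 40
2009-08-16T07:09:41 192.0.2.10 6000 198.51.100.3 42 6 S 40
2009-08-16T08:00:00 192.0.2.10 6000 198.51.100.1 42 6 S 40
2009-08-16T09:12:03 192.0.2.77 51234 198.51.100.4 42 6 S 40
2009-08-16T09:15:00 192.0.2.77 51234 198.51.100.4 80 6 SA 1500
2009-08-17T14:11:58 192.0.2.11 6000 198.51.100.9 42 6 S 40
"""


def parse_flow(line):
    """Split one constructed flow line into typed fields."""
    ts, src, sport, dst, dport, proto, flags, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": int(proto),
            "flags": flags, "bytes": int(nbytes)}


def matches_signature(f):
    """True for a 40-byte, SYN-only TCP flow from sport 6000 to dport 42."""
    return (f["proto"] == 6 and f["flags"] == "S" and f["sport"] == 6000
            and f["dport"] == 42 and f["bytes"] == 40)


def summarize_scanners(text, min_dests=2):
    """Group matching flows by (day, src) and return
    {(day, src): (record_count, distinct_destinations)} for sources that
    hit at least min_dests distinct destinations that day; the threshold
    keeps a single stray SYN from being reported as a scan."""
    records = defaultdict(int)
    dests = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if not matches_signature(f):
            continue
        key = (f["ts"].date().isoformat(), f["src"])
        records[key] += 1
        dests[key].add(f["dst"])
    return {k: (records[k], len(dests[k]))
            for k in records if len(dests[k]) >= min_dests}
```

Pointing `summarize_scanners` at real flow exports only requires adapting `parse_flow` to the collector's column order.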
-----Original Message-----
From: Swaar, Matthew
Sent: Monday, August 17, 2009 6:27 PM
To: 'Rob Thomas'; Gabriel Iovino
Cc: NSP nsp-security
Subject: RE: [nsp-sec] Report of successful WINS (ms09-039) compromise
Heyo, NSP-SEC!
I can confirm seeing identical scans from 221.214.82.183 on my sensors.
I'm still poking around, but on 01 Aug 2009, I also see 189.20.210.195
scanning for TCP-42 using a static source port of 6000 & 40-byte SYN
packets. (The data pull I'm running on this is still assembling, but
189.20.210.195 appears to have hit at least a /16's worth of
destinations.)
Very Respectfully,
US-CERT Ops Center
703-235-5111
POC: Matt Swaar - Analyst
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Rob Thomas
Sent: Monday, August 17, 2009 5:11 PM
To: Gabriel Iovino
Cc: NSP nsp-security
Subject: Re: [nsp-sec] Report of successful WINS (ms09-039) compromise
----------- nsp-security Confidential --------
Hey, Gabe.
Thanks for the heads-up!
> 221.214.82.183
We see 221.214.82.183 begin scans for TCP 42 on or about 2009-08-15
09:57:48 UTC. Those scans continue.
Expanding the query to 221.214.82.0/24, we also see TCP 42 scans from:
221.214.82.186 on 2009-08-12 17:07:29 UTC
221.214.82.185 on 2009-08-16 07:09:40 UTC
221.214.82.186 on 2009-08-17 14:11:58 UTC
The source port seems to be a consistent TCP 6000. That might help
those of you making flow queries.
221.214.82.178 was the source of an ICMP echo scan on 2009-08-05
08:57:33 UTC.
The 221.214.82.0/24 prefix includes a fair number of
Conficker-compromised hosts.
221.214.82.0/24 appears to be mostly Windows boxes.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
ASSERT(coffee != empty);