[nsp-sec] Strong Increase in port 1433/tcp

Yiming Gong yiming.gong at xo.com
Mon Mar 2 17:19:22 EST 2009


For the past 48 hours, I got 10323 unique IPs scanning port 1434
+---------------------+
| count(distinct sip) |
+---------------------+
|               10323 |
+---------------------+
1 row in set (6.83 sec)

and of them, only 64 of these unique IPs were using src port 6000; here
are the top 10 src ports ordered by the total number of distinct sip.

+-------+---------------------+
| sport | count(distinct sip) |
+-------+---------------------+
| 6000  |                  64 |
| 4103  |                  14 |
| 3786  |                  13 |
| 4421  |                  13 |
| 3517  |                  12 |
| 3848  |                  12 |
| 4784  |                  12 |
| 3541  |                  11 |
| 3588  |                  11 |
| 3604  |                  11 |
+-------+---------------------+
10 rows in set (7.70 sec)

Regards!

Yiming

Smith, Donald wrote:
> ----------- nsp-security Confidential --------
> 
> That should be sql not swl:)
> And I think dasher is the constant since that has been around a LONG time.
> Can someone that saw this in their darknet validate that the increase is caused by the non-6000-1433 traffic?
> 
> 
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia   
> 
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net 
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
>> Smith, Donald
>> Sent: Monday, March 02, 2009 1:18 PM
>> To: 'Klaus Moeller'; 'nsp-security at puck.nether.net'
>> Subject: Re: [nsp-sec] Strong Increase in port 1433/tcp
>>
>> ----------- nsp-security Confidential --------
>>
>> Is ~1/2 of it all coming from or going to tcp port 6000?
>>
>>
>> more /tmp/1433.03-02.ips | awk '{ if(($5==6000) || ($8==6000) 
>> )print $8}' |wc -l                                            
>>                          458159
>> wc -l /tmp/1433.03-02.ips 
>> 845859 
>>
>> Count source port:
>> Sourced from 6000
>> 442043 6000
>> 19026 80
>> 1784 443
>>
>> Destined to 6000
>> 16116 6000
>> 12539 80
>> 1874 443
>>  624 3759
>>
>> Mostly syn scanning.
>>
>> This shows 324 non syn packets sourced from 6000 destined to 1433.
>>
>> more /tmp/1433.03-02.ips | awk '{ if(($5==6000) && ($10!=2) )print 
>> $8}' | wc -l  
>> 324
>>
>> So what are those? They are all resets.
>> w32.dasher used 6000 as a source port and attempted to 
>> exploit an microsoft swl server vulnerability.
>>
>> http://vil.mcafeesecurity.com/vil/content/v_137567.htm
>>
>> Note that your two pictures show a huge increase in source 
>> ips not destination ips.
>> The sans shows targets stayed about the same.
>>
>> So is this an outbreak of dasher or is dasher the old noise 
>> and this is something new?
>>
>>
>> (coffee != sleep) & (!coffee == sleep)
>> Donald.Smith at qwest.com gcia   
>>
>>> -----Original Message-----
>>> From: nsp-security-bounces at puck.nether.net 
>>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
>>> Klaus Moeller
>>> Sent: Monday, March 02, 2009 9:42 AM
>>> To: nsp-security at puck.nether.net
>>> Subject: [nsp-sec] Strong Increase in port 1433/tcp
>>>
>>> ----------- nsp-security Confidential --------
>>>
>>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the 
>> nsp-security
>> community. Confidentiality is essential for effective 
>> Internet security counter-measures.
>> _______________________________________________
>>
> 
> 
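As an added example, not code from the thread: a small POSIX shell/awk script that reproduces the counts discussed above (lines involving port 6000, non-SYN packets sourced from 6000, count(distinct sip), and the top source ports ranked by distinct source IPs) over a constructed flow file. It assumes the whitespace-separated record layout the quoted awk one-liners imply (field 4 = source IP, field 5 = source port, field 8 = destination port, field 10 = TCP flags with 2 meaning a bare SYN); the sample records and the field positions are assumptions for illustration, not the real /tmp/1433.03-02.ips data.

```shell
#!/bin/sh
# Added example; not from the nsp-security thread.
# Assumed record layout (one packet/flow per line, whitespace separated):
#   $1 date  $2 time  $3 proto  $4 sip  $5 sport  $6 "->"  $7 dip
#   $8 dport  $9 bytes  $10 tcp flags (2 = SYN only, 4 = RST, 18 = SYN/ACK)

# Constructed sample data standing in for /tmp/1433.03-02.ips.
write_sample() {
  cat > "$1" <<'EOF'
2009-03-02 00:00:01 tcp 10.0.0.1 6000 -> 192.0.2.10 1433 48 2
2009-03-02 00:00:02 tcp 10.0.0.1 6000 -> 192.0.2.11 1433 48 2
2009-03-02 00:00:03 tcp 10.0.0.2 6000 -> 192.0.2.10 1433 40 4
2009-03-02 00:00:04 tcp 10.0.0.3 4103 -> 192.0.2.10 1433 48 2
2009-03-02 00:00:05 tcp 10.0.0.4 3786 -> 192.0.2.12 1433 48 2
2009-03-02 00:00:06 tcp 10.0.0.3 4103 -> 192.0.2.13 1433 48 2
2009-03-02 00:00:07 tcp 10.0.0.5 3786 -> 192.0.2.10 1433 48 2
2009-03-02 00:00:08 tcp 10.0.0.6 80 -> 192.0.2.10 1433 48 2
2009-03-02 00:00:09 tcp 10.0.0.7 1433 -> 192.0.2.14 6000 40 18
2009-03-02 00:00:10 tcp 10.0.0.2 6000 -> 192.0.2.11 1433 48 2
2009-03-02 00:00:11 tcp 10.0.0.8 6000 -> 192.0.2.12 1433 48 2
EOF
}

# Records that either originate from or are destined to port 6000
# (same predicate as the first quoted awk one-liner).
involving_6000() {
  awk '$5 == 6000 || $8 == 6000 { n++ } END { print n + 0 }' "$1"
}

# Packets sourced from 6000 to 1433 whose flag field is not a bare SYN;
# the "so what are those?" check (in the thread they were all resets).
non_syn_from_6000_to_1433() {
  awk '$5 == 6000 && $8 == 1433 && $10 != 2 { n++ } END { print n + 0 }' "$1"
}

# Equivalent of SELECT count(distinct sip) over the file.
distinct_sources() {
  awk '{ print $4 }' "$1" | sort -u | wc -l | tr -d ' '
}

# Equivalent of SELECT sport, count(distinct sip) ... GROUP BY sport
# ORDER BY count DESC LIMIT N (N defaults to 10); ties broken by port.
top_sports() {
  awk '{ print $5, $4 }' "$1" | sort -u \
    | awk '{ c[$1]++ } END { for (p in c) printf "%d %s\n", c[p], p }' \
    | sort -k1,1rn -k2,2n | head -n "${2:-10}"
}

# Demo run on the constructed sample.
f=$(mktemp)
write_sample "$f"
echo "records: $(wc -l < "$f" | tr -d ' ')"
echo "involving port 6000: $(involving_6000 "$f")"
echo "non-SYN from 6000 to 1433: $(non_syn_from_6000_to_1433 "$f")"
echo "distinct source IPs: $(distinct_sources "$f")"
echo "top source ports by distinct sip:"
top_sports "$f" 3
rm -f "$f"
```

Ranking source ports by distinct source IPs rather than by packet count is what separates a few noisy scanners on a fixed source port (the 6000 signature) from a broad rise in scanning hosts using ephemeral ports, which is the distinction the thread is trying to make.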
