[nsp-sec] Strong Increase in port 1433/tcp
Yiming Gong
yiming.gong at xo.com
Tue Mar 3 10:24:12 EST 2009
Smith, Donald wrote:
> 77.87.97.8 is my top hitter.
I have not seen this IP showing up yet, but the scan activity is dying
down on our network. Since 2009-03-02 4pm, the number has dropped significantly.
time uniq-src-ip
2009-03-03 09 2
2009-03-03 08 4
2009-03-03 07 7
2009-03-03 06 5
2009-03-03 05 6
2009-03-03 04 5
2009-03-03 03 6
2009-03-03 02 7
2009-03-03 01 6
2009-03-03 00 7
2009-03-02 23 4
2009-03-02 22 10
2009-03-02 21 10
2009-03-02 20 7
2009-03-02 19 15
2009-03-02 18 10
2009-03-02 17 13
2009-03-02 16 18
2009-03-02 15 169
2009-03-02 14 257
2009-03-02 13 305
2009-03-02 12 411
2009-03-02 11 393
2009-03-02 10 453
2009-03-02 09 452
2009-03-02 08 423
2009-03-02 07 446
2009-03-02 06 442
2009-03-02 05 466
2009-03-02 04 452
2009-03-02 03 418
2009-03-02 02 476
2009-03-02 01 409
2009-03-02 00 401
2009-03-01 23 403
2009-03-01 22 406
2009-03-01 21 382
2009-03-01 20 385
2009-03-01 19 345
2009-03-01 18 354
2009-03-01 17 352
2009-03-01 16 380
2009-03-01 15 413
2009-03-01 14 447
2009-03-01 13 306
2009-03-01 12 201
2009-03-01 11 56
2009-03-01 10 7
2009-03-01 09 7
2009-03-01 08 4
2009-03-01 07 11
2009-03-01 06 7
2009-03-01 05 4
2009-03-01 04 6
2009-03-01 03 4
2009-03-01 02 4
2009-03-01 01 8
2009-03-01 00 7
2009-02-28 18 1
2009-02-28 17 7
2009-02-28 16 7
2009-02-28 15 6
2009-02-28 14 7
2009-02-28 13 5
2009-02-28 12 6
2009-02-28 11 5
2009-02-28 10 7
2009-02-28 09 6
Yiming
> I looked at just his netflow and watched him hit 129.219.x.y, where x and y appear to be pseudo-random, not sequential scans.
> SYNs are all 48 bytes. The ACKs coming from 77.87.97.8 are in the 200-228 byte range (including ethernet header). I suspect this is an exploit given the fairly fixed size.
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia
>
>> -----Original Message-----
>> From: Yiming Gong [mailto:yiming.gong at xo.com]
>> Sent: Monday, March 02, 2009 3:19 PM
>> To: Smith, Donald
>> Cc: 'nsp-security at puck.nether.net'
>> Subject: Re: [nsp-sec] Strong Increase in port 1433/tcp
>>
>> For the past 48 hours, I got 10323 unique IPs scanning port 1434:
>> +---------------------+
>> | count(distinct sip) |
>> +---------------------+
>> | 10323 |
>> +---------------------+
>> 1 row in set (6.83 sec)
>>
>> and of them, only 64 of these unique IPs were using src port 6000. Here
>> are the top 10 src ports, ordered by the number of distinct sip.
>>
>> +-------+---------------------+
>> | sport | count(distinct sip) |
>> +-------+---------------------+
>> | 6000 | 64 |
>> | 4103 | 14 |
>> | 3786 | 13 |
>> | 4421 | 13 |
>> | 3517 | 12 |
>> | 3848 | 12 |
>> | 4784 | 12 |
>> | 3541 | 11 |
>> | 3588 | 11 |
>> | 3604 | 11 |
>> +-------+---------------------+
>> 10 rows in set (7.70 sec)
>>
>> Regards!
>>
>> Yiming
>>
>> Smith, Donald wrote:
>>> ----------- nsp-security Confidential --------
>>>
>>> That should be sql not swl :)
>>> And I think dasher is the constant since that has been around a LONG time.
>>> Can someone who saw this in their darknet validate that the increase is
>>> caused by the non-6000-1433 traffic?
>>>
>>> (coffee != sleep) & (!coffee == sleep)
>>> Donald.Smith at qwest.com gcia
>>>
>>>> -----Original Message-----
>>>> From: nsp-security-bounces at puck.nether.net
>>>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>>>> Smith, Donald
>>>> Sent: Monday, March 02, 2009 1:18 PM
>>>> To: 'Klaus Moeller'; 'nsp-security at puck.nether.net'
>>>> Subject: Re: [nsp-sec] Strong Increase in port 1433/tcp
>>>>
>>>> Is ~1/2 of it all coming from or going to tcp port 6000?
>>>>
>>>>
>>>> more /tmp/1433.03-02.ips | awk '{ if(($5==6000) || ($8==6000)
>>>> )print $8}' |wc -l
>>>> 458159
>>>> wc -l /tmp/1433.03-02.ips
>>>> 845859
>>>>
>>>> Count source port:
>>>> Sourced from 6000
>>>> 442043 6000
>>>> 19026 80
>>>> 1784 443
>>>>
>>>> Destined to 6000
>>>> 16116 6000
>>>> 12539 80
>>>> 1874 443
>>>> 624 3759
>>>>
>>>> Mostly syn scanning.
>>>>
>>>> This shows 324 non syn packets sourced from 6000 destined to 1433.
>>>>
>>>> awk '{ if(($5==6000) && ($10!=2)) print $8 }' /tmp/1433.03-02.ips | wc -l
>>>> 324
>>>>
>>>> So what are those? They are all resets.
>>>> w32.dasher used 6000 as a source port and attempted to
>>>> exploit a Microsoft swl server vulnerability.
>>>>
>>>> http://vil.mcafeesecurity.com/vil/content/v_137567.htm
>>>>
>>>> Note that your two pictures show a huge increase in source
>>>> IPs, not destination IPs.
>>>> SANS shows targets stayed about the same.
>>>>
>>>> So is this an outbreak of dasher or is dasher the old noise
>>>> and this is something new?
>>>>
>>>>
>>>> (coffee != sleep) & (!coffee == sleep)
>>>> Donald.Smith at qwest.com gcia
>>>>
>>>>> -----Original Message-----
>>>>> From: nsp-security-bounces at puck.nether.net
>>>>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>>>>> Klaus Moeller
>>>>> Sent: Monday, March 02, 2009 9:42 AM
>>>>> To: nsp-security at puck.nether.net
>>>>> Subject: [nsp-sec] Strong Increase in port 1433/tcp
>>>>>
>>>> _______________________________________________
>>>> nsp-security mailing list
>>>> nsp-security at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>>
>>>> Please do not Forward, CC, or BCC this E-mail outside of the
>>>> nsp-security
>>>> community. Confidentiality is essential for effective
>>>> Internet security counter-measures.
>>>> _______________________________________________
>>>>
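Added example, not part of the thread: a small Python triage over constructed flow records that reproduces the three checks discussed above (distinct sources per hour as in Yiming's table, the "is ~1/2 of it on port 6000" share and distinct sources per source port as in the queries, and Donald's non-SYN-from-6000 filter). The record layout, flag encoding and sample addresses are assumptions made for this example.

```python
# Added example (not from the thread): the thread's three flow checks over
# constructed records "YYYY-MM-DD HH:MM src sport dst dport tcpflags".
# tcpflags uses TCP flag bits (SYN=2, RST=4), as the awk "$10!=2" filter does.
from collections import Counter, defaultdict

SYN, RST = 0x02, 0x04

# Constructed sample flows; documentation-range addresses, not real scanners.
FLOWS = """\
2009-03-02 11:02 198.51.100.7 6000 192.0.2.10 1433 2
2009-03-02 11:03 198.51.100.7 6000 192.0.2.11 1433 2
2009-03-02 11:05 198.51.100.8 4103 192.0.2.12 1433 2
2009-03-02 11:40 203.0.113.5 6000 192.0.2.13 1433 4
2009-03-02 12:01 198.51.100.9 3786 192.0.2.14 1433 2
2009-03-02 12:15 198.51.100.7 6000 192.0.2.15 1433 2
2009-03-02 13:00 203.0.113.6 80 192.0.2.16 1433 2
"""

def parse(text):
    """Return (hour_bucket, src, sport, dst, dport, flags) tuples."""
    rows = []
    for line in text.splitlines():
        day, clock, src, sport, dst, dport, flags = line.split()
        rows.append((f"{day} {clock[:2]}", src, int(sport), dst, int(dport), int(flags)))
    return rows

def hourly_unique_sources(rows, dport=1433):
    """Hour -> distinct source IPs hitting dport (the shape of Yiming's table)."""
    seen = defaultdict(set)
    for hour, src, _, _, dp, _ in rows:
        if dp == dport:
            seen[hour].add(src)
    return {h: len(s) for h, s in sorted(seen.items())}

def port_6000_share(rows):
    """Fraction of records with 6000 as source or destination port (the ~1/2 check)."""
    return sum(1 for r in rows if 6000 in (r[2], r[4])) / len(rows)

def sources_by_sport(rows, top=10):
    """Distinct source IPs per source port, like the GROUP BY sport query."""
    per_port = defaultdict(set)
    for _, src, sp, _, _, _ in rows:
        per_port[sp].add(src)
    return Counter({p: len(s) for p, s in per_port.items()}).most_common(top)

def non_syn_from_6000(rows):
    """Records sourced from port 6000 whose flags are not a bare SYN (the RSTs)."""
    return [r for r in rows if r[2] == 6000 and r[5] != SYN]
```

Feed `parse(FLOWS)` to each function; on real data the same functions run over a parsed flow export in the assumed field order.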