[nsp-sec] udp (not tcp) port 22 traffic ? (AS 33491)
RuthAnne Bevier
ruthanne at caltech.edu
Fri Dec 30 15:02:42 EST 2011
Yes, they were hitting unallocated nets here too.
----
RuthAnne Bevier
On Dec 30, 2011, at 10:46 AM, Mike Tancsa <mike at sentex.net> wrote:
> On 12/30/2011 1:09 PM, RuthAnne Bevier wrote:
>> I don't know, but we've been seeing this here too fwiw.
>
> Some more pcaps at
> http://www.tancsa.com/udp22.zip
>
> passwd is 101bytes!
>
> for those interested.... The latest scanner being the Comcast IP below (time is GMT-5). Note the funny scan order... I am guessing the odd missed IP might be due to the scanner maxing its outbound bandwidth perhaps? Also the targets below are currently unallocated in my network, so I don't think it's an errant application response.
>
>
> 13:04:49.791796 IP 67.175.55.174.4562 > 98.159.253.162.22: UDP, length 101
> 13:04:50.256062 IP 67.175.55.174.4594 > 98.159.254.10.22: UDP, length 101
> 13:04:51.017119 IP 67.175.55.174.4646 > 98.159.254.135.22: UDP, length 101
> 13:04:51.092886 IP 67.175.55.174.4650 > 98.159.254.136.22: UDP, length 101
> 13:04:51.172931 IP 67.175.55.174.4656 > 98.159.254.137.22: UDP, length 101
> 13:05:39.484769 IP 67.175.55.174.4149 > 98.159.253.161.22: UDP, length 101
> 13:05:39.517708 IP 67.175.55.174.4152 > 98.159.253.191.22: UDP, length 101
> 13:05:39.556309 IP 67.175.55.174.4155 > 98.159.253.192.22: UDP, length 101
> 13:05:39.609814 IP 67.175.55.174.4159 > 98.159.253.193.22: UDP, length 101
> 13:05:39.648390 IP 67.175.55.174.4162 > 98.159.253.194.22: UDP, length 101
> 13:05:39.684323 IP 67.175.55.174.4165 > 98.159.253.195.22: UDP, length 101
> 13:05:39.724941 IP 67.175.55.174.4168 > 98.159.253.196.22: UDP, length 101
> 13:05:39.768743 IP 67.175.55.174.4171 > 98.159.253.197.22: UDP, length 101
> 13:05:39.801933 IP 67.175.55.174.4174 > 98.159.253.198.22: UDP, length 101
> 13:05:39.842251 IP 67.175.55.174.4177 > 98.159.253.199.22: UDP, length 101
> 13:05:39.902580 IP 67.175.55.174.4180 > 98.159.253.200.22: UDP, length 101
> 13:05:39.936006 IP 67.175.55.174.4183 > 98.159.253.201.22: UDP, length 101
> 13:05:39.977079 IP 67.175.55.174.4186 > 98.159.253.202.22: UDP, length 101
> 13:05:40.012541 IP 67.175.55.174.4189 > 98.159.253.203.22: UDP, length 101
> 13:05:40.051181 IP 67.175.55.174.4192 > 98.159.253.204.22: UDP, length 101
> 13:05:40.092271 IP 67.175.55.174.4195 > 98.159.253.205.22: UDP, length 101
> 13:05:40.127458 IP 67.175.55.174.4198 > 98.159.253.206.22: UDP, length 101
> 13:05:40.166847 IP 67.175.55.174.4201 > 98.159.253.207.22: UDP, length 101
> 13:05:40.204181 IP 67.175.55.174.4204 > 98.159.253.208.22: UDP, length 101
> 13:05:40.514119 IP 67.175.55.174.4224 > 98.159.253.209.22: UDP, length 101
> 13:05:40.526339 IP 67.175.55.174.4227 > 98.159.253.210.22: UDP, length 101
> 13:05:40.560309 IP 67.175.55.174.4230 > 98.159.253.211.22: UDP, length 101
> 13:05:40.599522 IP 67.175.55.174.4233 > 98.159.253.212.22: UDP, length 101
> 13:05:40.636289 IP 67.175.55.174.4236 > 98.159.253.213.22: UDP, length 101
> 13:05:40.715745 IP 67.175.55.174.4242 > 98.159.253.215.22: UDP, length 101
> 13:05:40.760183 IP 67.175.55.174.4245 > 98.159.253.216.22: UDP, length 101
> 13:05:40.792313 IP 67.175.55.174.4248 > 98.159.253.217.22: UDP, length 101
> 13:05:40.837037 IP 67.175.55.174.4251 > 98.159.253.218.22: UDP, length 101
> 13:05:40.869628 IP 67.175.55.174.4254 > 98.159.253.219.22: UDP, length 101
> 13:05:40.905000 IP 67.175.55.174.4256 > 98.159.253.220.22: UDP, length 101
> 13:05:40.944245 IP 67.175.55.174.4259 > 98.159.253.221.22: UDP, length 101
> 13:05:40.981754 IP 67.175.55.174.4262 > 98.159.253.222.22: UDP, length 101
> 13:05:41.205790 IP 67.175.55.174.4279 > 98.159.253.223.22: UDP, length 101
> 13:05:41.484235 IP 67.175.55.174.4300 > 98.159.253.224.22: UDP, length 101
> 13:05:41.523207 IP 67.175.55.174.4303 > 98.159.253.225.22: UDP, length 101
> 13:05:41.560153 IP 67.175.55.174.4306 > 98.159.253.226.22: UDP, length 101
> 13:05:41.604305 IP 67.175.55.174.4309 > 98.159.253.227.22: UDP, length 101
> 13:05:42.216777 IP 67.175.55.174.4355 > 98.159.253.239.22: UDP, length 101
> 13:05:42.287812 IP 67.175.55.174.4358 > 98.159.253.240.22: UDP, length 101
> 13:05:42.298073 IP 67.175.55.174.4361 > 98.159.253.241.22: UDP, length 101
> 13:05:42.333265 IP 67.175.55.174.4364 > 98.159.253.242.22: UDP, length 101
> 13:05:43.116188 IP 67.175.55.174.4423 > 98.159.253.249.22: UDP, length 101
> 13:05:43.152242 IP 67.175.55.174.4427 > 98.159.253.250.22: UDP, length 101
> 13:05:43.214665 IP 67.175.55.174.4431 > 98.159.253.252.22: UDP, length 101
> 13:05:43.498809 IP 67.175.55.174.4452 > 98.159.253.253.22: UDP, length 101
> 13:05:43.524286 IP 67.175.55.174.4455 > 98.159.253.254.22: UDP, length 101
> 13:05:44.755574 IP 67.175.55.174.4551 > 98.159.254.77.22: UDP, length 101
> 13:05:44.787411 IP 67.175.55.174.4554 > 98.159.254.78.22: UDP, length 101
> 13:05:45.288252 IP 67.175.55.174.4591 > 98.159.254.79.22: UDP, length 101
> 13:05:45.329627 IP 67.175.55.174.4594 > 98.159.254.80.22: UDP, length 101
> 13:05:45.360291 IP 67.175.55.174.4597 > 98.159.254.81.22: UDP, length 101
> 13:05:45.440441 IP 67.175.55.174.4602 > 98.159.254.91.22: UDP, length 101
> 13:05:45.516454 IP 67.175.55.174.4608 > 98.159.254.92.22: UDP, length 101
> 13:05:45.594783 IP 67.175.55.174.4614 > 98.159.254.93.22: UDP, length 101
> 13:05:45.634423 IP 67.175.55.174.4617 > 98.159.254.94.22: UDP, length 101
> 13:05:45.672037 IP 67.175.55.174.4620 > 98.159.254.95.22: UDP, length 101
>
>
> ---Mike
>
>>
>> On Fri, Dec 30, 2011 at 12:12:17PM -0500, Mike Tancsa wrote:
>>> ----------- nsp-security Confidential --------
>>>
>>> I am seeing a sudden uptick in udp port 22 scanning from a number of hosts around the net. Anyone know what they are after? The only ref I could find was for old PCAnywhere installs, but it's hard to imagine there would be many of those.
>>>
>>> e.g. Dec 1st, I saw 96 records into part of my AS for UDP port 22
>>>
>>> On the 20th, 2,194 entries to the same subset, yesterday ~ 1600
>>>
>>> Lengths are generally under 200 bytes. Here is one snippet. Some of it is to darkspace in my network, but not all. There does seem to be some BitTorrent traffic in some of the packets, but not the ones doing the scanning from what I can tell so far. Some hosts will scan a few /24s worth of IPs, others just a dozen.
>>>
>>> 11:26:26.048909 IP 118.104.73.202.63185 > 67.43.143.210.22: UDP, length 194
>>> 11:26:26.159270 IP 118.104.73.202.63185 > 67.43.143.211.22: UDP, length 194
>>> 11:26:26.542689 IP 118.104.73.202.63185 > 67.43.143.214.22: UDP, length 194
>>>
>>>
>>> A few of the big scanners from Dec 29th are
>>>
>>> AS | IP | AS Name
>>> 5089 | 77.102.89.107 | NTL Virgin Media Limited (8:26 GMT)
>>> 16276 | 176.31.97.12 | OVH OVH Systems (8:26 GMT)
>>> 16276 | 91.121.195.217 | OVH OVH Systems (10:53 GMT)
>>> 17676 | 126.131.124.76 | GIGAINFRA Softbank BB Corp. (8:21 GMT)
>>>
>>>
>>>
>>> ---Mike
>>>
>>> --
>>> -------------------
>>> Mike Tancsa, tel +1 519 651 3400
>>> Sentex Communications, mike at sentex.net
>>> Providing Internet services since 1994 www.sentex.net
>>> Cambridge, Ontario Canada http://www.tancsa.com/
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>> _______________________________________________
>>
>
>
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike at sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada http://www.tancsa.com/
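A small detection pass over tcpdump one-line summaries in the format Mike quoted, added here as an example (not code from the thread): it groups short UDP/22 probes by source, flags sources sweeping several hosts, and reports single skipped addresses inside a sweep. The sample capture lines are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# tcpdump one-line UDP summary, e.g. "13:05:39.484769 IP 67.175.55.174.4149 > 98.159.253.161.22: UDP, length 101"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>(?:\d+\.){3}\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>(?:\d+\.){3}\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$")

def ip_key(ip):
    """Numeric sort key so 192.0.2.9 orders before 192.0.2.10."""
    return tuple(int(o) for o in ip.split("."))

def parse_udp(lines):
    """Yield a dict per tcpdump UDP summary line; non-matching lines (TCP, hex dumps) are skipped."""
    for line in lines:
        m = LINE_RE.match(line.lstrip("> ").rstrip())  # tolerate mail-quoting prefixes
        if m:
            d = m.groupdict()
            yield {"src": d["src"], "dst": d["dst"], "dport": int(d["dport"]), "len": int(d["len"])}

def udp22_scanners(lines, min_targets=3, max_len=200):
    """Sources that sent short UDP datagrams to port 22 of >= min_targets distinct hosts,
    mapped to their numerically sorted target lists."""
    targets = defaultdict(set)
    for p in parse_udp(lines):
        if p["dport"] == 22 and p["len"] <= max_len:
            targets[p["src"]].add(p["dst"])
    return {src: sorted(dsts, key=ip_key)
            for src, dsts in targets.items() if len(dsts) >= min_targets}

def skipped_hosts(sorted_targets, max_gap=1):
    """Addresses a sequential sweep of one /24 left out, reporting only gaps of at most
    max_gap hosts (the 'odd missed IP' in the thread); wider jumps are treated as a new range."""
    skipped = []
    for a, b in zip(sorted_targets, sorted_targets[1:]):
        ka, kb = ip_key(a), ip_key(b)
        if ka[:3] == kb[:3] and 1 < kb[3] - ka[3] <= max_gap + 1:
            skipped += [".".join(map(str, ka[:3] + (o,))) for o in range(ka[3] + 1, kb[3])]
    return skipped

# Constructed sample in the thread's capture format, using RFC 5737 documentation addresses.
SAMPLE = """\
13:05:39.517708 IP 198.51.100.7.4152 > 192.0.2.191.22: UDP, length 101
13:05:39.556309 IP 198.51.100.7.4155 > 192.0.2.192.22: UDP, length 101
13:05:39.609814 IP 198.51.100.7.4159 > 192.0.2.193.22: UDP, length 101
13:05:39.648390 IP 198.51.100.7.4162 > 192.0.2.195.22: UDP, length 101
13:05:40.000000 IP 203.0.113.9.55000 > 192.0.2.10.22: UDP, length 101
13:05:40.100000 IP 203.0.113.9.55001 > 192.0.2.11.22: Flags [S], seq 1, win 65535, length 0
13:05:40.200000 IP 198.51.100.7.4170 > 192.0.2.5.53: UDP, length 40
""".splitlines()
```

Feed it `tcpdump -n udp port 22` output (or the quoted lines above) and the single-host source with one probe drops out while the sweeping source and its skipped address remain.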