Scan Pattern

  1. #1
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152

    Scan Pattern

    The last few days I have seen an increase in my router logs...

    And a definite scan pattern...

    looks like the IP addresses are all from the ISPs IP block

    All scans are

    139
    445
    135
    135
    445
    135
    445
    445
    445
    445
    445

    am getting about 6 an hour....

    Anyone else seeing this activity....

    know what it is???

    Just curious... looks like more than the regular noise

    MLF
    How people treat you is their karma - how you react is yours - Wayne Dyer

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    It's most likely any one of a dozen worms that propagate via NetBIOS over TCP... mind you, it's possible that it's something new (related to last month's patches maybe)... but yeah, it's pretty standard traffic to see hammering the front door.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Well... it is new... 'cause I do look at the logs regularly...

    Each IP scans in the same manner, all TCP, and all in that same order.

    I figured it was just noise....

    This pattern started around the 20th of May... and has definitely ramped up over the last few days... guess not everyone's patched/protected

    Thanks for the info HT.....

    MLF
    How people treat you is their karma - how you react is yours - Wayne Dyer
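    The two posts above describe the same observable: each source walks the same TCP ports (139, 445, 135) in the same order, at a steady rate, from addresses inside the ISP's block. The following is an added example, not code from this thread or any poster, of how to pull that pattern out of router drop logs rather than eyeballing it. The log line format, the sample lines and the ISP CIDR (10.20.0.0/16) are all constructed for the demonstration; adapt the regex to your own router's syntax.

```python
import re
import ipaddress
from collections import defaultdict, Counter
from datetime import datetime

# Constructed sample of router-style drop log lines (not real traffic).
SAMPLE_LOG = """\
May 22 10:01:03 DROP TCP 10.20.30.40:3421 -> 192.168.1.5:139
May 22 10:01:03 DROP TCP 10.20.30.40:3422 -> 192.168.1.5:445
May 22 10:01:04 DROP TCP 10.20.30.40:3423 -> 192.168.1.5:135
May 22 10:01:04 DROP TCP 10.20.30.40:3424 -> 192.168.1.5:135
May 22 10:01:05 DROP TCP 10.20.30.40:3425 -> 192.168.1.5:445
May 22 10:13:40 DROP TCP 10.20.77.9:1044 -> 192.168.1.5:139
May 22 10:13:40 DROP TCP 10.20.77.9:1045 -> 192.168.1.5:445
May 22 10:13:41 DROP TCP 10.20.77.9:1046 -> 192.168.1.5:135
May 22 10:45:12 DROP UDP 203.0.113.7:1026 -> 192.168.1.5:1026
May 22 11:02:00 DROP TCP 198.51.100.23:55012 -> 192.168.1.5:22
May 22 11:20:31 DROP TCP 10.20.5.200:2001 -> 192.168.1.5:139
May 22 11:20:31 DROP TCP 10.20.5.200:2002 -> 192.168.1.5:445
May 22 11:20:32 DROP TCP 10.20.5.200:2003 -> 192.168.1.5:135
"""

# Assumed log syntax: "<syslog timestamp> DROP <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# The ordered port walk the thread reports from every scanning host.
SIGNATURE = (139, 445, 135)


def parse_log(text):
    """Return a list of (timestamp, proto, src_ip, dport) tuples from the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not look like drop records
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        events.append((ts, m["proto"], m["src"], int(m["dport"])))
    return events


def port_sequences(events):
    """Ordered list of TCP destination ports hit by each source address."""
    seqs = defaultdict(list)
    for ts, proto, src, dport in events:
        if proto == "TCP":
            seqs[src].append(dport)
    return dict(seqs)


def matching_sources(seqs, signature=SIGNATURE):
    """Sources whose first ports, in order, equal the signature walk."""
    n = len(signature)
    hits = [src for src, ports in seqs.items() if tuple(ports[:n]) == signature]
    return sorted(hits, key=ipaddress.ip_address)


def hits_per_hour(events, sources):
    """How many matching sources began their sweep in each clock hour."""
    first_seen = {}
    for ts, proto, src, dport in events:
        if src in sources and src not in first_seen:
            first_seen[src] = ts
    return Counter(ts.strftime("%b %d %H:00") for ts in first_seen.values())


def in_block(sources, cidr):
    """Map each source to whether it lies inside the given CIDR (e.g. the ISP block)."""
    net = ipaddress.ip_network(cidr)
    return {src: ipaddress.ip_address(src) in net for src in sources}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    scanners = matching_sources(port_sequences(events))
    print("sources walking 139/445/135 in order:", scanners)
    print("sweeps per hour:", dict(hits_per_hour(events, set(scanners))))
    print("inside assumed ISP block 10.20.0.0/16:", in_block(scanners, "10.20.0.0/16"))
```

Matching on the first three ports in order, rather than on any hit to port 445, is what separates this worm-style walk from the background noise the later posts mention (1026/1027 Messenger spam, stray 139 or 1080 probes). The per-hour count gives the "about 6 an hour" figure directly, and the CIDR check confirms or refutes the "all from the ISP's block" impression without manual lookups.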

  4. #4
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Greetings

    Nothing new here, the same old 1026 and 1027 with some 139 and 1080 here and there. No patterns here. Also Dshield says the same. I think I agree with HTRegz.

    When are people going to start patching up their systems and putting on an antivirus and updating it too... I know I am hoping for too much.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  5. #5
    Junior Member
    Join Date
    Apr 2006
    Posts
    10
    That kinda stuff has been around for a long time. If y'all start answering some of those probes with samba or netcat you'll find that the files these zombies try to command your machine to ftp change from time to time. Eraseme_(some-5-digit-number).exe has been in vogue in my subnet since last June or July. Play with them for a while and they'll start hitting a few other ports as well, like 4899, 5000 and 80 too! The ones that hit http will either send a GET / with a GSS-API Authorization Negotiate string of QUFBQUFBQUFB... usually about 3k longer than the tvb_reported length remaining. The other http hits associated with the NetBIOS crud use the OPTIONS / method.

    It is not something for the faint of heart to try. But it does get interesting when you antagonize the botnets enough that the real goons behind it all come knocking at your door with the real exotic stuff. And as for the Messenger spam, I see that to 1025-1033 like clockwork. Most of the UDP checksums are totally incorrect, meaning it's all spoofed and there ain't a darn thing you can do about it. Well, I suppose you could visit the URLs in the messages and grab the "FixMyRegOrWhateverNameOnAGivenDay" whoopla a bazillion times to boost some spammer's commissions. But be careful, there are some really big cash cows built into all that source-spoofed spam by deceptive-dirtbag design.

    FWIW - The newest I've seen lately probes 1080, 1088, 80, 81 and 443 x2.
    Eating Crow Is Better With MyCrowSauce

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi Morgana~

    I am getting those, as well as the 1026 and 1027, and they seem to be from my ISP address block.

    The traffic seems to come and go, presumably depending on the number of infected machines in circulation?
