-
Scan Pattern
The last few days I have seen an increase in my router logs.....
And a definite scan pattern.....
Looks like the IP addresses are all from the ISP's IP block
All scans are
139
445
135
135
445
135
445
445
445
445
445
I am getting about 6 an hour....
Anyone else seeing this activity....
Know what it is???
Just curious.....looks like more than the regular noise
MLF
-
Hey Hey,
It's most likely any one of a dozen worms that propagate via NetBIOS over TCP... mind you it's possible that it's something new (related to last month's patches maybe).... but yeah it's pretty standard traffic to see hammering the front door.
Peace,
HT
-
Well...it is new...'cause I do look at the logs regularly...
Each IP scans in the same manner: all TCP, and all in that same order
I figured it was just noise....
This pattern started around the 20th of May....and has definitely ramped up over the last few days..........guess not everyone's patched/protected :rolleyes:
Thanks for the info HT.....
MLF
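The two posts above describe a fingerprint rather than random noise: each source hits TCP 139, 445 and 135 in the same order, and roughly six sources an hour show up. The script below is an added example (not from the thread, and not anyone's router firmware) of turning that observation into a check you can run over your own logs. The log format, the addresses and the sample lines are all constructed assumptions; adjust `LINE_RE` to whatever your router actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed consumer-router "DROP" log format.
# Addresses are documentation/private ranges, not real hosts from the thread.
SAMPLE_LOG = """\
2005-05-28 10:02:11 DROP TCP 10.20.30.41:3521 -> 10.20.30.7:139
2005-05-28 10:02:12 DROP TCP 10.20.30.41:3522 -> 10.20.30.7:445
2005-05-28 10:02:12 DROP TCP 10.20.30.41:3523 -> 10.20.30.7:135
2005-05-28 10:02:14 DROP TCP 10.20.30.41:3524 -> 10.20.30.7:135
2005-05-28 10:02:15 DROP TCP 10.20.30.41:3525 -> 10.20.30.7:445
2005-05-28 10:11:40 DROP TCP 10.20.30.88:1044 -> 10.20.30.7:139
2005-05-28 10:11:41 DROP TCP 10.20.30.88:1045 -> 10.20.30.7:445
2005-05-28 10:11:41 DROP TCP 10.20.30.88:1046 -> 10.20.30.7:135
2005-05-28 10:25:03 DROP UDP 10.20.30.99:1234 -> 10.20.30.7:1026
2005-05-28 11:03:19 DROP TCP 10.20.30.123:2001 -> 10.20.30.7:445
2005-05-28 11:03:20 DROP TCP 10.20.30.123:2002 -> 10.20.30.7:139
"""

# Assumed line layout: "<date> <time> DROP <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\S+ \S+) DROP (TCP|UDP) (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)$"
)

# The order the thread reports: 139, then 445, then 135, all over TCP.
NETBIOS_PREFIX = (139, 445, 135)


def parse_log(text):
    """Yield (timestamp, proto, src_ip, dst_port); lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), int(m.group(4))


def port_sequences(events):
    """Map each source IP to the ordered list of (proto, dst_port) probes it sent."""
    seqs = defaultdict(list)
    for _ts, proto, src, port in events:
        seqs[src].append((proto, port))
    return seqs


def matches_netbios_scan(seq):
    """True when a source's first three probes are TCP 139, 445, 135 in that order."""
    first = seq[:3]
    return (
        len(first) == 3
        and all(proto == "TCP" for proto, _ in first)
        and tuple(port for _, port in first) == NETBIOS_PREFIX
    )


def find_scanners(text):
    """Sorted list of source IPs whose probe order matches the fingerprint."""
    seqs = port_sequences(parse_log(text))
    return sorted(src for src, seq in seqs.items() if matches_netbios_scan(seq))


def scanners_per_hour(text):
    """Count distinct matching sources per hour, keyed by the hour they first appeared."""
    events = list(parse_log(text))
    scanners = set(find_scanners(text))
    first_seen = {}
    for ts, _proto, src, _port in events:
        if src in scanners and src not in first_seen:
            first_seen[src] = ts
    counts = defaultdict(int)
    for ts in first_seen.values():
        counts[ts.strftime("%Y-%m-%d %H:00")] += 1
    return dict(counts)


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))      # ['10.20.30.41', '10.20.30.88']
    print(scanners_per_hour(SAMPLE_LOG))  # {'2005-05-28 10:00': 2}
```

The source that hits 445 before 139 is deliberately left out of the match, which is the point of checking order rather than just the set of ports: a worm's hard-coded probe order is a better fingerprint than "something touched 445", and the per-hour count gives you the same "about 6 an hour" baseline the post used to notice the change.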
-
Greetings
Nothing new here, the same old 1026 and 1027 with some 139 and 1080 here and there. No patterns here. Also Dshield says the same. I think I agree with HTRegz.
When are people going to start patching up their systems and put on an antivirus and update it too... I know I am hoping for too much. :rolleyes:
-
That kinda stuff has been around for a long time. If y'all start answering some of those probes with samba or netcat you'll find that the files these zombies try to command your machine to ftp change from time to time. Eraseme_(some-5-digit-number).exe has been in vogue in my subnet since last June or July. Play with them for awhile and they'll start hitting a few other ports as well like 4899, 5000 and 80 too! The ones that hit http will either send a GET / with a GSS-API Authorization Negotiate string of QUFBQUFBQUFB... usually about 3k longer than the tvb_reported_length_remaining. The other http hits associated with the NetBIOS crud use the OPTIONS / method.
It is not something for the faint of heart to try. But it does get interesting when you antagonize the botnets enough that the real goons behind it all come knocking at your door with the real exotic stuff. And as for the Messenger spam, I see that to 1025-1033 like clockwork. Most of the UDP checksums are totally incorrect meaning it's all spoofed and there ain't a darn thing you can do about it. Well, I suppose you could visit the URLs in the messages and grab the "FixMyRegOrWhateverNameOnAGivenDay" whoopla a bazillion times to boost some spammer's commissions. But be careful, there are some really big cash cows built into all that source-spoofed-spam by deceptive-dirtbag-design.
FWIW-The newest I've seen lately probes 1080, 1088, 80, 81 and 443 x2.
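The remark above about the Messenger-spam datagrams carrying incorrect UDP checksums is something you can check for yourself on a capture rather than trust a dissector's colouring. The code below is an added example, not part of the post and not the code of any tool the thread mentions: it implements the RFC 768 checksum over the IPv4 pseudo-header and classifies a raw IPv4/UDP packet as `ok`, `bad` or `absent` (IPv4 permits a zero checksum field, which is not the same as a wrong one). The packet builder and the popup payload are constructed test data; the addresses are from the documentation range.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """RFC 768 checksum: IPv4 pseudo-header + UDP header (checksum field zeroed) + payload."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp_segment))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = 0xFFFF - ones_complement_sum(pseudo + zeroed)
    return csum if csum else 0xFFFF         # a computed zero is transmitted as 0xFFFF


def udp_checksum_status(packet: bytes) -> str:
    """Classify the UDP checksum of a raw IPv4/UDP packet as 'ok', 'bad' or 'absent'."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not a UDP packet")
    src_ip, dst_ip = packet[12:16], packet[16:20]
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    udp = packet[ihl:ihl + udp_len]
    stored = struct.unpack("!H", udp[6:8])[0]
    if stored == 0:
        return "absent"                     # sender chose not to checksum (legal in IPv4)
    return "ok" if udp_checksum(src_ip, dst_ip, udp) == stored else "bad"


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes,
                   corrupt: bool = False) -> bytes:
    """Construct a minimal IPv4/UDP datagram (constructed test data, not a capture).
    With corrupt=True one payload byte is flipped after the checksum is computed, so
    the stored checksum no longer matches what is on the wire."""
    src_ip = bytes(int(o) for o in src.split("."))
    dst_ip = bytes(int(o) for o in dst.split("."))
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, udp)
    if corrupt:
        payload = bytes([payload[0] ^ 0x01]) + payload[1:]
    udp = struct.pack("!HHHH", sport, dport, udp_len, csum) + payload
    # IPv4 header with the IP header checksum left at zero: only the addresses and
    # the protocol field are needed to verify the UDP checksum
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, src_ip, dst_ip)
    return ip_hdr + udp


# Constructed stand-in for a Messenger-service popup aimed at UDP 1026
POPUP = b"CONSTRUCTED SAMPLE MESSAGE: your registry needs fixing"


def demo():
    """Return the verdicts for a well-formed datagram and for one with a stale checksum."""
    good = build_ipv4_udp("192.0.2.10", "192.0.2.77", 1234, 1026, POPUP)
    bad = build_ipv4_udp("192.0.2.10", "192.0.2.77", 1234, 1026, POPUP, corrupt=True)
    return udp_checksum_status(good), udp_checksum_status(bad)


if __name__ == "__main__":
    print(demo())   # ('ok', 'bad')
```

Feed `udp_checksum_status` the raw IPv4 bytes of each datagram from a pcap (for example the packet data from a pcap reader) and tally the three verdicts per source address; a source whose datagrams are consistently `bad` is worth treating as untrustworthy rather than as a host to go looking for.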
-
Hi Morgana~
I am getting those, as well as the 1026 and 1027, and they seem to be from my ISP address block.
The traffic seems to come and go, presumably depending on the number of infected machines in circulation?