http://isc.sans.org/port.html?port=7859

---------- Forwarded message ----------
From: Lisa Kachold
Date: Mon, May 4, 2009 at 5:56 PM
Subject: Unauthorized Rogue Access Aggressive Distributed Scanning
To: internet.abuse@sjrb.ca, abuse@netatonce.se, ripe@eircom.net

Distributed coordinated denial of service scanning access (from Canada, Ireland and Sweden IPs [verified in real time via adjacent header packet analysis as not spoofed]) to honeypot.obnosis.com port 7859 (times are MST Arizona):

Cisco logs:

May 4 15:45:11 - [Access Log] TCP Packet - 96.54.67.106:61252 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 96.54.67.106:61252 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:35 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:45:38 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:45:44 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:46:31 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:46:34 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:46:40 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:47:06 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:09 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:15 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:35 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:47:38 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:47:44 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:48:04 - [Access Log] TCP Packet - 96.54.67.106:60954 --> 192.168.1.254:7859
May 4 15:48:44 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:48:47 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:48:53 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:49:20 - [Access Log] TCP Packet - 85.195.35.76:3572 --> 192.168.1.254:7859
May 4 15:50:42 - [Access Log] TCP Packet - 86.46.102.219:58547 --> 192.168.1.254:7859
May 4 15:50:45 - [Access Log] TCP Packet - 86.46.102.219:58547 --> 192.168.1.254:7859

WARNING: This is a roo honeywall honeypot on a private network. When we obtain additional information and forensics related to encroachments originating from networks within your liability, they will be presented. The IP ADDRESSES have been firewalled from other systems outside of the scope of this study.

It is strongly suggested that you alert all personnel to investigate all access during these events; perform low level systems examination for binary replacement, encroachment, obfuscation and encrypted files, or optimally rebuild.

--
www.obnosis.com
(503)754-4452
http://en.wikipedia.org/wiki/User:LisaKachold
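
An added example, not part of the original message: a Python parser for access-log lines in the layout quoted above that groups packets by source address and source port, so repeated packets from one source port are counted as a single connection attempt. The sample lines are constructed with documentation addresses, the function name and the "one source port = one attempt" grouping are this example's assumptions, and the year default is assumed because the log carries no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same layout as the log quoted above; source
# addresses are RFC 5737 documentation ranges, not values from the report.
SAMPLE = """\
May 4 15:45:11 - [Access Log] TCP Packet - 198.51.100.7:61252 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 198.51.100.7:61252 --> 192.168.1.254:7859
May 4 15:45:35 - [Access Log] TCP Packet - 203.0.113.9:3460 --> 192.168.1.254:7859
May 4 15:45:38 - [Access Log] TCP Packet - 203.0.113.9:3460 --> 192.168.1.254:7859
May 4 15:45:44 - [Access Log] TCP Packet - 203.0.113.9:3460 --> 192.168.1.254:7859
May 4 15:46:31 - [Access Log] TCP Packet - 203.0.113.9:3491 --> 192.168.1.254:7859
May 4 15:48:04 - [Access Log] TCP Packet - 198.51.100.7:60954 --> 192.168.1.254:7859
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) - \[Access Log\] TCP Packet - "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) --> "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)

def summarize(text, year=2009):
    """Group packets by source IP, then by source port (assumed: one port = one attempt)."""
    flows = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not an access-log entry
        # The log has no year; 'year' is an assumed default supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        flows[m["src"]][int(m["sport"])].append(ts)
    report = {}
    for src, ports in flows.items():
        times = [t for stamps in ports.values() for t in stamps]
        report[src] = {
            "packets": len(times),    # raw log lines from this source
            "attempts": len(ports),   # distinct source ports seen
            "first": min(times),
            "last": max(times),
            # seconds between successive packets within each attempt
            "gaps": {p: [int((b - a).total_seconds()) for a, b in zip(s, s[1:])]
                     for p, s in ports.items()},
        }
    return report
```

Comparing `packets` with `attempts` per source, and reading the per-port `gaps`, separates repeated packets of one attempt from genuinely new attempts before counts go into an abuse report.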