http://isc.sans.org/port.html?port=7859

---------- Forwarded message ----------
From: Lisa Kachold <lisakachold@obnosis.com>
Date: Mon, May 4, 2009 at 5:56 PM
Subject: Unauthorized Rogue Access Aggressive Distributed Scanning
To: internet.abuse@sjrb.ca, abuse@netatonce.se, ripe@eircom.net

Distributed coordinated denial of service scanning access (from Canada, Ireland and Sweden IPs [verified in real time via adjacent header packet analysis as not spoofed]) to honeypot.obnosis.com port 7859 (times are MST Arizona):

Cisco logs:

May 4 15:45:11 - [Access Log] TCP Packet - 96.54.67.106:61252 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 96.54.67.106:61252 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:35 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:45:38 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:45:44 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:46:31 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:46:34 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:46:40 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:47:06 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:09 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:15 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:35 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:47:38 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:47:44 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:48:04 - [Access Log] TCP Packet - 96.54.67.106:60954 --> 192.168.1.254:7859
May 4 15:48:44 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:48:47 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:48:53 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:49:20 - [Access Log] TCP Packet - 85.195.35.76:3572 --> 192.168.1.254:7859
May 4 15:50:42 - [Access Log] TCP Packet - 86.46.102.219:58547 --> 192.168.1.254:7859
May 4 15:50:45 - [Access Log] TCP Packet - 86.46.102.219:58547 --> 192.168.1.254:7859

WARNING: This is a roo honeywall honeypot on a private network.

When we obtain additional information and forensics related to encroachments originating from networks within your liability, they will be presented.

The IP ADDRESSES have been firewalled from other systems outside of the scope of this study. It is strongly suggested that you alert all personnel to investigate all access during these events; perform low-level systems examination for binary replacement, encroachment, obfuscation and encrypted files, or optimally rebuild.
--
www.obnosis.com (503)754-4452
http://en.wikipedia.org/wiki/User:LisaKachold
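
An added example, not part of the forwarded message: a small parser for the access-log format quoted above that groups packets by source IP and source port and reports the gaps between repeated packets on the same port. The function names are hypothetical, the year default is taken from the message date, and treating one source port as one connection attempt is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "[Access Log] TCP Packet" lines in the format shown in the report.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) - \[Access Log\] TCP Packet - "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) --> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Nine lines copied from the log in the report.
SAMPLE = """\
May 4 15:45:11 - [Access Log] TCP Packet - 96.54.67.106:61252 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 96.54.67.106:61252 --> 192.168.1.254:7859
May 4 15:45:35 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:45:38 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:45:44 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:46:31 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:47:06 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:09 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:15 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
"""

def parse(text, year=2009):
    """Return (timestamp, src_ip, src_port, dst_port) for each matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip anything that is not an access-log line
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], int(m["sport"]), int(m["dport"])))
    return events

def summarize(events):
    """Per source IP: packet count, distinct source ports, repeat gaps (s)."""
    flows = defaultdict(list)
    for ts, src, sport, dport in events:
        flows[(src, sport, dport)].append(ts)
    out = {}
    for (src, _sport, _dport), stamps in flows.items():
        row = out.setdefault(src, {"packets": 0, "attempts": 0, "repeat_gaps": []})
        row["packets"] += len(stamps)
        row["attempts"] += 1  # assumption: one source port = one attempt
        stamps.sort()
        row["repeat_gaps"] += [int((b - a).total_seconds())
                               for a, b in zip(stamps, stamps[1:])]
    return out

if __name__ == "__main__":
    for src, row in summarize(parse(SAMPLE)).items():
        print(src, row)
```

Feeding the full log through `summarize` gives each notified network a per-source count of packets and distinct source ports to match against its own flow records.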