http://isc.sans.org/port.html?port=7859
---------- Forwarded message ----------
From: Lisa Kachold <lisakachold@obnosis.com>
Date: Mon, May 4, 2009 at 5:56 PM
Subject: Unauthorized Rogue Access Aggressive Distributed Scanning
To: internet.abuse@sjrb.ca, abuse@netatonce.se, ripe@eircom.net
Distributed coordinated denial of service scanning access (from Canada,
Ireland and Sweden IPs [verified in real time via adjacent header packet
analysis as not spoofed]) to honeypot.obnosis.com port 7859 (times are MST
Arizona):
Cisco logs:
May 4 15:45:11 - [Access Log] TCP Packet - 96.54.67.106:61252 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 96.54.67.106:61252 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:35 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:45:38 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:45:44 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:46:31 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:46:34 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:46:40 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:47:06 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:09 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:15 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:35 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:47:38 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:47:44 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:48:04 - [Access Log] TCP Packet - 96.54.67.106:60954 --> 192.168.1.254:7859
May 4 15:48:44 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:48:47 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:48:53 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:49:20 - [Access Log] TCP Packet - 85.195.35.76:3572 --> 192.168.1.254:7859
May 4 15:50:42 - [Access Log] TCP Packet - 86.46.102.219:58547 --> 192.168.1.254:7859
May 4 15:50:45 - [Access Log] TCP Packet - 86.46.102.219:58547 --> 192.168.1.254:7859
WARNING: This is a roo honeywall honeypot on a private network.
When we obtain additional information and forensics related to encroachments
originating from networks within your liability, they will be presented.
The IP ADDRESSES have been firewalled from other systems outside of the
scope of this study. It is strongly suggested that you alert all personnel
to investigate all access during these events; perform low level systems
examination for binary replacement, encroachment, obfuscation and encrypted
files, or optimally rebuild.
--
www.obnosis.com (503)754-4452
http://en.wikipedia.org/wiki/User:LisaKachold
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
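As an added example (not part of the forwarded report or the list thread), the following Python script parses access-log entries in the format quoted above and flags a destination port that several distinct source IPs hit within a short window, which is the pattern the report calls distributed scanning. It assumes the year is 2009 (the log lines carry no year), uses six entries copied from the report as its sample, and treats repeated hits from one source port a few seconds apart as likely retransmits of a single attempt rather than separate probes.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(  # "[Access Log] TCP Packet" entry format as quoted in the report
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) - \[Access Log\] TCP Packet - "
    r"(?P<src>[\d.]+):(?P<sport>\d+) --> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: six entries copied from the report above (year assumed to be 2009).
SAMPLE = """\
May 4 15:45:11 - [Access Log] TCP Packet - 96.54.67.106:61252 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:35 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:47:06 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:48:04 - [Access Log] TCP Packet - 96.54.67.106:60954 --> 192.168.1.254:7859
May 4 15:50:45 - [Access Log] TCP Packet - 86.46.102.219:58547 --> 192.168.1.254:7859
""".splitlines()

def parse_line(line, year=2009):
    """Parse one entry; return None for lines that are not access-log hits."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]), "dport": int(m["dport"])}

def summarize(lines, year=2009):
    """Per (dst port, src IP): raw hits, distinct source ports, first/last seen.
    Same src:port repeated seconds apart (as in the report) looks like SYN retransmits
    of one unanswered attempt, so 'source_ports' is the better count of attempts."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line, year)
        if rec:
            hits[(rec["dport"], rec["src"])].append(rec)
    return {k: {"hits": len(v), "source_ports": len({r["sport"] for r in v}),
                "first": min(r["ts"] for r in v), "last": max(r["ts"] for r in v)}
            for k, v in hits.items()}

def distributed_scan_alerts(summary, min_sources=3, window_s=600):
    """Flag dst ports hit by >= min_sources distinct IPs whose activity fits in window_s."""
    by_port = defaultdict(list)
    for (dport, src), s in summary.items():
        by_port[dport].append((src, s["first"], s["last"]))
    alerts = []
    for dport, srcs in sorted(by_port.items()):
        span = max(l for _, _, l in srcs) - min(f for _, f, _ in srcs)
        if len(srcs) >= min_sources and span.total_seconds() <= window_s:
            alerts.append((dport, sorted(src for src, _, _ in srcs)))
    return alerts
```

Running `distributed_scan_alerts(summarize(SAMPLE))` reports port 7859 with the three source IPs from the report, all active within about six minutes.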