Fwd: Unauthorized Rogue Access Aggressive Distributed Scanning

Lisa Kachold lisakachold at obnosis.com
Mon May 4 18:19:59 MST 2009


http://isc.sans.org/port.html?port=7859

---------- Forwarded message ----------
From: Lisa Kachold <lisakachold at obnosis.com>
Date: Mon, May 4, 2009 at 5:56 PM
Subject: Unauthorized Rogue Access Aggressive Distributed Scanning
To: internet.abuse at sjrb.ca, abuse at netatonce.se, ripe at eircom.net

Distributed coordinated denial of service scanning access (from Canada,
Ireland and Sweden IPs [verified in real time via adjacent header packet
analysis as not spoofed]) to honeypot.obnosis.com port 7859 (times are MST
Arizona):

Cisco logs:

May 4 15:45:11 - [Access Log] TCP Packet - 96.54.67.106:61252 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 96.54.67.106:61252 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:35 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:45:38 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:45:44 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:46:31 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:46:34 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:46:40 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:47:06 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:09 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:15 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:35 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:47:38 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:47:44 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:48:04 - [Access Log] TCP Packet - 96.54.67.106:60954 --> 192.168.1.254:7859
May 4 15:48:44 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:48:47 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:48:53 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:49:20 - [Access Log] TCP Packet - 85.195.35.76:3572 --> 192.168.1.254:7859
May 4 15:50:42 - [Access Log] TCP Packet - 86.46.102.219:58547 --> 192.168.1.254:7859
May 4 15:50:45 - [Access Log] TCP Packet - 86.46.102.219:58547 --> 192.168.1.254:7859

WARNING: This is a roo honeywall honeypot on a private network.

When we obtain additional information and forensics related to encroachments
originating from networks within your liability, they will be presented.

The IP ADDRESSES have been firewalled from other systems outside of the
scope of this study.  It is strongly suggested that you alert all personnel
to investigate all access during these events; perform low level systems
examination for binary replacement, encroachment, obfuscation and encrypted
files, or optimally rebuild.
-- 
www.obnosis.com (503)754-4452
http://en.wikipedia.org/wiki/User:LisaKachold
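An added example, not part of the original post: a small Python analyser for the Cisco "[Access Log]" line format quoted above. It parses the lines, groups them per source IP, separates raw packet counts from distinct connection attempts (each new ephemeral source port), and measures how many distinct sources hit the same destination port inside a time window, which is the check that turns "lots of packets" into "distributed". The sample input is the post's own 24 lines re-joined; the year (2009, taken from the mail date) and the thresholds in `flag_probes` are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the 24 "[Access Log]" lines quoted in the post, one per line.
# The log carries no year; 2009 is assumed from the mail header.
SAMPLE_LOG = """\
May 4 15:45:11 - [Access Log] TCP Packet - 96.54.67.106:61252 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 96.54.67.106:61252 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:11 - [Access Log] TCP Packet - 85.195.35.76:3432 --> 192.168.1.254:7859
May 4 15:45:35 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:45:38 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:45:44 - [Access Log] TCP Packet - 85.195.35.76:3460 --> 192.168.1.254:7859
May 4 15:46:31 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:46:34 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:46:40 - [Access Log] TCP Packet - 85.195.35.76:3491 --> 192.168.1.254:7859
May 4 15:47:06 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:09 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:15 - [Access Log] TCP Packet - 86.46.102.219:59237 --> 192.168.1.254:7859
May 4 15:47:35 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:47:38 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:47:44 - [Access Log] TCP Packet - 85.195.35.76:3527 --> 192.168.1.254:7859
May 4 15:48:04 - [Access Log] TCP Packet - 96.54.67.106:60954 --> 192.168.1.254:7859
May 4 15:48:44 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:48:47 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:48:53 - [Access Log] TCP Packet - 96.54.67.106:61546 --> 192.168.1.254:7859
May 4 15:49:20 - [Access Log] TCP Packet - 85.195.35.76:3572 --> 192.168.1.254:7859
May 4 15:50:42 - [Access Log] TCP Packet - 86.46.102.219:58547 --> 192.168.1.254:7859
May 4 15:50:45 - [Access Log] TCP Packet - 86.46.102.219:58547 --> 192.168.1.254:7859
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"\[Access Log\] (?P<proto>TCP|UDP) Packet - "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) --> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

def parse_line(line, year=2009):
    """Parse one access-log line into a dict; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}

def parse_log(text, year=2009):
    """Parse a whole log, skipping non-matching lines (headings, mail wrapping)."""
    events = (parse_line(line, year) for line in text.splitlines())
    return [e for e in events if e is not None]

def summarize(events):
    """Per source IP: packet count, distinct source ports (~ connect() calls), first/last, span."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    summary = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        ports = sorted({e["sport"] for e in evs})
        summary[src] = {
            "packets": len(evs),
            "attempts": len(ports),  # repeats from one source port are retransmits, not new attempts
            "source_ports": ports,
            "dports": sorted({e["dport"] for e in evs}),
            "first": evs[0]["ts"],
            "last": evs[-1]["ts"],
            "span_seconds": int((evs[-1]["ts"] - evs[0]["ts"]).total_seconds()),
        }
    return summary

def flag_probes(summary, min_attempts=2, min_packets=3):
    """Sources that came back more than once (thresholds are illustrative assumptions)."""
    return sorted(src for src, s in summary.items()
                  if s["attempts"] >= min_attempts and s["packets"] >= min_packets)

def max_distinct_sources(events, dport, window_seconds):
    """Largest number of distinct source IPs hitting `dport` inside any window of the given
    length; more than one is what makes the activity distributed rather than one noisy host."""
    evs = sorted((e for e in events if e["dport"] == dport), key=lambda e: e["ts"])
    best = 0
    for i, start in enumerate(evs):
        seen = set()
        for e in evs[i:]:
            if (e["ts"] - start["ts"]).total_seconds() > window_seconds:
                break
            seen.add(e["src"])
        best = max(best, len(seen))
    return best

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, s in sorted(summarize(evs).items()):
        print(f"{src:15} packets={s['packets']:2} attempts={s['attempts']} "
              f"{s['first']:%H:%M:%S}-{s['last']:%H:%M:%S} ({s['span_seconds']}s)")
    print("flagged:", flag_probes(summarize(evs)))
    print("distinct sources to 7859 within 60s:", max_distinct_sources(evs, 7859, 60))
```

On the post's own lines this yields 13 packets but only 5 attempts from 85.195.35.76 over 249 seconds, 6 packets / 3 attempts from 96.54.67.106 and 5 / 2 from 86.46.102.219, with all three sources reaching port 7859 inside a single 60-second window. The groups of three packets from one source port spaced about 3 and 6 seconds apart are the shape of TCP SYN retransmission after an unanswered SYN, which is why counting distinct source ports rather than packets gives a fairer picture of how hard a host was actually trying.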


More information about the PLUG-discuss mailing list