Discussion:
WTF is all this?
j***@specsol.spam.sux.com
2014-10-07 01:12:52 UTC
Lately I've been getting lots of log entries like:

Oct 6 17:51:51 mail ipmon[127]: [ID 702911 local0.warning] 17:51:51.658744
e1000g0 @0:78 b 188.132.241.144,0 -> my_ip,0 PR tcp len 20 60 -ARSFEC IN
Oct 6 17:52:15 mail ipmon[127]: [ID 702911 local0.warning] 17:52:15.592072
e1000g0 @0:126 b 58.221.223.253,6000 -> my_ip,1433 PR tcp len 20 40 -S IN
Oct 6 17:52:15 mail ipmon[127]: [ID 702911 local0.warning] 17:52:15.612284
e1000g0 @0:126 b 58.221.223.253,6000 -> my_ip,1433 PR tcp len 20 40 -S IN
Oct 6 17:54:43 mail ipmon[127]: [ID 702911 local0.warning] 17:54:43.961218
e1000g0 @0:135 b 81.91.83.77,0 -> my_ip,0 PR tcp len 20 60 -SUPEC IN bad

Obviously a whole bunch of people are attempting to exploit something, but
what?
--
Jim Pennino
Bit Twister
2014-10-07 04:35:45 UTC
Post by j***@specsol.spam.sux.com
Oct 6 17:51:51 mail ipmon[127]: [ID 702911 local0.warning] 17:51:51.658744
Oct 6 17:52:15 mail ipmon[127]: [ID 702911 local0.warning] 17:52:15.592072
Oct 6 17:52:15 mail ipmon[127]: [ID 702911 local0.warning] 17:52:15.612284
Oct 6 17:54:43 mail ipmon[127]: [ID 702911 local0.warning] 17:54:43.961218
Obviously a whole bunch of people are attempting to exploit something, but
what?
Assuming target port 1433, we can guess a new Micro$not feature,
https://secure.dshield.org/port.html?port=1433
j***@specsol.spam.sux.com
2014-10-07 05:24:55 UTC
Post by Bit Twister
Post by j***@specsol.spam.sux.com
Oct 6 17:51:51 mail ipmon[127]: [ID 702911 local0.warning] 17:51:51.658744
Oct 6 17:52:15 mail ipmon[127]: [ID 702911 local0.warning] 17:52:15.592072
Oct 6 17:52:15 mail ipmon[127]: [ID 702911 local0.warning] 17:52:15.612284
Oct 6 17:54:43 mail ipmon[127]: [ID 702911 local0.warning] 17:54:43.961218
Obviously a whole bunch of people are attempting to exploit something, but
what?
Assuming target port 1433, we can guess a new Micro$not feature,
https://secure.dshield.org/port.html?port=1433
Actually the ports are all over the map but the most numerous one seems to
be port 25 with a lot to 53, 445 and 950 by quick inspection.

I think I need a script to list and count the ports.
--
Jim Pennino
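
A script of the kind asked for in the post above, added here as an example and not part of the original thread: it tallies blocked packets per protocol and destination port from ipmon syslog lines, and also counts distinct source addresses per port so a single noisy scanner can be told apart from many hosts. The names `count_ports` and `report` are hypothetical, the sample entries are constructed (documentation address ranges, `my_ip` as on the page), and port-less ICMP entries are assumed to appear as bare addresses.

```python
import re
import sys
from collections import Counter, defaultdict

# Address part of an ipmon entry: "src,sport -> dst,dport PR proto".
# Ports are optional because entries such as ICMP carry none (assumption).
ENTRY = re.compile(
    r"\s(?P<src>[^\s,]+)(?:,(?P<sport>[^\s,]+))?\s+->\s+"
    r"(?P<dst>[^\s,]+)(?:,(?P<dport>[^\s,]+))?\s+PR\s+(?P<proto>\S+)"
)

# Constructed sample entries; the fourth one is wrapped over two lines as in the post.
SAMPLE = """\
Oct 6 18:00:01 mail ipmon[127]: [ID 702911 local0.warning] 18:00:01.000001 e1000g0 @0:126 b 192.0.2.10,6000 -> my_ip,1433 PR tcp len 20 40 -S IN
Oct 6 18:00:01 mail ipmon[127]: [ID 702911 local0.warning] 18:00:01.020002 e1000g0 @0:126 b 192.0.2.10,6000 -> my_ip,1433 PR tcp len 20 40 -S IN
Oct 6 18:00:09 mail ipmon[127]: [ID 702911 local0.warning] 18:00:09.000003 e1000g0 @0:126 b 198.51.100.7,40112 -> my_ip,25 PR tcp len 20 60 -S IN
Oct 6 18:00:12 mail ipmon[127]: [ID 702911 local0.warning] 18:00:12.000004
e1000g0 @0:78 b 203.0.113.5,0 -> my_ip,25 PR tcp len 20 60 -S IN
Oct 6 18:00:20 mail ipmon[127]: [ID 702911 local0.warning] 18:00:20.000005 e1000g0 @0:126 b 203.0.113.9 -> my_ip PR icmp len 20 84 icmp echo/0 IN
"""

def count_ports(lines):
    """Return (hits, sources): packet count and source-address set per (proto, dport)."""
    hits = Counter()
    sources = defaultdict(set)
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue  # timestamp-only half of a wrapped entry, or an unrelated syslog line
        key = (m["proto"], m["dport"] or "-")  # "-" marks entries without a port
        hits[key] += 1
        sources[key].add(m["src"])
    return hits, sources

def report(hits, sources):
    """Format the tally, busiest destination port first."""
    rows = [f"{'count':>6} {'srcs':>5}  proto/port"]
    for (proto, dport), n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
        rows.append(f"{n:>6} {len(sources[(proto, dport)]):>5}  {proto}/{dport}")
    return "\n".join(rows)

if __name__ == "__main__":
    # Pass a log file path as the first argument; without one the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            print(report(*count_ports(fh)))
    else:
        print(report(*count_ports(SAMPLE.splitlines())))
```

Because the pattern only needs the `src -> dst PR proto` portion, it works both on one-line syslog entries and on entries wrapped after the timestamp as they appear in the post.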