Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Some Logs and/or packets please? - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Some Logs and/or packets please?

Hi,   if you have some logs from the following subnets to your infrastructure and you are able to share, could you?

  • 61.174.51.0/24 (although I'll take /16)
  • 218.2.0.0/24
  • 122.225.0.0/16
  • 112.101.64.0/24
  • 103.41.124.0/24
  • 61.240.144.0/24

If you can't share logs or packets,  maybe you could send me a source IP and Destination Port.  (just use the contact form or send them direct to markh.isc (at) gmail.com  )

The above are all active on SSH and DNS, just trying to see if there is anything else and if so what and in which part of the world.  

Regards

Mark 

NOTE:  Thanks for all the info so far, very much appreciated,  keep it coming.  If sending a file please email direct to markh.isc (at) gmail.com as the contact form file facility is having a challenge.  It is being looked at, but in the mean time please use the email address.  - RESOLVED

Update:  Firstly thank you all for providing information.  The response has been great.  I've spent the last 5 hours sending thank you's and getting the info down :-).  

A first look at the data is already providing some interesting info.  I'll hopefully get the first cut of some info out later today.  If you have devices in the Middle East, Africa, Asia, Europe, South America or Australia I especially interested in those.  Also if you have a packet capture for allowed connections from 61.240.144.64, 65, 66, 67  or IDS/IPS capture of the initial request (allowed or denied) and you can share, great.  

Some of the log shared so far include firewall and router logs, honeypot logs (one especially interesting as it is using P0F to passively finger print the source), but also some really interesting netflow and argus info.  So again thanks to you all. 

Thanks M

Mark

391 Posts
ISC Handler
Sent you an email full of packets, psad and fail2ban logs a few minutes ago.
Anonymous
Seeing ICMP, SSH, DNS, x11, Zeus? (probably, looking for port 9090), NTP, VNC
JeffSoh

31 Posts
I don't have pcaps to send but I'm also seeing a moderate amount of activity on my perimeter from 122.225.0.0/16. Most of the logs are blocked attempts to various IPs on my perimeter to TCP/22.
da1212

69 Posts
Whenever I see posts like this I want to know more about that block of IP addresses. For example 122.225.0.0/16. I know I can go to whatismyipaddress.com and search 122.225.1.1 and 122.225.254.254. More interesting to me are the results of a blacklist check.

whatismyipaddress.com/blacklist-check

If I type in 122.225.1.1 it will report blacklist status from 70+ different sources. Does anyone know how to get information like this for multiple IP addresses? For example.

Type in 122.225.0.0/16

Output
X number of IP address in this block are blacklisted.
mabraFoo

9 Posts
Statistics from Poland

>grep "218.2.0" kippo.log* | wc -l
134807
>grep "122.225" kippo.log* | wc -l
228698
>grep "61.174.51" kippo.log* | wc -l
241599
>grep "112.101.64" kippo.log* | wc -l
39
>grep "103.41.124" kippo.log* | wc -l
2985995
>grep "61.240.144" kippo.log* | wc -l
0
>ls -l kippo.log* | wc -l
691
>ls -lt | tail -1 | cut -d" " -f 6-
Jun 15 2014 kippo.log.690

Cheers
piotr.chmylkowskigmail.com

2 Posts
61.174.51.199 sweep scan TCP 22
61.174.51.200 sweep scan TCP 22
61.174.51.202 sweep scan TCP 22
61.174.51.207 sweep scan TCP 22
61.174.51.211 sweep scan TCP 22
61.174.51.221 sweep scan TCP 22
61.174.51.223 sweep scan TCP 22
61.174.51.231 sweep scan TCP 22
61.174.51.234 sweep scan TCP 22


103.41.124.60 - sweep scan TCP 22

61.240.144.65 - sweep scan TCP 23, 25, 111, 443, 636, 777, 1158, 3128, 3389, 5900, 8009, 9312, 60010

61.240.144.66 - sweep scan TCP 22, 1433, 3306, 6379, 7001, 8080, 8090, 8360, 9312, 11211, 27017, 50030, 50070, 60030

61.240.144.66 - sweep scan UDP 53

61.240.144.67 - sweep scan TCP 21, 81, 88, 110, 111, 873, 1158, 4899, 5800, 8088, 32764, 50010, 50030, 60010, 60030

61.240.144.67 - sweep scan UDP 23
Anonymous
most of these ranges are currently or in the last week active on my honeypots in europe...
-> https://honey.donotstalk.me you can get a daily db-dump there too....


goodnight.
Anonymous
I know this is an old thread but was wondering if you could share info on what you discovered.
I found that my company is getting scanned every day by address in this block:
61.240.144.0/24
I have packet captures and firewall logs from some of the scans. It looks like a SYN scan, but it attempts to go to the same ports each day. They are scanning every external IP address at multiple sites around the world.
BrianT

1 Posts

Sign Up for Free or Log In to start participating in the conversation!