Some time ago, I noticed constant incoming traffic on one of my boxes. Firestarter was running on it and I thought I'd give the "events log" a look. There were 1000+ blocked connections, many of which looked like scans (and many were). The most scanned port was ms-sql (not surprised at all). So I whipped up a quick scriptlet to get the top 20 IPs and "whois" them to find out where they were coming from.
The results:
---------------- 124 scans from 91.198.174.234 ------------------------
descr: Wikimedia's Amsterdam cluster (knams)
descr: Wikimedia Foundation, Inc.
country: NL
address: Wikimedia Foundation, Inc.
address: USA
address: US
address: San Francisco, CA 94105 USA
address: San Francisco
address: CA 94105 San Francisco
address: CA 94105
address: 3rd Floor
address: 3rd floor
address: 149 New Montgomery Street
address: 149 New Montgomery, 3rd Floor
---------------------------------------------------------------
---------------- 109 scans from 91.198.174.233 ------------------------
descr: Wikimedia's Amsterdam cluster (knams)
descr: Wikimedia Foundation, Inc.
country: NL
address: Wikimedia Foundation, Inc.
address: USA
address: US
address: San Francisco, CA 94105 USA
address: San Francisco
address: CA 94105 San Francisco
address: CA 94105
address: 3rd Floor
address: 3rd floor
address: 149 New Montgomery Street
address: 149 New Montgomery, 3rd Floor
---------------------------------------------------------------
---------------- 37 scans from 81.0.237.38 ------------------------
descr: Gransy s.r.o.
descr: Casablanca INT
country: CZ
address: Vinohradska 184, Prague 3 - 130 52
address: Czech republic
address: Casablanca INT
---------------------------------------------------------------
---------------- 18 scans from 58.221.60.159 ------------------------
descr: China Telecom
descr: CHINANET jiangsu province network
descr: Beijing 100088
descr: A12,Xin-Jie-Kou-Wai Street
country: CN
address: No.31 ,jingrong street,beijing
address: 260 Zhongyang Road,Nanjing 210037
address: 100032
------------------------------------------
---------------- 10 scans from 42.96.185.184 ------------------------
descr: Chaoyang District,Beijing
descr: Alibaba (Beijing) Technology Co., Ltd.
descr: 9F,Tower A Winterless center,NO.1 West Da Wang Lu,
country: CN
Comment: using this IP address range and is not able to investigate
Comment: This IP address range is not registered in the ARIN database.
Comment: spam or abuse reports relating to these addresses. For more
address: No.99 HuaXing Rd. Hangzhou,310099
---------------------------------------------------------------
---------------- 8 scans from 87.93.45.81 ------------------------
descr: DNA Oy
descr: DNA Finland
country: FI
address: PL 41
address: Finland
address: DNA Oy
address: 01741 Vantaa
---------------------------------------------------------------
Scriptlet:
------------------------------------------------------------------------
#!/bin/bash
# scriptlet to know where the scans are coming from
echo "Enter the firestarter events file"
read -r events            # was 'read $events', which never set the variable
tmp=$(mktemp)             # temp files via mktemp instead of fixed names in the cwd
tmp_who=$(mktemp)
# pull every "Source:a.b.c.d" field, keep the address, count hits per IP, top 10
grep -E -o -h "Source:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" "$events" \
    | awk -F ":" '{ print $2 }' | sort | uniq -c | sort -nr | head -10 > "$tmp"
# each line of $tmp is "<count> <ip>", so read splits it for us
while read -r count ip
do
    whois "$ip" > "$tmp_who"
    echo "---------------- $count scans from $ip ------------------------"
    # keep only the registry lines that say who owns the block and where
    grep 'country\|address\|descr' "$tmp_who" | sort -r | uniq
    echo "---------------------------------------------------------------"
    sleep 1    # don't hammer the whois servers
done < "$tmp"
rm -f "$tmp" "$tmp_who"
-------------------------------------------------------------------------
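The post says ms-sql was the most scanned port, but the scriptlet only tallies source IPs. As an added example (not from the original post), here is the same grep/sort/uniq counting done for both sources and destination ports, working offline on stdin so it can be checked without whois. The "Key:value" field layout and the sample lines are constructed assumptions based on the "Source:a.b.c.d" pattern the scriptlet greps for, not a real Firestarter capture.

```shell
#!/bin/bash
# Added example: top-N scanning sources and top-N targeted ports from a
# Firestarter-style events log read on stdin. Field layout is assumed.

# Top N source IPs, most frequent first. Output: "<count> <ip>" per line.
top_sources() {   # $1 = N
    grep -E -o -h 'Source:[0-9]{1,3}(\.[0-9]{1,3}){3}' \
        | cut -d: -f2 | sort | uniq -c | sort -rn | head -n "$1" \
        | awk '{ print $1, $2 }'   # normalise uniq -c's leading spaces
}

# Top N destination ports, same output shape: "<count> <port>".
top_ports() {     # $1 = N
    grep -E -o -h 'Port:[0-9]{1,5}' \
        | cut -d: -f2 | sort | uniq -c | sort -rn | head -n "$1" \
        | awk '{ print $1, $2 }'
}

# Constructed sample events (documentation-range addresses, invented values).
SAMPLE='Time:Jan 1 10:00:01 Direction:Inbound In:eth0 Port:1433 Source:203.0.113.5 Destination:192.0.2.10 Protocol:TCP
Time:Jan 1 10:00:02 Direction:Inbound In:eth0 Port:1433 Source:203.0.113.5 Destination:192.0.2.10 Protocol:TCP
Time:Jan 1 10:00:05 Direction:Inbound In:eth0 Port:445 Source:198.51.100.7 Destination:192.0.2.10 Protocol:TCP
Time:Jan 1 10:00:09 Direction:Inbound In:eth0 Port:1433 Source:198.51.100.7 Destination:192.0.2.10 Protocol:TCP
Time:Jan 1 10:00:11 Direction:Inbound In:eth0 Port:22 Source:203.0.113.5 Destination:192.0.2.10 Protocol:TCP'

echo "Top 2 sources:"
printf '%s\n' "$SAMPLE" | top_sources 2
echo "Top 2 ports:"
printf '%s\n' "$SAMPLE" | top_ports 2
```

On a real log, run `top_ports 20 < events_file` (or feed it the same file the scriptlet asks for).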
Conclusions:
- Micro$oft products are the most searched for by worms and scanners
- Firestarter is a hack, not for professional use
- A lot of folks/worms from China scan everyone else all the freakin' time!!
:)