PortPeeker Capture of 65506 Scans and email relay attempts
We had a number of port scans against TCP port 65506, and the open port must then
have attracted the interest of someone who performed the following proxy scan.
As part of it they also requested a cgi-bin environment checker through the
proxy, to see whether the proxy would connect anonymously or forward identifying
headers.
TCP Connection Request
---- 11/03/2004 00:49:42.505
67.172.223.250 : 3804 TCP Connected ID = 1
---- 11/03/2004 00:49:42.505
Status Code: 0 OK
67.172.223.250 : 3804 TCP Data In Length 66 bytes
MD5 = 7CCD065E4BD68E9E172E17B6C9DE1CFA
---- 11/03/2004 00:49:42.516
0000 47 45 54 20 68 74 74 70 3A 2F 2F 77 77 77 2E 68 GET http://www.h
0010 65 6C 6C 6C 61 62 73 2E 63 6F 6D 2E 75 61 2F 63 elllabs.com.ua/c
0020 67 69 2D 62 69 6E 2F 74 65 78 74 65 6E 76 2E 70 gi-bin/textenv.p
0030 6C 3F 36 35 35 30 36 20 48 54 54 50 2F 31 2E 30 l?65506 HTTP/1.0
0040 0D 0A ..
67.172.223.250 : 3804 TCP Data In Length 274 bytes
MD5 = B02992E2BC31B79CE090CBB4DDD7A1BA
---- 11/03/2004 00:49:42.786
0000 48 6F 73 74 3A 20 77 77 77 2E 68 65 6C 6C 6C 61 Host: www.hellla
0010 62 73 2E 63 6F 6D 2E 75 61 0D 0A 41 63 63 65 70 bs.com.ua..Accep
0020 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D t: image/gif, im
0030 61 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 age/x-xbitmap, i
0040 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 mage/jpeg, image
0050 2F 70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74 /pjpeg, applicat
0060 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 65 78 63 65 6C ion/vnd.ms-excel
0070 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6D 73 , application/ms
0080 77 6F 72 64 2C 20 2A 2F 2A 0D 0A 41 63 63 65 70 word, */*..Accep
0090 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 0D 0A t-Language: en..
00A0 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi
00B0 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 lla/4.0 (compati
00C0 62 6C 65 3B 20 4D 53 49 45 20 35 2E 35 3B 20 57 ble; MSIE 5.5; W
00D0 69 6E 64 6F 77 73 20 4E 54 20 34 2E 30 29 0D 0A indows NT 4.0)..
00E0 50 72 61 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 Pragma: no-cache
00F0 0D 0A 50 72 6F 78 79 2D 43 6F 6E 6E 65 63 74 69 ..Proxy-Connecti
0100 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A on: Keep-Alive..
0110 0D 0A ..
67.172.223.250 : 3804 TCP Disconnected ID = 1
---- 11/03/2004 00:49:52.570
Status Code: 45056 [45056] (no description available)
TCP Connection Request
---- 11/03/2004 00:49:52.690
67.172.223.250 : 2515 TCP Connected ID = 1
---- 11/03/2004 00:49:52.690
Status Code: 0 OK
67.172.223.250 : 2515 TCP Data In Length 9 bytes
MD5 = E8302B4B22768A00926F8D936C92D41A
---- 11/03/2004 00:49:52.690
0000 04 01 00 50 D9 10 10 6D 00 ...P...m.
67.172.223.250 : 2515 TCP Disconnected ID = 1
---- 11/03/2004 00:50:02.865
Status Code: 45056 [45056] (no description available)
TCP Connection Request
---- 11/03/2004 00:50:03.015
67.172.223.250 : 1982 TCP Connected ID = 1
---- 11/03/2004 00:50:03.015
Status Code: 0 OK
67.172.223.250 : 1982 TCP Data In Length 3 bytes
MD5 = 19B893B938ACE1DEFE7D090E510F0618
---- 11/03/2004 00:50:03.025
0000 05 01 00 ...
67.172.223.250 : 1982 TCP Disconnected ID = 1
---- 11/03/2004 00:50:13.160
Status Code: 45056 [45056] (no description available)
They must have been satisfied that the proxy was available, even though PortPeeker
never returned anything, because it was then plugged into their systems for
sending out massive amounts of spam and we captured literally thousands upon
thousands of connection attempts (about 1.5 per second).
209.51.212.114 : 4856 TCP Data In Length 38 bytes
MD5 = F4C16A6609BED1750C4BA8E8CBF2AF18
---- 11/03/2004 03:16:24.322
0000 43 4F 4E 4E 45 43 54 20 36 34 2E 32 32 34 2E 32 CONNECT 64.224.2
0010 31 39 2E 31 32 32 3A 32 35 20 48 54 54 50 2F 31 19.122:25 HTTP/1
0020 2E 30 0D 0A 0D 0A .0....
209.126.185.116 : 1365 TCP Data In Length 36 bytes
MD5 = BEBB9209F7F86734C9D0C695671D47FF
---- 11/03/2004 03:16:09.691
0000 43 4F 4E 4E 45 43 54 20 31 39 38 2E 38 30 2E 31 CONNECT 198.80.1
0010 33 31 2E 34 3A 32 35 20 48 54 54 50 2F 31 2E 30 31.4:25 HTTP/1.0
0020 0D 0A 0D 0A ....
209.51.212.130 : 2003 TCP Data In Length 38 bytes
MD5 = EE657F6B2B5CAAF56999215478268AC8
---- 11/03/2004 03:16:54.515
0000 43 4F 4E 4E 45 43 54 20 31 39 35 2E 32 34 35 2E CONNECT 195.245.
0010 32 33 30 2E 38 33 3A 32 35 20 48 54 54 50 2F 31 230.83:25 HTTP/1
0020 2E 30 0D 0A 0D 0A .0....
Given that PortPeeker was happily 'wasting' these spam attempts, we decided to
leave it running for a while to see just how many attempts we would get.

Link Logger inbound 65506 traffic chart taken March 12 0500
It would almost appear they started with a small test and then loaded up for
bear. NOTE: PortPeeker is entirely passive during this; it only listens and
does not respond or send out any traffic. At some point we would expect them to
notice that none of their spam is being relayed through us and stop. We closed
the port on the firewall at 7:00am local time, but continued to receive traffic
for many hours. This is also an example of how you can be assigned a new IP
address that is already receiving a lot of traffic.
So far all this traffic came from a total of 45 IP addresses; however, only 20
of them were used to attempt to relay spam through us.
| IP Address | Hostname | Port | Events | Last Event |
| --- | --- | --- | --- | --- |
| 216.65.116.155 | - Not Found - | 65506 | 5960 | 12/03/2004 1:25:19 PM |
| 216.65.117.94 | - Not Found - | 65506 | 5850 | 12/03/2004 1:25:43 PM |
| 216.65.117.7 | - Not Found - | 65506 | 5745 | 12/03/2004 1:25:28 PM |
| 69.44.156.234 | om.monasterio.cr | 65506 | 5726 | 12/03/2004 1:25:39 PM |
| 69.44.157.236 | mn1.mixman.at | 65506 | 5400 | 12/03/2004 1:42:15 PM |
| 69.44.152.226 | df1.kilma.se | 65506 | 5061 | 12/03/2004 1:30:32 PM |
| 69.44.157.21 | ns1.jindira.ch | 65506 | 4834 | 12/03/2004 1:44:03 PM |
| 69.44.154.211 | dns.exotic.de | 65506 | 4749 | 12/03/2004 1:31:12 PM |
| 69.44.157.26 | dt2.primorski.se | 65506 | 4494 | 12/03/2004 1:40:58 PM |
| 69.44.155.167 | ev1.blad.nl | 65506 | 4149 | 12/03/2004 1:37:43 PM |
| 69.44.157.23 | ws1.laxku.ch | 65506 | 3593 | 12/03/2004 1:26:53 PM |
| 216.65.117.98 | - Not Found - | 65506 | 3271 | 12/03/2004 1:26:11 PM |
| 209.126.185.85 | DEDICATED8 | 65506 | 1451 | 12/03/2004 2:38:09 AM |
| 66.36.240.76 | sls-ce12p13.dca2.superb.net | 65506 | 1367 | 12/03/2004 2:39:12 AM |
| 209.51.212.114 | XLHOST | 65506 | 1222 | 12/03/2004 2:15:57 AM |
| 209.126.185.145 | - Not Found - | 65506 | 1019 | 12/03/2004 2:15:24 AM |
| 209.126.185.150 | - Not Found - | 65506 | 883 | 12/03/2004 12:17:36 AM |
| 209.51.212.130 | XLDED45454 | 65506 | 845 | 11/03/2004 11:30:50 PM |
| 203.98.177.85 | IS~D47 | 65506 | 184 | 12/03/2004 2:20:17 AM |
| 209.126.185.116 | DEDICATED1 | 65506 | 77 | 11/03/2004 4:56:57 AM |
| 203.98.177.84 | IS~D46 | 65506 | 50 | 11/03/2004 2:32:36 PM |
| 38.112.121.130 | - Not Found - | 65506 | 49 | 11/03/2004 11:48:47 PM |
| 67.172.223.250 | c-67-172-223-250.client.comcast.net | 65506 | 12 | 11/03/2004 2:45:27 AM |
| 65.49.48.218 | CPE000625768b74-CM013439900620.cpe.net.cable.rogers.com | 65506 | 8 | 11/03/2004 3:01:38 PM |
| 24.1.15.200 | c-24-1-15-200.client.comcast.net | 65506 | 7 | 11/03/2004 4:35:22 PM |
| 210.245.151.71 | - Not Found - | 65506 | 5 | 11/03/2004 11:38:39 AM |
| 210.245.151.72 | - Not Found - | 65506 | 4 | 12/03/2004 1:11:56 AM |
| 38.112.121.153 | - Not Found - | 65506 | 4 | 11/03/2004 12:55:37 PM |
| 64.222.46.128 | dpvc-64-222-46-128.prov.east.verizon.net | 65506 | 3 | 11/03/2004 11:09:23 PM |
| 67.85.190.246 | ool-4355bef6.dyn.optonline.net | 65506 | 3 | 11/03/2004 10:12:08 PM |
| 64.222.46.181 | dpvc-64-222-46-181.prov.east.verizon.net | 65506 | 3 | 11/03/2004 11:40:07 AM |
| 218.87.218.5 | GONGLIBIN | 65506 | 1 | 12/03/2004 11:25:00 AM |
| 211.123.235.39 | p0293-ip01kyoto.kyoto.ocn.ne.jp | 65506 | 1 | 11/03/2004 3:51:00 PM |
| 61.185.11.208 | HBNETBAR-KLU866 | 65506 | 1 | 11/03/2004 2:48:58 PM |
| 65.94.109.108 | OWNER-49CRBI6KG | 65506 | 1 | 11/03/2004 2:42:39 PM |
| 24.132.15.43 | node10f2b.a2000.nl | 65506 | 1 | 11/03/2004 2:33:12 PM |
| 211.195.60.127 | - Not Found - | 65506 | 1 | 11/03/2004 2:11:40 PM |
| 64.160.23.42 | adsl-64-160-23-42.dsl.lsan03.pacbell.net | 65506 | 1 | 11/03/2004 2:11:01 PM |
| 221.151.96.144 | - Not Found - | 65506 | 1 | 11/03/2004 2:10:53 PM |
| 63.109.117.237 | - Not Found - | 65506 | 1 | 11/03/2004 2:09:22 PM |
| 210.107.69.102 | - Not Found - | 65506 | 1 | 11/03/2004 2:01:38 PM |
| 212.106.160.242 | mil242.milnet.silesianet.pl | 65506 | 1 | 11/03/2004 1:58:21 PM |
| 203.218.238.41 | pcd448041.netvigator.com | 65506 | 1 | 11/03/2004 1:30:30 AM |
| 61.177.60.194 | - Not Found - | 65506 | 1 | 11/03/2004 12:36:15 AM |
| 210.183.16.177 | - Not Found - | 65506 | 1 | 11/03/2004 12:02:07 AM |
| 211.104.126.114 | - Not Found - | 65506 | 1 | 10/03/2004 11:45:26 PM |
| 211.180.246.208 | - Not Found - | 65506 | 1 | 10/03/2004 11:35:05 PM |
| 61.109.232.106 | CLASS4-14 | 65506 | 1 | 10/03/2004 11:21:06 PM |
| 211.168.250.214 | - Not Found - | 65506 | 1 | 10/03/2004 10:08:48 PM |
| 61.109.232.73 | - Not Found - | 65506 | 1 | 10/03/2004 9:06:49 PM |
| 210.107.78.214 | - Not Found - | 65506 | 1 | 10/03/2004 6:39:46 PM |
| 202.155.149.166 | - Not Found - | 65506 | 1 | 10/03/2004 2:51:39 PM |
| 202.101.161.218 | - Not Found - | 65506 | 1 | 10/03/2004 8:39:59 AM |

Link Logger Hostname Report for sources of 65506 traffic to our PortPeeker system
This would be a good reply to a typical question we hear from users: 'why would
they want my computer, there is nothing on it'. Sometimes hackers, or in this
case spammers, just want your IP address, CPU, disk space or bandwidth, and
couldn't care less what is actually on your computer, as that is not their
objective beyond an open proxy (which is likely installed via a virus
infection). Had this honeypot really been infected and been a real spam relay,
then thousands of people if not more would have received spam sent through this
computer, so its 'lack' of security would have negatively impacted a lot of
people. If that spam contained viruses, the impact could have been far larger.
So this is a perfect example of the effect that one insecure computer can have
on others.
The internet is a community, and if you let one crack house into the
neighbourhood it's likely the whole community suffers, either directly or
indirectly. It would be interesting to find out how many relays these guys are
using, but I'd bet thousands, which is thousands too many.
The other issue surrounds whether spam is legal or not. Given that we certainly
didn't give consent for this system to be used as a spam relay, and likely
nobody else does either, that in itself is illegal (even more so if, for example,
you had to pay for the bandwidth used). Given that it is typical for spammers to
use zombies as relays, it would indicate to us that most spammers are, by
definition, criminals. They could purchase their own systems, bandwidth, IP
addresses, etc. and be legal by definition of the law, but very few if any do,
hence why most spammers are not exactly well loved.