kpatz (reply to jansm38):
Re: TCP port 65506 proxy scan
I'm thinking it has to do with the Phatbot/Agobot backdoor worm/trojan that's been pushed to Mydoom-infected boxes over the past few days. From what I've read it installs a proxy on port 65506.

catseyenu:
said by kpatz: I'm thinking it has to do with the Phatbot/Agobot backdoor worm/trojan that's been pushed to Mydoom-infected boxes over the past few days. From what I've read it installs a proxy on port 65506.
I think you nailed it.

kpatz:
My 65506 'pot has been targeted 40 times since I put it up yesterday morning. So far only two have pushed data (which I posted earlier); the rest have been connection made, but no data passed.
I haven't seen the "CONNECT [ipaddress]" strings that Link Logger has seen yet. Looks like some sort of spam proxying attempt to me. Was any additional data pushed afterward, such as the contents of the spam? Or did it just drop the connection when it failed to receive the desired response?

inTulsa:
said by kpatz: My 65506 'pot has been targeted 40 times since I put it up yesterday morning - so far only two have pushed data (which I posted earlier), the rest have been connection made, but no data passed.
Some of those may be your ISP scanning for it like Cox has: »Security scan 28745 - 28747

Link Logger (reply to kpatz):
They are definitely trying to use my pot as a spam proxy, but of course it fails and the only thing I see are the connect attempts. That is why I said a bunch of people owe me for screwing up this attempt; otherwise they would be getting spam.
Edit: just checked it and it's still being used by at least 35 IP addresses, with over 1000 hits.
Blake

kpatz (reply to inTulsa):
said by inTulsa: Some of those may be your ISP scanning for it like Cox has: »Security scan 28745 - 28747
I just checked the logs; though I've seen some scans from Comcast IPs, they appear to be customer DHCP IP addresses and not security scans originated by Comcast. If they do start scanning I guess I'd have to take my honeypot down so they don't accuse me of being a spam zombie.
Whoa... I'm getting the spam proxy attempts on my pot now. Update at 11... I may take the pot down shortly to protect my internet connection...

kpatz:
Update: I logged the following spam proxy attempts before I shut down the pot on 65506 and closed the port on the firewall. These came in over an approx. 30 minute period. The first column is the source IP/port; the rest was the data passed by that IP/port.

209.126.185.85:4287 CONNECT maila.microsoft.com 25 HTTP/1.0
209.126.185.85:3722 CONNECT maila.microsoft.com 25 HTTP/1.0
209.126.185.85:1036 CONNECT maila.microsoft.com 25 HTTP/1.0
209.126.185.85:2960 CONNECT maila.microsoft.com 25 HTTP/1.0
209.126.185.85:1329 CONNECT maila.microsoft.com 25 HTTP/1.0
209.126.185.85:4687 CONNECT maila.microsoft.com 25 HTTP/1.0
209.126.185.85:2062 CONNECT maila.microsoft.com 25 HTTP/1.0
209.126.185.85:4925 CONNECT maila.microsoft.com 25 HTTP/1.0
209.126.185.85:2537 CONNECT maila.microsoft.com 25 HTTP/1.0
209.126.185.85:3694 CONNECT maila.microsoft.com 25 HTTP/1.0
209.126.185.85:1589 CONNECT maila.microsoft.com 25 HTTP/1.0
209.126.185.85:2828 CONNECT maila.microsoft.com 25 HTTP/1.0
66.36.240.76:2859 CONNECT 212.12.0.3 25 HTTP/1.0
66.36.240.76:4351 CONNECT 205.167.84.40 25 HTTP/1.0
66.36.240.76:1371 CONNECT 212.17.0.22 25 HTTP/1.0
66.36.240.76:1577 CONNECT 69.93.117.246 25 HTTP/1.0
66.36.240.76:1712 CONNECT 81.221.250.53 25 HTTP/1.0
66.36.240.76:2266 CONNECT 213.149.32.10 25 HTTP/1.0
209.126.185.150:1822 CONNECT 165.21.74.114 25 HTTP/1.0
209.126.185.150:4108 CONNECT 12.33.95.4 25 HTTP/1.0
209.126.185.150:4219 CONNECT 165.76.15.136 25 HTTP/1.0
209.51.212.114:2160 CONNECT 152.160.7.138 25 HTTP/1.0
66.36.240.76:2051 CONNECT 205.188.158.57 25 HTTP/1.0
209.51.212.114:3601 CONNECT 216.69.192.37 25 HTTP/1.0
209.51.212.114:1898 CONNECT 12.16.224.9 25 HTTP/1.0
209.51.212.130:3472 CONNECT 198.165.246.16 25 HTTP/1.0
66.36.240.76:4218 CONNECT 196.15.163.22 25 HTTP/1.0
66.36.240.76:4636 CONNECT 207.150.192.13 25 HTTP/1.0
209.126.185.150:1228 CONNECT 12.158.34.245 25 HTTP/1.0
209.51.212.130:3914 CONNECT 207.175.220.60 25 HTTP/1.0
209.51.212.130:4488 CONNECT 207.154.64.17 25 HTTP/1.0
66.36.240.76:2589 CONNECT 207.1.160.162 25 HTTP/1.0
209.51.212.114:3918 CONNECT 141.154.93.109 25 HTTP/1.0
66.36.240.76:1084 CONNECT 4.42.225.83 25 HTTP/1.0
209.51.212.130:1958 CONNECT 80.161.239.146 25 HTTP/1.0
209.51.212.130:4045 CONNECT 65.38.161.99 25 HTTP/1.0
209.126.185.150:2907 CONNECT 192.246.76.129 25 HTTP/1.0
209.126.185.150:3045 CONNECT 12.158.34.245 25 HTTP/1.0
66.36.240.76:1451 CONNECT 62.142.5.28 25 HTTP/1.0
66.36.240.76:3440 CONNECT 63.240.161.100 25 HTTP/1.0
209.126.185.150:3985 CONNECT 209.202.220.212 25 HTTP/1.0
209.51.212.114:4508 CONNECT 66.209.74.41 25 HTTP/1.0
209.51.212.130:3498 CONNECT 192.138.195.38 25 HTTP/1.0
209.51.212.130:1611 CONNECT 209.114.200.45 25 HTTP/1.0
209.51.212.114:2327 CONNECT 64.124.170.131 25 HTTP/1.0
209.51.212.114:2453 CONNECT 199.171.54.203 25 HTTP/1.0
209.51.212.114:2684 CONNECT 66.250.110.252 25 HTTP/1.0
209.51.212.114:3400 CONNECT 65.116.133.2 25 HTTP/1.0
209.51.212.130:3105 CONNECT 63.112.169.25 25 HTTP/1.0
66.36.240.76:2806 CONNECT 24.4.56.51 25 HTTP/1.0
209.51.212.130:2322 CONNECT 194.182.148.158 25 HTTP/1.0
209.51.212.130:1426 CONNECT 216.70.31.96 25 HTTP/1.0
209.51.212.114:2275 CONNECT 212.107.32.204 25 HTTP/1.0
209.126.185.150:1192 CONNECT 168.171.3.252 25 HTTP/1.0
209.126.185.150:4079 CONNECT 216.200.145.35 25 HTTP/1.0
209.51.212.130:2719 CONNECT 64.224.219.122 25 HTTP/1.0
209.51.212.130:4801 CONNECT 202.147.57.6 25 HTTP/1.0
66.36.240.76:3514 CONNECT 165.76.15.136 25 HTTP/1.0
66.36.240.76:3579 CONNECT 207.212.37.163 25 HTTP/1.0
66.36.240.76:3826 CONNECT 63.82.150.4 25 HTTP/1.0
209.51.212.130:1936 CONNECT 63.240.165.100 25 HTTP/1.0
209.51.212.130:1123 CONNECT 193.189.160.18 25 HTTP/1.0
209.126.185.150:4769 CONNECT 207.188.222.21 25 HTTP/1.0
209.126.185.150:2112 CONNECT 216.173.237.171 25 HTTP/1.0
209.126.185.150:2868 CONNECT 63.68.159.251 25 HTTP/1.0
209.51.212.114:1300 CONNECT 63.240.161.100 25 HTTP/1.0
209.126.185.150:1265 CONNECT 209.202.222.10 25 HTTP/1.0
209.51.212.114:1947 CONNECT 66.111.12.66 25 HTTP/1.0
209.126.185.150:2194 CONNECT 12.147.64.228 25 HTTP/1.0
209.126.185.150:2657 CONNECT 219.94.53.243 25 HTTP/1.0
209.51.212.114:4682 CONNECT 12.106.7.82 25 HTTP/1.0
209.51.212.114:1945 CONNECT 12.158.34.245 25 HTTP/1.0
209.126.185.150:1882 CONNECT 199.171.54.202 25 HTTP/1.0
209.51.212.130:2455 CONNECT 207.20.18.130 25 HTTP/1.0
209.126.185.150:2302 CONNECT 216.185.69.72 25 HTTP/1.0
209.51.212.130:1132 CONNECT 216.221.54.42 25 HTTP/1.0
209.51.212.130:1162 CONNECT 12.158.38.251 25 HTTP/1.0
209.51.212.130:4543 CONNECT 199.224.64.60 25 HTTP/1.0

They're still hitting the port... hopefully they'll stop soon now that it's closed.

kpatz:
I've had nearly 1000 hits on 65506 in the past 34 minutes, and the port is closed. This is getting ridiculous.

Link Logger (reply to kpatz):
Yep, I'm seeing these too, b@stards, which is interesting as it appears to be the same group that hit both of our pots.
Blake

kpatz:
Once my Linux box compiles the firewall logs (it does this once per hour), I can compile statistics per IP. Maybe fire off a few emails to ISP abuse addresses...
1415 hits now. Good thing they're just SYN packets, nothing to choke my 'net connection. Still, they're freakin' idiots: connection refused means just that; hitting the port repeatedly isn't going to make it magically open up again...

kpatz:
Here's the hardest hitting IPs:

SourceIP,Host Name,Count
69.44.157.236,mn1.mixman.at,182
69.44.155.167,ev1.blad.nl,180
69.44.154.211,dns.exotic.de,164
69.44.152.226,df1.kilma.se,163
209.51.212.114,,162
209.51.212.130,,160
69.44.157.23,ws1.laxku.ch,159
69.44.156.234,om.monasterio.cr,159
209.126.185.150,,158
209.126.185.145,,149
69.44.157.21,ns1.jindira.ch,144
216.65.116.155,,131
216.65.117.98,,129
216.65.117.94,,121
209.126.185.85,,117
216.65.117.7,,114
69.44.157.26,dt2.primorski.se,106
66.36.240.76,sls-ce12p13.dca2.superb.net,104
203.98.177.84,,69
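Two things in this thread are worth scripting rather than eyeballing: the "CONNECT target 25 HTTP/1.0" lines kpatz captured (a client asking an open proxy to tunnel it to an SMTP server is a spam relay attempt, not a probe) and the per-IP tally he built from his firewall logs. The following is an added example, written for this page and not code from kpatz, Link Logger or the thread. It parses honeypot lines in the exact format posted above (and the RFC-style "CONNECT host:port" spelling as well), tallies CONNECTs per source, counts how many of them aimed at port 25, and ranks the sources that look like spam relays. The sample log is constructed: a few lines are copied from the capture above, and the 10.0.0.x lines are made up to exercise the non-SMTP and non-CONNECT paths.

```python
"""Tally HTTP CONNECT relay attempts from a honeypot capture.

Input lines follow the format posted in the thread:
    <src ip>:<src port> CONNECT <target> <port> HTTP/1.0
The RFC-style "CONNECT host:port" spelling is accepted too.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

CONNECT_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d{1,5})\s+"
    r"CONNECT\s+(?P<target>[^\s:]+)(?:\s+|:)(?P<dport>\d{1,5})\s+HTTP/1\.[01]\s*$"
)

SMTP_PORT = 25

# Constructed sample (assumption, not a real log): five lines copied from the
# capture posted in the thread plus three made-up 10.0.0.x lines covering a
# CONNECT to a non-SMTP port, a non-CONNECT request and a second relay source.
SAMPLE_LOG = """\
209.126.185.85:4287 CONNECT maila.microsoft.com 25 HTTP/1.0
209.126.185.85:3722 CONNECT maila.microsoft.com 25 HTTP/1.0
66.36.240.76:2859 CONNECT 212.12.0.3 25 HTTP/1.0
66.36.240.76:4351 CONNECT 205.167.84.40 25 HTTP/1.0
209.51.212.114:2160 CONNECT 152.160.7.138 25 HTTP/1.0
10.0.0.5:40000 CONNECT example.org:443 HTTP/1.1
10.0.0.6:40001 GET / HTTP/1.0
10.0.0.7:40002 CONNECT 10.0.0.8 25 HTTP/1.0
"""


def parse_connect(line: str) -> Optional[dict]:
    """Return the fields of one CONNECT request, or None for anything else."""
    m = CONNECT_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "target": m.group("target"),
        "dport": int(m.group("dport")),
    }


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per-source statistics: CONNECT count, CONNECTs to port 25, distinct targets."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"connects": 0, "smtp": 0, "targets": set()}
    )
    for line in lines:
        req = parse_connect(line)
        if req is None:
            continue  # bare probes and non-CONNECT traffic are not counted here
        s = stats[req["src"]]
        s["connects"] += 1
        s["targets"].add(req["target"])
        if req["dport"] == SMTP_PORT:
            s["smtp"] += 1
    return dict(stats)


def flag_spam_proxy_sources(stats: Dict[str, dict], min_smtp: int = 2) -> List[str]:
    """Sources that asked for at least `min_smtp` tunnels to port 25, busiest first.

    A client tunnelling to port 25 through an open proxy is relaying mail; a
    single request could be a capability test, so a small minimum is required.
    Ties are broken by the IP string so the output is stable.
    """
    hits = [(ip, s["smtp"]) for ip, s in stats.items() if s["smtp"] >= min_smtp]
    hits.sort(key=lambda t: (-t[1], t[0]))
    return [ip for ip, _ in hits]


def report(stats: Dict[str, dict]) -> List[str]:
    """CSV rows in the same shape as the per-IP tally posted in the thread."""
    rows = ["SourceIP,Connects,ToPort25,DistinctTargets"]
    for ip in sorted(stats, key=lambda i: (-stats[i]["connects"], i)):
        s = stats[ip]
        rows.append(f"{ip},{s['connects']},{s['smtp']},{len(s['targets'])}")
    return rows


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print("\n".join(report(summary)))
    print("likely spam relays:", ", ".join(flag_spam_proxy_sources(summary)))
```

Feed it the capture from the thread (one line per request) and the ranking reproduces the picture the posters describe: a few sources, each hammering many distinct port-25 targets, which is the signature of a spam run through an open proxy rather than a scan. SYN-only hits on the closed port carry no request line and are deliberately not counted here; those belong to a firewall-log tally like the one in the last post.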