RST scans!

Wednesday, September 2, 2009
A few days ago I checked the logs of my router. This is what I found:

[DoS Attack: RST Scan] from source: 67.241.89.5, port 55914, Friday, August 28,2009 02:13:35
[DoS Attack: RST Scan] from source: 68.175.34.113, port 58928, Friday, August 28,2009 01:55:51
[DoS Attack: RST Scan] from source: 70.88.37.229, port 5900, Friday, August 28,2009 01:55:39
[DoS Attack: RST Scan] from source: 70.88.37.229, port 3283, Friday, August 28,2009 01:54:27
[DoS Attack: RST Scan] from source: 67.241.89.5, port 53102, Friday, August 28,2009 01:42:11
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:26:18
[DoS Attack: RST Scan] from source: 207.68.225.83, port 2121, Friday, August 28,2009 01:26:16
[DoS Attack: RST Scan] from source: 207.68.225.83, port 5560, Friday, August 28,2009 01:26:08
[DoS Attack: RST Scan] from source: 207.68.225.83, port 1580, Friday, August 28,2009 01:26:04
[DoS Attack: RST Scan] from source: 77.97.181.176, port 8080, Friday, August 28,2009 01:25:58
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:25:54
[DoS Attack: RST Scan] from source: 207.68.225.83, port 1151, Friday, August 28,2009 01:25:48
[DoS Attack: RST Scan] from source: 207.68.225.83, port 50001, Friday, August 28,2009 01:25:44
[DoS Attack: RST Scan] from source: 207.68.225.83, port 143, Friday, August 28,2009 01:25:40
[DoS Attack: RST Scan] from source: 207.68.225.83, port 5987, Friday, August 28,2009 01:25:36
[DoS Attack: RST Scan] from source: 207.68.225.83, port 2190, Friday, August 28,2009 01:25:28
[DoS Attack: RST Scan] from source: 77.97.181.176, port 8080, Friday, August 28,2009 01:25:26
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:25:26
[DoS Attack: RST Scan] from source: 77.97.181.176, port 8080, Friday, August 28,2009 01:25:22
[DoS Attack: RST Scan] from source: 207.68.225.83, port 9877, Friday, August 28,2009 01:25:04
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:24:58
[DoS Attack: RST Scan] from source: 207.68.225.83, port 34572, Friday, August 28,2009 01:24:56
[DoS Attack: RST Scan] from source: 207.68.225.83, port 5633, Friday, August 28,2009 01:24:52
[DoS Attack: RST Scan] from source: 77.97.181.176, port 8080, Friday, August 28,2009 01:24:38
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:24:35
[DoS Attack: RST Scan] from source: 207.68.225.83, port 13456, Friday, August 28,2009 01:24:32
[DoS Attack: RST Scan] from source: 207.68.225.83, port 1093, Friday, August 28,2009 01:24:20
[DoS Attack: RST Scan] from source: 207.68.225.83, port 1461, Friday, August 28,2009 01:24:16
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:24:15
[DoS Attack: RST Scan] from source: 207.68.225.83, port 7, Friday, August 28,2009 01:24:04
[DoS Attack: RST Scan] from source: 207.68.225.83, port 6059, Friday, August 28,2009 01:24:00
[DoS Attack: RST Scan] from source: 207.68.225.83, port 14441, Friday, August 28,2009 01:23:52
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:23:51
[DoS Attack: RST Scan] from source: 207.68.225.83, port 1049, Friday, August 28,2009 01:23:48
[DoS Attack: RST Scan] from source: 77.97.181.176, port 8080, Friday, August 28,2009 01:23:18
[DoS Attack: RST Scan] from source: 207.68.225.83, port 44443, Friday, August 28,2009 01:23:16
[DoS Attack: RST Scan] from source: 77.97.181.176, port 8080, Friday, August 28,2009 01:23:14
[DoS Attack: RST Scan] from source: 207.68.225.83, port 44443, Friday, August 28,2009 01:23:12
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:23:02
[DoS Attack: RST Scan] from source: 207.68.225.83, port 1248, Friday, August 28,2009 01:22:56
[DoS Attack: RST Scan] from source: 207.68.225.83, port 50636, Friday, August 28,2009 01:22:52
[DoS Attack: RST Scan] from source: 207.68.225.83, port 2107, Friday, August 28,2009 01:22:44
[DoS Attack: RST Scan] from source: 77.97.181.176, port 8080, Friday, August 28,2009 01:22:38
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:22:34
[DoS Attack: RST Scan] from source: 207.68.225.83, port 16012, Friday, August 28,2009 01:22:24
[DoS Attack: RST Scan] from source: 207.68.225.83, port 617, Friday, August 28,2009 01:22:20
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:22:14
[DoS Attack: RST Scan] from source: 207.68.225.83, port 10003, Friday, August 28,2009 01:22:04
[DoS Attack: RST Scan] from source: 207.68.225.83, port 9415, Friday, August 28,2009 01:22:04
[DoS Attack: RST Scan] from source: 207.68.225.83, port 1719, Friday, August 28,2009 01:21:56
[DoS Attack: RST Scan] from source: 77.97.181.176, port 8080, Friday, August 28,2009 01:21:54
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:21:46
[DoS Attack: RST Scan] from source: 207.68.225.83, port 4343, Friday, August 28,2009 01:21:40
[DoS Attack: RST Scan] from source: 77.97.181.176, port 8080, Friday, August 28,2009 01:21:38
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:21:30
[DoS Attack: RST Scan] from source: 207.68.225.83, port 5802, Friday, August 28,2009 01:21:24
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:21:18
[DoS Attack: RST Scan] from source: 207.68.225.83, port 9050, Friday, August 28,2009 01:21:16
[DoS Attack: RST Scan] from source: 70.88.37.229, port 5800, Friday, August 28,2009 01:21:11
[DoS Attack: RST Scan] from source: 77.97.181.176, port 8080, Friday, August 28,2009 01:21:06
[DoS Attack: RST Scan] from source: 207.68.225.83, port 28201, Friday, August 28,2009 01:21:04
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:20:50
[DoS Attack: RST Scan] from source: 207.68.225.83, port 9000, Friday, August 28,2009 01:20:44
[DoS Attack: RST Scan] from source: 77.97.181.176, port 8080, Friday, August 28,2009 01:20:42
[DoS Attack: RST Scan] from source: 207.68.225.83, port 1301, Friday, August 28,2009 01:20:40
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:20:30
[DoS Attack: RST Scan] from source: 77.97.181.176, port 8080, Friday, August 28,2009 01:20:18
[DoS Attack: RST Scan] from source: 207.68.225.83, port 8652, Friday, August 28,2009 01:20:16
[DoS Attack: RST Scan] from source: 207.68.225.83, port 32779, Friday, August 28,2009 01:20:04
[DoS Attack: RST Scan] from source: 173.29.217.194, port 49156, Friday, August 28,2009 01:19:58
[DoS Attack: RST Scan] from source: 207.68.225.83, port 6510, Friday, August 28,2009 01:19:56
[DoS Attack: RST Scan] from source: 207.68.225.83, port 1070, Friday, August 28,2009 01:19:48

Now I am not really sure what to make of all of this. What surprised me was that there were so many different IP addresses but all of them were using the same kind of an attack. So I decided to do a bit of investigating and I port scanned some of these addresses. Soon I came across what seemed to me to be a honeypot. The results of the port scanned I have pasted below:

@services=1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,
119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,
389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,
563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,
777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,
1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,
1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,
1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,
1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,
1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,
1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,
2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,
2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,
2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,
2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,
3011,3013,3017,3030-3031,3050,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,
3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,
3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,
3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,
4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,
5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,
5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,
5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,
5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,
6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,
6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,
7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,
8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,
8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,
8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,
9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,
9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,
10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,
13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,
16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,
20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,
27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,
34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,
49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,
52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,
60443,61532,61900,62078,63331,64623,64680,65000,65129,65389

Almost every imagianable port is open. I mean that has to be a honeypot. It can not be any thing else. If I was more specific this looks to me a lot like the windows opensource honeypot which I my self experimented with on many a occasion. It opens over a thousand ports. So I would say that this machine is running some version of windows on it with the honeypot. There is probablly some firewall behind it so there is not point in going any further because I am sure it is very secure. So I did the only thing that I could. I reported the IP address on a website. Which proves that there is a bit of a white hat hacker in me. If these actions translate into white hat hacker acts I do not know but I do not like script kiddies that dose and stuff like that. It is all very lame.

2 comments:

Anonymous said...

Or... you download torrents and have a stupid router that thinks a bunch of people connecting to you = attack.

And your "honeypot" could be a seedbox.

lyecdevf said...

I would not say so. The routers firmware was pretty good and so was the router it self.