Observing a Full Internet Portscan over time – From Russia with Love (or Exploit)

Hello,

recently there was a Internet Census that went trough the media:

http://internetcensus2012.github.com/InternetCensus2012/paper.html

I found this really intresting and wonder:

  • What will happen with the data produced by this study?
  • How many botnets will appear because auf the simple fact that it is now public knowledge how easy it is to find 400.000 open shells with nmap?
  • Will the publicity even work in favor of security and bring up the “overall security of the Internet” a notch?

In February we wittnessed an ongoing scan of the entire public IP Adress space ourselves:

The company where I work has, like most global companies, a Wide-Area-Network that connects several countries arround the world. We also have a lot of Internet Connections (Main broadband connections and smaller SoHo uplinks) which are spread widely through the public IP Adress space.

So in february our IPS alerted on a Portscan from an russian IP: 78.138.161.1xx (anonymized to save myself from script-kiddy retaliation or privacy lawsuite-whatsoever).

As I kept track of this event I notice the same IP scanning another Location connected to our WAN. So upon investigating futher it was clear that this IP is scanning the entire Public IP Address space slowly. Up to now we could witness portscans (at least common ports, including high-ports) in the following IP adress ranges:

March 22nd: 83.246.x.y
March 15th: 81.210.x.y
March 12th: 79.206.x.y
March 8th: 77.21.x.y
March 7th: 76.14.x.y
March 7th: 74.202.x.y
February 20th: 66.162.x.y
February 15th: 62.157.x.y

Additionally they seem to be after RDP Ports specifically lately as I witnessed scans to on tcp 3389 lately:

March 21st: 217.6.x.y
March 21st: 194.176.x.y
March 21st: 81.14.x.y
March 21st: 79.206.x.y
March 21st: 77.21.x.y
March 21st: 62.157.x.y
March 20th: 83.246.x.y

So why am I writing about this?

I dont have anything against portscanning for constructive purposes (reasearch, knowledge) however based on the fact that the source country  is russia, which is known for heavy internet criminality, and the type of scans I suspect the results of this scan will serve illegal purposes.

Maybe the scan results are sold in “hacker boards” next to CC Data or other informations. Or they use the results to deploy a botnet.

Or maybe this is just a single person who discovered nessus for the first time and got curious.

I dont know what the reason for this scan is but it is the first scan of this kind I was able to track in our Fireall-/IPS-Logs. So I will continue to monitor this IP Adress from time to time to see if the Portscans change and watch for targeted attacks from this IP Adress.

Probably we will not see the later simply because even a script kiddy wouldnt shit where he (it?) eats and would not compromise his scanner (data supply). But then again, maybe nobody cares about such things in russia, or he just doesnt care and will do it anyways.

I will write a follow up post if I see anything new happening or observe a change of tactic in the scanning patterns.

Feel free to leave a comment if you know more about this IP / Portscan. I can also send you the uncensored IP Adress via email if you like to search you logs for it.

Regards
Sebastian

Advertisements

About SebastianB

read it in my blog
This entry was posted in miscellaneous and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s