Odd Activity in Argus Logs

Checking my Argus logs this morning, I noticed a few odd scans. The first is to port 2 TCP, which according to the Internet Storm Center is becoming popular:


16 Jun 03 03:12:08 tcp 24.96.49.46.4396 -> my_IP.2 TIM
23 Jun 03 07:59:05 tcp 220.120.31.233.4900 -> my_IP.2 TIM


I'm also seeing scans to port 57 TCP, which has history dating to Oct 02 and Nov 02 and is a signature of a tool called FX-Scanner (analysis). Apparently port 57 is used as a host discovery mechanism. Here are three examples.


First, recon for port 1433 TCP:


12 Jun 03 18:22:17 tcp 161.53.40.97.4464 -> my_IP.57 TIM
12 Jun 03 18:22:17 icmp 161.53.40.97 <-> my_IP ECO
12 Jun 03 18:23:04 tcp 161.53.40.97.1217 -> my_IP.1433 TIM
12 Jun 03 18:25:08 tcp 161.53.42.46.2036 -> my_IP.57 TIM
12 Jun 03 18:25:08 icmp 161.53.42.46 <-> my_IP.55 ECO
12 Jun 03 18:25:55 tcp 161.53.42.46.3590 -> my_IP.1433 TIM


Next, recon for ports 80 and 21 TCP:


18 Jun 03 15:02:53 tcp 67.116.81.237.3836 -> my_IP.80 TIM
18 Jun 03 15:03:14 tcp 67.116.81.237.4067 -> my_IP.57 TIM
18 Jun 03 15:02:53 icmp 67.116.81.237 <-> my_IP ECO
18 Jun 03 15:03:35 tcp 67.116.81.237.4325 -> my_IP.21 TIM


Third, recon for ports 1433 and 445 TCP:


19 Jun 03 11:35:14 tcp 4.40.163.36.1951 -> my_IP.57 TIM
19 Jun 03 11:35:38 tcp 4.40.163.36.1725 -> my_IP.1433 TIM
19 Jun 03 11:35:13 icmp 4.40.163.36 <-> my_IP ECO
19 Jun 03 11:37:50 tcp 4.40.163.36.2221 -> my_IP.445 TIM


I'm also seeing recon for 3410 TCP. This has only picked up in the last few days. It appears to be associated with the Backdoor.OptixPro.13:


18 Jun 03 01:03:52 tcp 68.120.129.51.4730 -> my_IP.3410 TIM
19 Jun 03 08:30:49 tcp 207.190.78.253.1414 -> my_IP.3410 TIM
19 Jun 03 17:27:04 tcp 68.113.237.250.2200 -> my_IP.3410 TIM
22 Jun 03 15:27:27 tcp 12.247.109.85.1055 -> my_IP.3410 TIM
26 Jun 03 19:25:01 tcp 68.41.93.143.3327 -> my_IP.3410 TIM
29 Jun 03 11:13:00 tcp 68.169.152.189.3554 -> my_IP.3410 TIM
29 Jun 03 12:09:59 tcp 68.61.193.97.1707 -> my_IP.3410 TIM
29 Jun 03 12:40:17 tcp 68.78.131.6.1730 -> my_IP.3410 TIM
30 Jun 03 00:56:29 tcp 64.83.224.72.2246 -> my_IP.3410 TIM
30 Jun 03 02:38:13 tcp 217.231.192.242.4191 -> my_IP.3410 TIM
30 Jun 03 03:29:07 tcp 65.30.207.110.2940 -> my_IP.3410 TIM
30 Jun 03 04:02:53 tcp 24.126.135.126.1500 -> my_IP.3410 TIM
30 Jun 03 04:51:57 tcp 24.79.19.59.1319 -> my_IP.3410 TIM
30 Jun 03 05:30:51 tcp 81.103.33.198.1395 -> my_IP.3410 TIM
30 Jun 03 07:53:05 tcp 68.12.239.185.4690 -> my_IP.3410 TIM

Comments

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics