Request for info - Scan and webmail
Last Updated: 2009-01-30 22:38:49 UTC
by Mark Hofman (Version: 1)
Two readers brought something interesting to our attention and we're asking if you have some info that may help us determine what is happening.
Port scan sourcing from ports: [1-9]345
A reader noticed that the scans hitting his network have something in common: the source ports are all four digits long and end in 345. The target IP addresses and destination ports appear random. If you have logs showing the same characteristics, we'd be interested in taking a peek. Of course, if you happen to know off the top of your head what tool might be generating these, that would be good to know as well. The source IPs are predominantly in China, but US IP addresses are starting to show up as well.
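As an added illustration (not part of the diary), a small Python filter that picks out sources matching the shape described above from iptables-style firewall log lines: every connection from the source uses a four-digit source port ending in 345 while the destination IPs or ports vary. The log format, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified iptables-style format (not real logs).
SAMPLE_LOG = """\
Jan 30 21:02:11 fw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=1345 DPT=8080
Jan 30 21:02:12 fw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.22 PROTO=TCP SPT=4345 DPT=445
Jan 30 21:02:14 fw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.9 PROTO=TCP SPT=9345 DPT=3389
Jan 30 21:02:15 fw kernel: IN=eth0 SRC=192.0.2.55 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=443
Jan 30 21:02:16 fw kernel: IN=eth0 SRC=192.0.2.55 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=443
Jan 30 21:02:18 fw kernel: IN=eth0 SRC=192.0.2.80 DST=198.51.100.7 PROTO=TCP SPT=2345 DPT=80
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
# Four-digit source port whose last three digits are 345 ([1-9]345).
SPT_PATTERN = re.compile(r"^[1-9]345$")


def parse_log(text):
    """Yield (src, dst, sport, dport) tuples from lines matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["spt"], m["dpt"]


def find_pattern_scanners(text, min_hits=3):
    """Return {src: summary} for sources where every logged connection used a [1-9]345
    source port and more than one destination IP or port was touched (the scan shape)."""
    per_src = defaultdict(
        lambda: {"total": 0, "matching": 0, "dsts": set(), "dports": set()}
    )
    for src, dst, spt, dpt in parse_log(text):
        rec = per_src[src]
        rec["total"] += 1
        if SPT_PATTERN.match(spt):
            rec["matching"] += 1
        rec["dsts"].add(dst)
        rec["dports"].add(dpt)
    flagged = {}
    for src, rec in per_src.items():
        all_match = rec["matching"] >= min_hits and rec["matching"] == rec["total"]
        spread = len(rec["dsts"]) > 1 or len(rec["dports"]) > 1
        if all_match and spread:
            flagged[src] = {"hits": rec["matching"], "dst_ips": len(rec["dsts"]),
                            "dst_ports": len(rec["dports"])}
    return flagged


if __name__ == "__main__":
    for src, info in find_pattern_scanners(SAMPLE_LOG).items():
        print(src, info)
```

Only 203.0.113.10 is reported from the sample: 192.0.2.55 never uses a matching port, and 192.0.2.80 has a single matching connection to a single destination, which a legitimate client could produce by chance.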
Brute forcing webmail passwords and then sending spam through those webmail accounts is nothing new. One reader, however, noticed that in their network the volume of messages sent through one account was very high, suggesting that it may have been automated. Again, if you have some logs we'd be interested in taking a look. (The logs I'm looking for are not of the brute force attack, but the web/mail log of the account being used to send mail.) The source IPs of the few examples I've seen are IP addresses in Nigeria.
Mark H - Shearwater