Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: CSAM Some more unusual scans - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
CSAM Some more unusual scans

Most of us who regularly look at firewall and other logs get to know the usual targets, 22, 5900, 5060, etc.  Most of the time these are fairly obvious and self explanetory.  However on occasion you do see some that are a bit more unusual.  For example this morning a scan was detected along these lines: 

src                             Dest IP                       dport   -->         1723 (pptp)   -->         1723 (pptp)   -->         1723 (pptp)   -->         1723 (pptp)   -->       1723 (pptp)   -->       1723 (pptp)

A port scan looking for PPTP VPN connections, not something you see every day. The next step when a connection is made? not sure,  if you have any packets or logs you can share relating to this that would be much appreciated.  

Another scan picked up was a brute force password guessing attempt with a small change:

Sep 17 13:38:32 zprd sshd[83594]: Invalid user ant from
Sep 17 13:38:36 zprd sshd[83598]: Invalid user office from
Sep 17 13:38:39 zprd sshd[83601]: Invalid user pc from
Sep 17 13:38:43 zprd sshd[83604]: Invalid user bureau from
Sep 17 13:38:46 zprd sshd[83607]: Invalid user jasmin from
Sep 17 13:38:50 zprd sshd[83612]: Invalid user laura from
Sep 17 13:38:53 zprd sshd[83615]: Invalid user david from
Sep 17 13:38:57 zprd sshd[83618]: Invalid user david from
Sep 17 13:39:00 zprd sshd[83621]: Invalid user scanner from
Sep 17 13:39:04 zprd sshd[83624]: Invalid user webmaster from

Instead of guessing the same userid with many passwords, they are guessing one password with many different userids.  Works more often than you would think and also stays below the lockout threshold.   We saw this about April-May last year, but it looks like it is still going strong. 

Enjoy digging. 




392 Posts
ISC Handler
Oct 11th 2013
I have been seeing this 1-pw-many-users thing pretty much constantly for years.

133 Posts
I have over the last 3 - 4 months seen attempts to brute force PPTP accounts. Many different usernames and I assume the same password as the attempts rarely lock an account out.

69 Posts
This is what I have been receiving about once a day on my router:

Nov 30 00:53:23 pptpd[6174]: CTRL: Client control connection started
Nov 30 00:53:23 pptpd[6174]: CTRL: EOF or bad error reading ctrl packet length.
Nov 30 00:53:23 pptpd[6174]: CTRL: couldn't read packet header (exit)
Nov 30 00:53:23 pptpd[6174]: CTRL: CTRL read failed
Nov 30 00:53:23 pptpd[6174]: CTRL: Client control connection finished
1 Posts

Sign Up for Free or Log In to start participating in the conversation!