Ticket #435 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

UFL Aug 12, 2015

Reported by: ibaldin
Owned by: ibaldin
Priority: major
Milestone:
Component: External: Security Incidents
Version: baseline
Keywords:
Cc:

Description

UF's IDS noticed what looks like RDP scanning coming from 128.227.10.125 and .126, which are public IP addresses allocated to VMs in ExoGENI.

If this is expected that's fine, just let me know and if you're planning on generating any more similar traffic so I can get it excluded properly. If this is not expected, please follow up to make sure the hosts are not compromised.

The hosts are not currently blocked but likely UFITSEC will block them in a day or so if I don't respond to them.

Thanks!

Matthew Collins
IT Expert - Systems Programmer & Administrator
Advanced Computing and Information Systems Lab, ECE
University of Florida
352-392-5414

Here's what the IDS saw for .126 (.125 is similar):

Event Summary:

ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection

(Outbound)

Event Count First Seen Last Seen
----------- -------------------- --------------------
8 2015-08-12 01:11:15 2015-08-12 02:00:05

Potential RDP scan

Event Count First Seen Last Seen
----------- -------------------- --------------------
432772 2015-08-12 01:11:15 2015-08-12 02:02:35

--------------- Primary Events ----------------

Potential RDP scan
-------------------------------------------------------------------------------------
128.227.10.126 : 36555 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:11:15 | crnsens.infosec.ufl.edu:eth4.8
-------------------------------------------------------------------------------------

0x020x040x050xb40x010x010x040x020x000x000x000x000x000x000x000x00l0xa20xc10x990x840xac0x00P0x840xac0x8b0x000x000x000x00XB0xff0xff0xc50xbb0x000x000x020x040x050xb4Q0x0f0x000x000x8820xcd0x08

Potential RDP scan
-------------------------------------------------------------------------------------
128.227.10.126 : 26340 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:11:15 | crnsens.infosec.ufl.edu:eth4.8
-------------------------------------------------------------------------------------

0x020x040x050xb40x010x010x040x020x000x000x000x000x000x000x000x00l0xa20xc10x990x840xac0x00P0x840xac0x8b0x000x000x000x00XB0xff0xff0xc50xbb0x000x000x020x040x050xb4Q0x0f0x000x000x8820xcd0x08

ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection

(Outbound)

-------------------------------------------------------------------------------------
128.227.10.126 : 41867 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:18:16 | crnsens.infosec.ufl.edu:eth4.8
-------------------------------------------------------------------------------------

0x020x040x050xb40x010x010x040x020x94"K|0x000x000x000x00P0x020xff0xff+0xfb0x000x000x020x040x050xb40x010x010x040x020x000x000x000x000x000x000x000x000x800x000x000x000x900x000x000x000x0f0x000x000x00

ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection

(Outbound)

-------------------------------------------------------------------------------------
128.227.10.126 : 32192 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:25:16 | crnsens.infosec.ufl.edu:eth4.8
-------------------------------------------------------------------------------------

0x020x040x050xb40x010x010x040x020x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x00

ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection

(Outbound)

-------------------------------------------------------------------------------------
128.227.10.126 : 61358 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:32:16 | crnsens.infosec.ufl.edu:eth4.8
-------------------------------------------------------------------------------------

0x020x040x050xb40x010x010x040x020x870xcb0x8eI0x000x000x000x00P0x020xff0xff0xa6%0x000x000x020x040x050xb4`; 0x080x000x000x000x00)0x000x000x000xf0J 0x080xf0J 0x080x000x000x000x00

--------------- All Events (max 20) -----------------

ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection

(Outbound)

-------------------------------------------------------------------------------------
128.227.10.126 : 38146 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:11:15 | crnsens.infosec.ufl.edu:eth4.8
-------------------------------------------------------------------------------------

0x020x040x050xb40x010x010x040x020x000x000x000x000x000x000x000x00l0xa20xc10x990x840xac0x00P0x840xac0x8b0x000x000x000x00XB0xff0xff0xc50xbb0x000x000x020x040x050xb4Q0x0f0x000x000x8820xcd0x08

Potential RDP scan
-------------------------------------------------------------------------------------
128.227.10.126 : 17615 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:11:15 | crnsens.infosec.ufl.edu:eth4.8
-------------------------------------------------------------------------------------

0x020x040x050xb40x010x010x040x020x000x000x000x000x000x000x000x00l0xa20xc10x990x840xac0x00P0x840xac0x8b0x000x000x000x00XB0xff0xff0xc50xbb0x000x000x020x040x050xb4Q0x0f0x000x000x8820xcd0x08

Potential RDP scan
-------------------------------------------------------------------------------------
128.227.10.126 : 15767 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:11:15 | crnsens.infosec.ufl.edu:eth4.8
-------------------------------------------------------------------------------------

0x020x040x050xb40x010x010x040x020x000x000x000x000x000x000x000x00l0xa20xc10x990x840xac0x00P0x840xac0x8b0x000x000x000x00XB0xff0xff0xc50xbb0x000x000x020x040x050xb4Q0x0f0x000x000x8820xcd0x08

Potential RDP scan
-------------------------------------------------------------------------------------
128.227.10.126 : 36555 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:11:15 | crnsens.infosec.ufl.edu:eth4.8
-------------------------------------------------------------------------------------

0x020x040x050xb40x010x010x040x020x000x000x000x000x000x000x000x00l0xa20xc10x990x840xac0x00P0x840xac0x8b0x000x000x000x00XB0xff0xff0xc50xbb0x000x000x020x040x050xb4Q0x0f0x000x000x8820xcd0x08

Potential RDP scan
-------------------------------------------------------------------------------------
128.227.10.126 : 26340 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:11:15 | crnsens.infosec.ufl.edu:eth4.8
-------------------------------------------------------------------------------------

0x020x040x050xb40x010x010x040x020x000x000x000x000x000x000x000x00l0xa20xc10x990x840xac0x00P0x840xac0x8b0x000x000x000x00XB0xff0xff0xc50xbb0x000x000x020x040x050xb4Q0x0f0x000x000x8820xcd0x08

ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection

(Outbound)

-------------------------------------------------------------------------------------
128.227.10.126 : 41867 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:18:16 | crnsens.infosec.ufl.edu:eth4.8
-------------------------------------------------------------------------------------

0x020x040x050xb40x010x010x040x020x94"K|0x000x000x000x00P0x020xff0xff+0xfb0x000x000x020x040x050xb40x010x010x040x020x000x000x000x000x000x000x000x000x800x000x000x000x900x000x000x000x0f0x000x000x00

ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection

(Outbound)

-------------------------------------------------------------------------------------
128.227.10.126 : 32192 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:25:16 | crnsens.infosec.ufl.edu:eth4.8
-------------------------------------------------------------------------------------

0x020x040x050xb40x010x010x040x020x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x000x00

ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection

(Outbound)

-------------------------------------------------------------------------------------
128.227.10.126 : 61358 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:32:16 | crnsens.infosec.ufl.edu:eth4.8
-------------------------------------------------------------------------------------

0x020x040x050xb40x010x010x040x020x870xcb0x8eI0x000x000x000x00P0x020xff0xff0xa6%0x000x000x020x040x050xb4`; 0x080x000x000x000x00)0x000x000x000xf0J 0x080xf0J 0x080x000x000x000x00
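What the sensor excerpt above does and does not show, as an added triage script (my example, not part of the ticket, of UF's IDS tooling, or of ExoGENI). It parses the event lines in the wrapped two-line form the ticket prints them, decodes the sensor's payload rendering (a non-printable byte as 0xNN, a printable one as the character itself; that reading of the dump is an assumption) and interprets the leading bytes as TCP options. On the first captured payload those come out as MSS 1460, NOP, NOP, SACK permitted, i.e. the option block of a bare SYN rather than any RDP protocol data. It also takes the rate from the "Potential RDP scan" summary table (432772 events between 01:11:15 and 02:02:35, about 140 per second) and checks whether the listed events fan out to many hosts or hit one: every line in the excerpt goes to 59.56.97.89:3389, so the function reports a single-target pattern. The excerpt is only the top 20 events, so the full set may look different; the ticket does not say.

```python
"""Triage of the ET SCAN / Potential RDP scan excerpt above (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: five event lines copied from the sensor dump, in the wrapped
# two-line form the ticket prints (timestamp and sensor on the second line).
SAMPLE_EVENTS = """
128.227.10.126 : 36555 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:11:15 | crnsens.infosec.ufl.edu:eth4.8
128.227.10.126 : 26340 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:11:15 | crnsens.infosec.ufl.edu:eth4.8
128.227.10.126 : 41867 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:18:16 | crnsens.infosec.ufl.edu:eth4.8
128.227.10.126 : 32192 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:25:16 | crnsens.infosec.ufl.edu:eth4.8
128.227.10.126 : 61358 | 59.56.97.89 : 3389 | tcp |
2015-08-12.01:32:16 | crnsens.infosec.ufl.edu:eth4.8
"""
# Constructed sample: the first captured payload, with the sensor's line wraps removed.
SAMPLE_PAYLOAD = ("0x020x040x050xb40x010x010x040x020x000x000x000x000x000x000x000x00"
                  "l0xa20xc10x990x840xac0x00P0x840xac0x8b0x000x000x000x00XB0xff0xff"
                  "0xc50xbb0x000x000x020x040x050xb4Q0x0f0x000x000x8820xcd0x08")
# Totals from the "Potential RDP scan" summary table in the ticket.
TOTAL_EVENTS, FIRST_SEEN, LAST_SEEN = 432772, "2015-08-12 01:11:15", "2015-08-12 02:02:35"

EVENT_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s*:\s*(?P<sport>\d+)\s*\|\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s*:\s*(?P<dport>\d+)\s*\|\s*(?P<proto>\w+)\s*\|\s*"
    r"(?P<ts>\d{4}-\d\d-\d\d\.\d\d:\d\d:\d\d)\s*\|\s*(?P<sensor>\S+)")

def parse_events(text):
    """One dict per event; the whitespace classes in the regex absorb the line wrap."""
    events = []
    for m in EVENT_RE.finditer(text):
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d.%H:%M:%S")
        events.append(e)
    return events

# Assumed rendering of the dump: a non-printable byte appears as 0xNN, a printable
# one as the character itself (so "P" is 0x50 and "2" is 0x32).
TOKEN_RE = re.compile(r"0x[0-9a-fA-F]{2}|.", re.S)

def decode_payload(s):
    return bytes(int(t[2:], 16) if len(t) == 4 else ord(t) for t in TOKEN_RE.findall(s))

OPTION_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACK_PERM", 8: "TIMESTAMP"}

def decode_tcp_options(b):
    """Read the leading bytes as TCP options (kind, length, data); stop at EOL,
    at an unknown kind, or at a length that runs past the buffer."""
    opts, i = [], 0
    while i < len(b):
        kind = b[i]
        if kind == 0:
            opts.append(("EOL", None))
            break
        if kind == 1:
            opts.append(("NOP", None))
            i += 1
            continue
        if kind not in OPTION_NAMES or i + 1 >= len(b):
            opts.append(("UNKNOWN", kind))
            break
        length = b[i + 1]
        if length < 2 or i + length > len(b):
            opts.append(("MALFORMED", kind))
            break
        data = b[i + 2:i + length]
        opts.append((OPTION_NAMES[kind], int.from_bytes(data, "big") if kind in (2, 3) else None))
        i += length
    return opts

def triage(events, total_count, first_seen, last_seen):
    """Rate from the summary table plus fan-out from the listed events: one
    destination with many client ports is a single-target pattern (flood or
    brute force), one destination port across many hosts is a horizontal scan."""
    fmt = "%Y-%m-%d %H:%M:%S"
    span = (datetime.strptime(last_seen, fmt) - datetime.strptime(first_seen, fmt)).total_seconds()
    dsts = Counter(e["dst"] for e in events)
    sports = {e["sport"] for e in events}
    dports = {e["dport"] for e in events}
    if len(dsts) == 1 and len(sports) > 1:
        pattern = "single-target"
    elif len(dsts) > 1 and len(dports) == 1:
        pattern = "horizontal-scan"
    else:
        pattern = "mixed"
    return {"events_per_sec": total_count / span if span else float("inf"),
            "distinct_dst": len(dsts), "distinct_sport": len(sports),
            "dst_ports": sorted(dports), "pattern": pattern}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(decode_tcp_options(decode_payload(SAMPLE_PAYLOAD)))
    print(triage(evs, TOTAL_EVENTS, FIRST_SEEN, LAST_SEEN))
```

The fan-out check is the one that decides the response: a horizontal sweep from a VM usually means a compromised or deliberately scanning guest, while one remote host taking 140 connections a second from rotating client ports is either an authorised test or a brute-force/flood tool, and both need the owner of the slice rather than an IDS exclusion.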

Change History

Changed 4 years ago by ibaldin

UFL assigned openstack range ends on .124

Changed 4 years ago by ibaldin

Slice id: UFL-agg 87f634af-3747-46e0-99f7-d918dcf87b0e on exo-sm

pequod:show>show reservations for 87f634af-3747-46e0-99f7-d918dcf87b0e actor exo-sm
78fdde52-5570-45e8-a0ad-4f58c1f4b292 exo-sm

Slice: 87f634af-3747-46e0-99f7-d918dcf87b0e
1 uflvmsite.baremetalce [ closed, nascent]
Notices: Reservation 78fdde52-5570-45e8-a0ad-4f58c1f4b292 (Slice UFL-agg) is in state [Closed,None]
Start: Sun Aug 02 00:07:30 EDT 2015 End: Wed Aug 12 00:07:31 EDT 2015 Requested end: Wed Aug 12 00:07:31 EDT 2015

aa478a9a-651b-44ce-85ba-efd1aed7056b exo-sm

Slice: 87f634af-3747-46e0-99f7-d918dcf87b0e
1 uflvmsite.lun [ closed, nascent]
Notices: Reservation aa478a9a-651b-44ce-85ba-efd1aed7056b (Slice UFL-agg) is in state [Closed,None]
Start: Sun Aug 02 00:07:30 EDT 2015 End: Wed Aug 12 00:07:31 EDT 2015 Requested end: Wed Aug 12 00:07:31 EDT 2015

c243bc71-b6da-435f-9844-6b54af207e02 exo-sm

Slice: 87f634af-3747-46e0-99f7-d918dcf87b0e
1 uflvmsite.vlan [ closed, nascent]
Notices: Reservation c243bc71-b6da-435f-9844-6b54af207e02 (Slice UFL-agg) is in state [Closed,None]
Start: Sun Aug 02 00:07:30 EDT 2015 End: Wed Aug 12 00:07:31 EDT 2015 Requested end: Wed Aug 12 00:07:31 EDT 2015

d3175fa3-f24c-494c-aece-f45eba0245de exo-sm

Slice: 87f634af-3747-46e0-99f7-d918dcf87b0e
1 uflvmsite.baremetalce [ closed, nascent]
Notices: Reservation d3175fa3-f24c-494c-aece-f45eba0245de (Slice UFL-agg) is in state [Closed,None]
Start: Sun Aug 02 00:07:30 EDT 2015 End: Wed Aug 12 00:07:31 EDT 2015 Requested end: Wed Aug 12 00:07:31 EDT 2015

dc339614-9fb6-4e94-9c0c-3cb736e3f384 exo-sm

Slice: 87f634af-3747-46e0-99f7-d918dcf87b0e
1 uflvmsite.lun [ closed, nascent]
Notices: Reservation dc339614-9fb6-4e94-9c0c-3cb736e3f384 (Slice UFL-agg) is in state [Closed,None]
Start: Sun Aug 02 00:07:30 EDT 2015 End: Wed Aug 12 00:07:31 EDT 2015 Requested end: Wed Aug 12 00:07:31 EDT 2015

Total: 5 reservations

Both IP addresses were on this slice:

pequod:show>show reservationProperties for current actor exo-sm type unit filter "128.227"
Reservation 78fdde52-5570-45e8-a0ad-4f58c1f4b292:
78fdde52-5570-45e8-a0ad-4f58c1f4b292
0 UNIT:

unit.manage.ip = 128.227.10.126
shirako.save.unit.manage.ip = 128.227.10.126

Reservation aa478a9a-651b-44ce-85ba-efd1aed7056b:
aa478a9a-651b-44ce-85ba-efd1aed7056b
0 UNIT:
Reservation c243bc71-b6da-435f-9844-6b54af207e02:
c243bc71-b6da-435f-9844-6b54af207e02
0 UNIT:
Reservation d3175fa3-f24c-494c-aece-f45eba0245de:
d3175fa3-f24c-494c-aece-f45eba0245de
0 UNIT:

unit.manage.ip = 128.227.10.125
shirako.save.unit.manage.ip = 128.227.10.125

Reservation dc339614-9fb6-4e94-9c0c-3cb736e3f384:
dc339614-9fb6-4e94-9c0c-3cb736e3f384
0 UNIT:

xmlrpc.user.dn = [sc7cq@…, urn:publicid:IDN+ch.geni.net+user+sc7cq, urn:uuid:79dc940c-3e33-4c97-a65e-35ee4fb1cf6c]
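The lookup walked through above (IP to reservation, reservation to resource type and slice, slice to user DN) as an added script over the same pequod output. This is my example, not part of ExoGENI, ORCA or pequod; the command output format is taken from the comment and nothing here calls pequod itself. It parses a trimmed copy of the two listings (the two bare-metal reservation blocks that carry the IPs, and the property dump without the lun entry), joins them, and also checks whether the lease was still active at the alert's first-seen time, assuming the sensor's timestamps and the reservation's EDT lease times are in the same local zone. On the ticket's own numbers the lease ended at 00:07:31 and the first alert is at 01:11:15, about an hour later; the ticket does not comment on that gap.

```python
"""Join pequod 'show reservations' and 'show reservationProperties' output (added example)."""
import re
from datetime import datetime

# Constructed sample: the two bare-metal reservation blocks from the comment above.
RESERVATIONS_TEXT = """
Slice: 87f634af-3747-46e0-99f7-d918dcf87b0e
1 uflvmsite.baremetalce [ closed, nascent]
Notices: Reservation 78fdde52-5570-45e8-a0ad-4f58c1f4b292 (Slice UFL-agg) is in state [Closed,None]
Start: Sun Aug 02 00:07:30 EDT 2015 End: Wed Aug 12 00:07:31 EDT 2015 Requested end: Wed Aug 12 00:07:31 EDT 2015

Slice: 87f634af-3747-46e0-99f7-d918dcf87b0e
1 uflvmsite.baremetalce [ closed, nascent]
Notices: Reservation d3175fa3-f24c-494c-aece-f45eba0245de (Slice UFL-agg) is in state [Closed,None]
Start: Sun Aug 02 00:07:30 EDT 2015 End: Wed Aug 12 00:07:31 EDT 2015 Requested end: Wed Aug 12 00:07:31 EDT 2015
"""
# Constructed sample: the property listing as printed with filter "128.227", minus the lun entry.
PROPERTIES_TEXT = """
Reservation 78fdde52-5570-45e8-a0ad-4f58c1f4b292:
78fdde52-5570-45e8-a0ad-4f58c1f4b292
0 UNIT:

unit.manage.ip = 128.227.10.126
shirako.save.unit.manage.ip = 128.227.10.126

Reservation d3175fa3-f24c-494c-aece-f45eba0245de:
d3175fa3-f24c-494c-aece-f45eba0245de
0 UNIT:

unit.manage.ip = 128.227.10.125
shirako.save.unit.manage.ip = 128.227.10.125

Reservation dc339614-9fb6-4e94-9c0c-3cb736e3f384:
dc339614-9fb6-4e94-9c0c-3cb736e3f384
0 UNIT:

xmlrpc.user.dn = [sc7cq@…, urn:publicid:IDN+ch.geni.net+user+sc7cq, urn:uuid:79dc940c-3e33-4c97-a65e-35ee4fb1cf6c]
"""
FIRST_ALERT = datetime(2015, 8, 12, 1, 11, 15)  # first-seen time from the IDS summary

RES_RE = re.compile(
    r"Slice:\s*(?P<slice>\S+)\s+\d+\s+(?P<resource>\S+)\s*\[\s*(?P<state>\w+),\s*\w+\s*\]\s+"
    r"Notices:\s*Reservation\s+(?P<rid>[0-9a-f-]{36})\s*\(Slice\s+(?P<slice_name>[^)]+)\)[^\n]*\n"
    r"\s*Start:\s*(?P<start>.+?)\s+End:\s*(?P<end>.+?)\s+Requested end:")

def parse_lease_time(s):
    """'Wed Aug 12 00:07:31 EDT 2015' -> naive datetime. The zone token is dropped
    because strptime's %Z only accepts UTC/GMT and the local zone's own names."""
    _dow, mon, day, clock, _tz, year = s.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")

def parse_reservations(text):
    """Map reservation id -> {slice, slice_name, resource, state, start, end}."""
    out = {}
    for m in RES_RE.finditer(text):
        d = m.groupdict()
        d["start"], d["end"] = parse_lease_time(d["start"]), parse_lease_time(d["end"])
        out[d.pop("rid")] = d
    return out

def parse_properties(text):
    """Map reservation id -> {property: value}; lines without '=' are ignored."""
    props, rid = {}, None
    for line in text.splitlines():
        m = re.match(r"Reservation ([0-9a-f-]{36}):$", line.strip())
        if m:
            rid = m.group(1)
            props[rid] = {}
        elif rid and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            props[rid][k] = v
    return props

def attribute(ip, reservations, props):
    """IP -> reservation, resource type, lease window, and every GENI user URN in
    the property dump (pequod prints the DN line once, not under each unit)."""
    rid = next((r for r, p in props.items() if p.get("unit.manage.ip") == ip), None)
    if rid is None or rid not in reservations:
        return None
    users = set()
    for p in props.values():
        users.update(re.findall(r"urn:publicid:IDN\+[^,\]\s]+", p.get("xmlrpc.user.dn", "")))
    return {"ip": ip, "reservation": rid, **reservations[rid], "users": sorted(users)}

def lease_active_at(entry, when):
    """True if 'when' falls inside the lease; assumes both are local (EDT) clock times."""
    return entry["start"] <= when <= entry["end"]

if __name__ == "__main__":
    res, props = parse_reservations(RESERVATIONS_TEXT), parse_properties(PROPERTIES_TEXT)
    for ip in ("128.227.10.125", "128.227.10.126"):
        hit = attribute(ip, res, props)
        print(ip, hit["reservation"], hit["resource"], hit["state"], hit["users"],
              "lease active at first alert:", lease_active_at(hit, FIRST_ALERT))
```

The lease check is the caveat worth carrying into the follow-up: if the reservation that owned the address had already closed when the traffic was seen, the question becomes whether the bare-metal node was actually reclaimed and re-imaged, or whether the address had been handed to something else, and the slice owner's DN alone does not settle that.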

Changed 4 years ago by ibaldin

  • status changed from new to closed
  • resolution set to fixed