Most of us who regularly look at firewall and other logs get to know the usual targets: 22, 5900, 5060, etc. Most of the time these are fairly obvious and self-explanatory. However, on occasion you do see some that are a bit more unusual. For example, this morning a scan was detected along these lines:
src IP             dest IP              dport
184.108.40.206 –>  2xx.xxx.xxx.67       1723 (pptp)
220.127.116.11 –>  2xx.xxx.xxx.83       1723 (pptp)
18.104.22.168  –>  2xx.xxx.xxx.96       1723 (pptp)
22.214.171.124 –>  2xx.xxx.xxx.23       1723 (pptp)
126.96.36.199  –>  2xx.xxx.xxx.114      1723 (pptp)
188.8.131.52   –>  2xx.xxx.xxx.200      1723 (pptp)
A port scan looking for PPTP VPN endpoints (TCP port 1723) is not something you see every day. What the next step is once a connection is made, I am not sure; if you have any packets or logs relating to this that you can share, that would be much appreciated.
Another scan picked up was a brute force password guessing attempt with a small change:
Sep 17 13:38:32 zprd sshd: Invalid user ant from 184.108.40.206
Sep 17 13:38:36 zprd sshd: Invalid user office from 220.127.116.11
Sep 17 13:38:39 zprd sshd: Invalid user pc from 18.104.22.168
Sep 17 13:38:43 zprd sshd: Invalid user bureau from 22.214.171.124
Sep 17 13:38:46 zprd sshd: Invalid user jasmin from 126.96.36.199
Sep 17 13:38:50 zprd sshd: Invalid user laura from 188.8.131.52
Sep 17 13:38:53 zprd sshd: Invalid user david from 184.108.40.206
Sep 17 13:38:57 zprd sshd: Invalid user david from 220.127.116.11
Sep 17 13:39:00 zprd sshd: Invalid user scanner from 18.104.22.168
Sep 17 13:39:04 zprd sshd: Invalid user webmaster from 22.214.171.124
Instead of guessing the same user ID with many passwords, they are guessing one password with many different user IDs. This works more often than you would think, and it also stays below the lockout threshold. We saw this about April-May last year, but it looks like it is still going strong.
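Why per-source lockout counters miss this pattern: the usernames are spread over six sources, so no single source ever exceeds a handful of failures. The added example below (not part of the ISC diary) parses the sshd lines quoted above and flags a window where many distinct user IDs are tried against the host while every source stays under the lockout threshold; the year is assumed, since syslog does not carry one.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: the ten sshd lines quoted in the post above.
SAMPLE_LOG = """\
Sep 17 13:38:32 zprd sshd: Invalid user ant from 184.108.40.206
Sep 17 13:38:36 zprd sshd: Invalid user office from 220.127.116.11
Sep 17 13:38:39 zprd sshd: Invalid user pc from 18.104.22.168
Sep 17 13:38:43 zprd sshd: Invalid user bureau from 22.214.171.124
Sep 17 13:38:46 zprd sshd: Invalid user jasmin from 126.96.36.199
Sep 17 13:38:50 zprd sshd: Invalid user laura from 188.8.131.52
Sep 17 13:38:53 zprd sshd: Invalid user david from 184.108.40.206
Sep 17 13:38:57 zprd sshd: Invalid user david from 220.127.116.11
Sep 17 13:39:00 zprd sshd: Invalid user scanner from 18.104.22.168
Sep 17 13:39:04 zprd sshd: Invalid user webmaster from 22.214.171.124
"""

# Matches the syslog form above; the optional [pid] covers the common "sshd[1234]:" variant.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd(?:\[\d+\])?: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)"
)

def parse_invalid_users(text, year=2024):
    """Return (timestamp, username, source_ip) tuples; the year is an assumption."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["src"]))
    return events

def detect_spray(events, window_seconds=120, min_distinct_users=5, lockout_threshold=5):
    """Return the first window in which many distinct usernames are tried against the host
    while no single source reaches the per-source lockout threshold (a counter keyed on
    source IP alone would stay silent on such a window). Returns None if nothing qualifies."""
    events = sorted(events)
    for i, (t0, _, _) in enumerate(events):
        window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_seconds]
        users = {u for _, u, _ in window}
        per_src = Counter(s for _, _, s in window)
        if len(users) >= min_distinct_users and max(per_src.values()) < lockout_threshold:
            return {"start": t0, "attempts": len(window), "distinct_users": len(users),
                    "distinct_sources": len(per_src), "max_per_source": max(per_src.values())}
    return None
```

Against the sample, every source makes at most two attempts, yet nine distinct user IDs are tried in 32 seconds, which is the signal to alert on.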
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.