System Use Cases helping you to detect attacks against your infrastructures. These System Use Cases are classified by Attacker Classes (Opportunists, Targeting Opportunists, Professional or State Funded). This classification is inspired by Thierry Zoller's work "Attacker Classes and Pyramid (Version 2)".
[Charts: destination port 500 events over 24 hours, 1 week, 1 month and 1 year; source ports repartition and source countries repartition for destination port 500]
[Charts: destination port 49153 events over 24 hours, 1 week, 1 month and 1 year; source ports repartition and source countries repartition for destination port 49153]
These patterns are related to Revolt Scanner, a web scanner specialized in discovering phpMyAdmin installations. Once the scanner is started, the source port stays static during the complete web directory discovery brute force. Also, this scanner only targets the IN A IP address of the domain it is asking for.
These scans are detected by the Emerging Threats Snort rules, more precisely SID 2009288 "WEB_SERVER Attack Tool Revolt Scanner".
You can find here the typical list of directories scanned by Revolt.
Below you can find the latest statistics for Revolt Agent activities.
[Charts: SIG 2009288 events over 1 month and 1 year; 1 month TOP 10 source IPs for SIG 2009288; TOP 20 source countries for SIG 2009288]
Like many other honeynets, we detected activities with static source port 6000 targeting the destination ports listed above.
Source port 6000/TCP is well known for scans targeting Microsoft SQL Server on 1433/TCP, but has evolved to also target Oracle on 1521/TCP.
For a few days now, source port 6000/TCP has been targeting new destination ports: 8000/TCP, 8080/TCP and 9090/TCP.
Most of the time these trends are revealed by firewall reporting, but an IDS configured to report activities on unused TCP or UDP ports could also trigger alerts. If you use the Emerging Threats "Known Compromised Hosts" and "Recommended Block List", correlating firewall activities with IDS signatures will give you a better overview of the attacker.
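As an added example (not code from the original page), here is a small Python detector for the static-source-port pattern described above for both the Revolt scanner and the 6000/TCP scans: it parses firewall log lines, flags a source that reuses one source port against several distinct destination/port pairs, and correlates the hits with a block list. The iptables-style log format, the IP addresses and the block list contents are constructed assumptions standing in for real firewall output and the Emerging Threats lists.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (iptables-style); not from a real capture.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=1433
Jan 10 10:00:02 fw kernel: SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=6000 DPT=1521
Jan 10 10:00:03 fw kernel: SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=6000 DPT=8080
Jan 10 10:00:04 fw kernel: SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=6000 DPT=9090
Jan 10 10:00:05 fw kernel: SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443
Jan 10 10:00:06 fw kernel: SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=443
Jan 10 10:00:07 fw kernel: SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44444 DPT=80
Jan 10 10:00:08 fw kernel: SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44444 DPT=80
Jan 10 10:00:09 fw kernel: SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=44444 DPT=80
"""

# Constructed block list, a stand-in for the Emerging Threats lists (assumption).
BLOCK_LIST = {"203.0.113.7"}

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=(\d+) DPT=(\d+)")


def parse(log_text):
    """Yield (src, dst, sport, dport) for every TCP line the regex recognises."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))


def static_source_port_scans(log_text, min_targets=3):
    """Return {(src, sport): sorted dports} for sources that reuse one source port
    against at least min_targets distinct (dst, dport) pairs. A normal client picks
    a fresh ephemeral port per connection, so one fixed port spread over many
    targets is the scanner signature; repeated hits on a single target (retries)
    are counted once and therefore not flagged."""
    targets = defaultdict(set)
    for src, dst, sport, dport in parse(log_text):
        targets[(src, sport)].add((dst, dport))
    return {key: sorted({dport for _, dport in pairs})
            for key, pairs in targets.items() if len(pairs) >= min_targets}


def correlate(findings, block_list):
    """Annotate each finding with whether its source is already on the block list."""
    return {key: {"dports": dports, "on_block_list": key[0] in block_list}
            for key, dports in findings.items()}


if __name__ == "__main__":
    for key, info in correlate(static_source_port_scans(SAMPLE_LOG), BLOCK_LIST).items():
        print(key, info)
```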
[Charts: source port 6000 events over 24 hours, 1 week, 1 month and 1 year; source port 6000 source countries repartition; source port 6000 destination ports repartition]