North American Network Operators Group


Re: Tracing where it started

  • From: Travis Pugh
  • Date: Sat Jan 25 18:49:04 2003

According to Clayton Fiske:

> Interestingly, looking through my logs for UDP 1434, I saw a sequential
> scan of my subnet like so:
>
> Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
> Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33 IN
> Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.3,1434 PR udp len 20 33 IN
>
> All from 206.176.210.74, all source port 53 (probably trying to
> use people's DNS firewall rules to get around being filtered).
>
> After that, I saw nothing until the storm started last night from many
> different source IPs, which was at Jan 24 21:31:53 PST for me.

Ditto on the sequential scan well before the actual action, except
that mine came on Jan. 19th:

Jan 19 10:59:11 Deny inbound UDP from 67.8.33.179/1 to xxx.xxx.xxx.xxx
...
...

The scan went across several subnets I manage inside 209.67.0.0
serially.  My sources were all from 67.8.33.179, all source port 1.
The actual worm propagation began to hit my logs at 00:28:16 EST Jan
25.

Cheers.

-travis
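As an added example (not code from the thread or from either poster), here is detection logic for the pre-worm signature both posts describe: one source address, one fixed source port, walking consecutive hosts toward udp/1434. It parses the two log formats quoted above; the sample lines, addresses and the assumption that "Deny" lines without a destination port were already filtered to 1434 are constructed for the example.

```python
import re
from collections import defaultdict
# The two firewall log formats quoted in the thread ("Deny" dst port optional).
IPF_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<src>[\d.]+),(?P<sport>\d+) -> "
                    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)")
DENY_RE = re.compile(r"^\w{3} +\d+ [\d:]+ Deny inbound (?P<proto>\w+) from "
                     r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)(?:/(?P<dport>\d+))?")
# Constructed sample log (documentation addresses, not the IPs in the post).
SAMPLE_LOG = """\
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.3,1434 PR udp len 20 33 IN
Jan 19 10:59:11 Deny inbound UDP from 203.0.113.9/1 to 192.0.2.10/1434
Jan 19 10:59:11 Deny inbound UDP from 203.0.113.9/1 to 192.0.2.11/1434
Jan 24 21:31:53 198.51.100.200,4021 -> 192.0.2.5,1434 PR udp len 20 33 IN
"""

def parse_line(line):
    """Return {src, sport, dst, dport, proto} or None if the line is unparsed."""
    m = IPF_RE.match(line) or DENY_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "proto": d["proto"].lower()}

def host_index(ip):
    """Dotted quad -> integer, so neighbouring hosts differ by exactly 1."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def find_sequential_scans(lines, dport=1434, min_hosts=3):
    """Map (src, sport) -> longest run of consecutive destination hosts probed on
    udp/dport; a fixed source port (53 or 1 in the thread) walking the subnet in
    order is the signature. Missing dst port ("Deny") assumes a pre-filtered log."""
    by_src = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "udp" and rec["dport"] in (dport, None):
            by_src[(rec["src"], rec["sport"])].add(host_index(rec["dst"]))
    hits = {}
    for key, hosts in by_src.items():
        ordered = sorted(hosts)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_hosts:
            hits[key] = best
    return hits
```

Run over the sample, only the source-port-53 walker is reported at the default threshold; the ephemeral-port hit on a single host, which is what the later worm traffic looks like, is not.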