North American Network Operators Group

Re: Tracing where it started
Our first (this is EST):

Jan 25 00:29:44 external.firewall1.oct.nac.net firewalld[109]: deny in eth0 404 udp 20 114 61.103.121.140 66.246.x.x 3546 14 34 (default)

61.103.121.140 = a host somewhere on GBLX

On Sat, 25 Jan 2003, Pete Ashdown wrote:

>
> * Clayton Fiske ([email protected]) [030125 12:55] writeth:
> >
> >On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote:
> >> It might be interesting if some people were to post when they received
> >> their first attack packet, and where it came from, if they happened to
> >> be logging.
> >>
> >> Here is the first packet we logged:
> >> Jan 25 00:29:37 EST 216.66.11.120
> >
> >Interestingly, looking through my logs for UDP 1434, I saw a sequential
> >scan of my subnet like so:
> >
> >Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
>
> I'm not sure that going back that far is going to offer anything
> conclusive, as it could have been any number of scanners looking for
> vulnerabilities. Looking at my logs back to the 19th, I have isolated hits
> on the 19th and 23rd. However, they really started to come in force at
> 22:29:39 MDT, two seconds after Clayton's. My first attempt came from an
> IP owned by Level 3 Comm.
>
> Jan 23 02:43:44 c6509-core 10829487: 47w0d: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.41.65.170(48962) -> 166.70.10.63(1434), 1 packet
> Jan 24 22:29:39 c6509-core 10966964: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 65.57.250.28(1210) -> 204.228.150.9(1434), 1 packet
> Jan 24 22:29:44 border 7577864: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 129.219.122.204(1170) -> 204.228.132.100(1434), 1 packet
> Jan 24 22:29:50 border 7577865: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 212.67.198.3(1035) -> 166.70.22.47(1434), 1 packet
> Jan 24 22:29:52 xmission-paix 425068: 7w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.103.121.140(3546) -> 166.70.22.87(1434), 1 packet
> Jan 24 22:29:52 border 7577868: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.57.250.28(1210) -> 204.228.132.18(1434), 1 packet
> Jan 24 22:29:55 c6509-core 10966977: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 61.103.121.140(3546) -> 166.70.10.8(1434), 1 packet
> Jan 24 22:29:57 c6509-core 10966979: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 12.24.139.231(3315) -> 204.228.140.81(1434), 1 packet
> Jan 24 22:29:58 c6509-core 10966980: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 140.115.113.252(3780) -> 207.135.133.228(1434), 1 packet
> Jan 24 22:29:59 c6509-core 10966981: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 17.193.12.215(3117) -> 207.135.155.209(1434), 1 packet
> Jan 24 22:30:00 border 7577873: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 209.15.147.225(4543) -> 204.228.133.186(1434), 1 packet

-- Alex Rubenstein, AR97, K2AHR, [email protected], latency, Al Reuben --
-- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
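The posters above pick out their first UDP/1434 hit by reading the logs by hand. As an added example (not code from anyone in the thread), here is a small parser for the Cisco %SEC-6-IPACCESSLOGP lines Pete quoted that keeps only UDP denies to port 1434, reports the earliest one and its source, totals packets per source, and finds the point where hits start arriving in force. The sample lines are copied from Pete's message; the 2003 year and the "3 hits within 60 seconds" burst threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Cisco IOS ACL log line in the shape quoted in the thread; the message sequence
# number and router uptime between the hostname and the mnemonic are skipped.
ACL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?%SEC-6-IPACCESSLOGP: "
    r"list \S+ denied (?P<proto>\w+) (?P<src>[\d.]+)\(\d+\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?")

def parse_acl_line(line, year=2003):
    """Parse one IPACCESSLOGP line; syslog carries no year, so the caller supplies it."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S"),
            "host": d["host"], "proto": d["proto"].lower(), "src": d["src"],
            "dst": d["dst"], "dport": int(d["dport"]), "pkts": int(d["pkts"])}

def summarize_port_hits(lines, dport=1434, proto="udp", window_s=60, burst_min=3):
    """First-seen hit, packets per source, and when hits first arrive in force
    (burst_min or more hits inside window_s; that threshold is an assumed default)."""
    events = [e for e in map(parse_acl_line, lines)
              if e and e["proto"] == proto and e["dport"] == dport]
    events.sort(key=lambda e: e["ts"])
    if not events:
        return None
    by_src = Counter()
    for e in events:
        by_src[e["src"]] += e["pkts"]
    burst_start = None
    for i, e in enumerate(events):
        if sum((x["ts"] - e["ts"]).total_seconds() <= window_s for x in events[i:]) >= burst_min:
            burst_start = e["ts"]
            break
    return {"first_seen": events[0]["ts"], "first_src": events[0]["src"],
            "by_src": by_src, "burst_start": burst_start}

# Sample input: lines copied from Pete Ashdown's message above, ">" quoting removed.
SAMPLE_LINES = [
    "Jan 23 02:43:44 c6509-core 10829487: 47w0d: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.41.65.170(48962) -> 166.70.10.63(1434), 1 packet",
    "Jan 24 22:29:39 c6509-core 10966964: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 65.57.250.28(1210) -> 204.228.150.9(1434), 1 packet",
    "Jan 24 22:29:52 xmission-paix 425068: 7w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.103.121.140(3546) -> 166.70.22.87(1434), 1 packet",
    "Jan 24 22:29:52 border 7577868: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.57.250.28(1210) -> 204.228.132.18(1434), 1 packet",
]

def sample_summary():
    return summarize_port_hits(SAMPLE_LINES)
```

On the sample, the isolated Jan 23 hit is reported as first seen while the burst is dated to 22:29:39 on Jan 24, matching Pete's reading of the same lines.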