North American Network Operators Group

Re: Tracing where it started
Here are the IPs I got at 5:29:40 GMT, the time I got 10 packets / second

+-----------------+
| source          |
+-----------------+
| 216.069.032.086 | Kentucky Community and Technical College System
| 066.223.041.231 | Interland
| 216.066.011.120 | Hurricane Electric
| 216.098.178.081 | V-Span, Inc.
+-----------------+

Here is the traffic on port 1434 broken down to seconds around that time
(note: I get data from diverse sources, so clock drifts may be an issue)

| 05:29:33 |  7 |
| 05:29:34 |  8 |
| 05:29:35 |  4 |
| 05:29:36 |  8 |
| 05:29:37 |  7 |
| 05:29:38 |  7 |
| 05:29:39 |  5 |
| 05:29:40 | 10 |
| 05:29:41 | 12 |
| 05:29:42 | 14 |
| 05:29:43 | 12 |
| 05:29:44 | 16 |
| 05:29:45 | 18 |
| 05:29:46 | 20 |

On Sat, 25 Jan 2003 17:32:17 -0500
"Travis Pugh" <[email protected]> wrote:

>
> > According to Clayton Fiske:
>
> > Interestingly, looking through my logs for UDP 1434, I saw a sequential
> > scan of my subnet like so:
> >
> > Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
> > Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33 IN
> > Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.3,1434 PR udp len 20 33 IN
> >
> > All from 206.176.210.74, all source port 53 (probably trying to
> > use people's DNS firewall rules to get around being filtered).
> >
> > After that, I saw nothing until the storm started last night from many
> > different source IPs, which was at Jan 24 21:31:53 PST for me.
>
> Ditto on the sequential scan well before the actual action, except
> that mine came on Jan. 19th:
>
> Jan 19 10:59:11 Deny inbound UDP from 67.8.33.179/1 to xxx.xxx.xxx.xxx
> ...
> ...
>
> The scan went across several subnets I manage inside 209.67.0.0
> serially. My sources were all from 67.8.33.179, all source port 1.
> The actual worm propagation began to hit my logs at 00:28:16 EST Jan
> 25.
>
> Cheers.
>
> -travis
>

--
--------------------------------------------------------------------
[email protected]              Collaborative Intrusion Detection
                                    join http://www.dshield.org
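
Added example, not part of the original thread or written by any of its posters: one way to find the kind of sequential pre-scan quoted above (one source and source port walking consecutive destination addresses on UDP 1434) in logs of the same layout. The function name, the min_run threshold and the sample lines are assumptions; the redacted x.x.x.N destinations are replaced with the 192.0.2.0/24 documentation range.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample in the log layout quoted in the thread; destinations and
# the second and third sources are documentation-range placeholders.
SAMPLE_LOG = """\
Jan 16 08:15:51 206.176.210.74,53 -> 192.0.2.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> 192.0.2.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> 192.0.2.3,1434 PR udp len 20 33 IN
Jan 16 08:15:52 206.176.210.74,53 -> 192.0.2.4,1434 PR udp len 20 33 IN
Jan 16 09:02:10 198.51.100.7,3312 -> 192.0.2.9,1434 PR udp len 20 404 IN
Jan 16 09:02:11 198.51.100.7,3312 -> 192.0.2.9,1434 PR udp len 20 404 IN
Jan 16 09:05:00 203.0.113.5,53 -> 192.0.2.20,53 PR udp len 20 60 IN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR udp "
)

def find_sequential_sweeps(log_text, dport=1434, min_run=3):
    """Return (src, sport, first_dst, last_dst, count) for each run of
    consecutive destination addresses probed by one source/source-port pair."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["dport"]) == dport:
            targets[(m["src"], int(m["sport"]))].add(int(IPv4Address(m["dst"])))
    sweeps = []
    for (src, sport), dsts in sorted(targets.items()):
        ordered = sorted(dsts)
        start = prev = ordered[0]
        for addr in ordered[1:] + [None]:  # None flushes the final run
            if addr is not None and addr == prev + 1:
                prev = addr
                continue
            if prev - start + 1 >= min_run:
                sweeps.append((src, sport, str(IPv4Address(start)),
                               str(IPv4Address(prev)), prev - start + 1))
            start = prev = addr
    return sweeps

if __name__ == "__main__":
    for sweep in find_sequential_sweeps(SAMPLE_LOG):
        print("sweep from %s sport %d: %s-%s (%d hosts)" % sweep)
```

Repeated hits on a single host, as in the second constructed source, are not reported; only runs of adjacent addresses count, which separates a serial sweep from the worm's scattered traffic.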