North American Network Operators Group


Re: Tracing where it started

  • From: Brian Coyle
  • Date: Sat Jan 25 22:19:59 2003


On Saturday 25 January 2003 17:32, Travis Pugh wrote:

[snip]

> Ditto on the sequential scan well before the actual action, except
> that mine came on Jan. 19th:
>
> Jan 19 10:59:11 Deny inbound UDP from 67.8.33.179/1 to xxx.xxx.xxx.xxx


I have a similar packet (but only one) from the same host (time is ntp sync'd EST).


Jan 20 12:55:47 firewall kernel: Packet log: input - ppp0 PROTO=17 67.8.33.179:1 65.83.153.253:1434 L=29 S=0x00 I=20300 F=0x0000 T=110 (#23)

> The scan went across several subnets I manage inside 209.67.0.0
> serially.  My sources were all from 67.8.33.179, all source port 1.
> The actual worm propagation began to hit my logs at 00:28:16 EST Jan
> 25.
>


My first worm packet- 

Jan 25 00:32:52 firewall kernel: Packet log: input - ppp0 PROTO=17 131.128.163.118:1631 65.83.153.253:1434 L=404 S=0x00 I=2610 F=0x0000 T=113 (#23)

and continued until 

Jan 25 11:48:44 firewall kernel: Packet log: input - ppp0 PROTO=17 151.99.167.133:30725 65.83.153.253:1434 L=404 S=0x00 I=2 F=0x0000 T=111 (#23)

when BS.N apparently shut down 1434.


-- 
Redundancy?  You can say that again!
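As an added illustration (not part of the original post or the thread), a small Python parser for the ipchains "Packet log" lines quoted above that separates the Jan 20 source-port-1 probe from the 404-byte UDP/1434 datagrams the thread calls the worm. The sample lines are constructed from the values in the thread, and 10.0.0.5 is a made-up address.

```python
import re
from typing import Optional

# Constructed sample in the ipchains "Packet log" format quoted in the thread: the Jan 20
# source-port-1 probe, two 404-byte UDP/1434 worm packets, and an unrelated TCP line (10.0.0.5 is made up).
SAMPLE_LOG = """\
Jan 20 12:55:47 firewall kernel: Packet log: input - ppp0 PROTO=17 67.8.33.179:1 65.83.153.253:1434 L=29 S=0x00 I=20300 F=0x0000 T=110 (#23)
Jan 25 00:32:52 firewall kernel: Packet log: input - ppp0 PROTO=17 131.128.163.118:1631 65.83.153.253:1434 L=404 S=0x00 I=2610 F=0x0000 T=113 (#23)
Jan 25 00:40:01 firewall kernel: Packet log: input - ppp0 PROTO=6 10.0.0.5:40000 65.83.153.253:1434 L=60 S=0x00 I=1 F=0x4000 T=64 (#23)
Jan 25 11:48:44 firewall kernel: Packet log: input - ppp0 PROTO=17 151.99.167.133:30725 65.83.153.253:1434 L=404 S=0x00 I=2 F=0x0000 T=111 (#23)
"""

LINE_RE = re.compile(  # timestamp, host, chain - iface, PROTO, src:sport, dst:dport, L (IP total length)
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ - \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) "
)

def parse_line(line: str) -> Optional[dict]:
    """Parse one ipchains log line into a dict (ints for numeric fields); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}

def classify(p: dict) -> str:
    """Label UDP/1434 traffic: the 404-byte worm datagram, the earlier source-port-1 probe, or 'other'."""
    if p["proto"] != 17 or p["dport"] != 1434:   # only UDP to 1434 is of interest here
        return "other"
    if p["length"] == 404:                        # IP total length the thread reports for the worm
        return "worm"
    if p["sport"] == 1 and p["length"] < 64:      # the small source-port-1 scan packets seen earlier
        return "probe"
    return "other"

def summarize(log_text: str) -> dict:
    """Count packets per label and record the first/last worm timestamps and the source hosts."""
    counts = {"worm": 0, "probe": 0, "other": 0}
    worm_ts, sources = [], set()
    for line in log_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        label = classify(p)
        counts[label] += 1
        if label == "worm":
            worm_ts.append(p["ts"])
            sources.add(p["src"])
    return {"counts": counts, "first_worm": worm_ts[0] if worm_ts else None,
            "last_worm": worm_ts[-1] if worm_ts else None, "worm_sources": sorted(sources)}
```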