[55220] in North American Network Operators' Group


Re: Tracing where it started

daemon@ATHENA.MIT.EDU (Johannes Ullrich)
Sat Jan 25 20:20:53 2003

Date: Sat, 25 Jan 2003 19:05:05 -0500
From: "Johannes Ullrich" <jullrich@euclidian.com>
To: "Travis Pugh" <tdp@discombobulated.net>
Cc: nanog@merit.edu
X-Qmail-Scanner-Mail-From: jullrich@euclidian.com via server.euclidian.com
In-Reply-To: <014f01c2c4c1$9e2a4de0$7b00a8c0@discombobulated.net>
Errors-To: owner-nanog-outgoing@merit.edu



Here are the IPs I got at 5:29:40 GMT, the time I got 10 packets / second

+-----------------+
| source          |
+-----------------+
| 216.069.032.086 |  Kentucky Community and Technical College System
| 066.223.041.231 |  Interland
| 216.066.011.120 |  Hurricane Electric
| 216.098.178.081 |  V-Span, Inc.
+-----------------+

Here is the traffic on port 1434 broken down by second around that time
(note: I get data from diverse sources, so clock drift may be an issue)

| GMT      |  packets |
| 05:29:33 |        7 |
| 05:29:34 |        8 |
| 05:29:35 |        4 |
| 05:29:36 |        8 |
| 05:29:37 |        7 |
| 05:29:38 |        7 |
| 05:29:39 |        5 |
| 05:29:40 |       10 |
| 05:29:41 |       12 |
| 05:29:42 |       14 |
| 05:29:43 |       12 |
| 05:29:44 |       16 |
| 05:29:45 |       18 |
| 05:29:46 |       20 |



On Sat, 25 Jan 2003 17:32:17 -0500
"Travis Pugh" <tdp@discombobulated.net> wrote:

> 
> 
> According to Clayton Fiske:
> 
> > Interestingly, looking through my logs for UDP 1434, I saw a sequential
> > scan of my subnet like so:
> >
> > Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
> > Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33 IN
> > Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.3,1434 PR udp len 20 33 IN
> >
> > All from 206.176.210.74, all source port 53 (probably trying to
> > use people's DNS firewall rules to get around being filtered).
> >
> > After that, I saw nothing until the storm started last night from many
> > different source IPs, which was at Jan 24 21:31:53 PST for me.
> 
> Ditto on the sequential scan well before the actual action, except
> that mine came on Jan. 19th:
> 
> Jan 19 10:59:11 Deny inbound UDP from 67.8.33.179/1 to xxx.xxx.xxx.xxx
> ...
> ...
> 
> The scan went across several subnets I manage inside 209.67.0.0
> serially.  My sources were all from 67.8.33.179, all source port 1.
> The actual worm propagation began to hit my logs at 00:28:16 EST Jan 25.
> 
> Cheers.
> 
> -travis
> 
> 


-- 
--------------------------------------------------------------------
jullrich@euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
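Added example, not part of the archived message or of DShield's code: the two detections this thread describes, written out against constructed ipfilter-style log lines in the same field layout Clayton Fiske quoted. It flags a single source sweeping consecutive addresses on UDP/1434 from one fixed source port (the pre-outbreak scan both posters saw), and it counts inbound UDP/1434 packets per time bucket so a rate threshold like Ullrich's 10 packets/second can be applied, with a bucket width to absorb the clock drift he mentions. Every address, timestamp, packet size, threshold and function name below is an assumption made for the example; the year is assumed because syslog lines carry none, and the PIX-style "Deny inbound UDP from" lines Travis quoted use a different layout this parser does not handle.

```python
"""Added example (not from the NANOG thread): detection logic for the two patterns the
thread describes, run over constructed ipfilter-style log lines modelled on the ones
Clayton Fiske quoted. All addresses, timestamps and packet sizes below are made up."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Field layout copied from the quoted ipfilter lines:
#   <Mon dd HH:MM:SS> <src>,<sport> -> <dst>,<dport> PR <proto> len <hdr> <total> <IN|OUT>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<dir>IN|OUT)$"
)
YEAR = 2003                      # syslog lines carry no year; assumed here
EPOCH = datetime(YEAR, 1, 1)     # fixed reference so bucketing is timezone-independent

def parse(lines):
    """Yield one dict per line that matches LINE_RE; anything else is skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(f"{YEAR} {d['ts']}", "%Y %b %d %H:%M:%S")
        for k in ("sport", "dport", "hlen", "plen"):
            d[k] = int(d[k])
        yield d

def sequential_scans(events, dport=1434, min_hosts=3):
    """Sources that hit `dport` on a run of consecutive destination addresses while
    keeping one fixed source port (the pre-outbreak sweep pattern from the thread).
    Returns {src: (sport, longest_run)}. Worm traffic, where each infected host
    sends one packet to a random target, does not trigger this."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "udp" and e["dport"] == dport and e["dir"] == "IN":
            by_src[e["src"]].append(e)
    found = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: (e["ts"], int(ip_address(e["dst"]))))
        sports = {e["sport"] for e in evs}
        longest = run = 1
        for a, b in zip(evs, evs[1:]):
            step = int(ip_address(b["dst"])) - int(ip_address(a["dst"]))
            run = run + 1 if step == 1 else 1
            longest = max(longest, run)
        if len(sports) == 1 and longest >= min_hosts:
            found[src] = (sports.pop(), longest)
    return found

def rate_by_bucket(events, dport=1434, bucket=1):
    """Inbound packets to `dport` per `bucket`-second window, keyed by window start.
    A bucket of a few seconds absorbs the clock drift between sensors that
    Ullrich warns about when feeds from different sources are merged."""
    counts = Counter()
    for e in events:
        if e["dport"] == dport and e["dir"] == "IN":
            secs = int((e["ts"] - EPOCH).total_seconds())
            counts[EPOCH + timedelta(seconds=secs - secs % bucket)] += 1
    return counts

def first_burst(counts, threshold):
    """Earliest window whose count reaches `threshold`, or None."""
    for ts in sorted(counts):
        if counts[ts] >= threshold:
            return ts
    return None

# Constructed sample: a four-host sweep from source port 53 on Jan 16, one stray
# probe, then a burst from many sources on Jan 24, plus one unparseable line.
SAMPLE = """\
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.3,1434 PR udp len 20 33 IN
Jan 16 08:15:52 198.51.100.7,53 -> 192.0.2.4,1434 PR udp len 20 33 IN
Jan 16 09:00:00 203.0.113.9,1434 -> 192.0.2.1,1434 PR udp len 20 404 IN
Jan 24 21:31:53 203.0.113.10,1434 -> 192.0.2.20,1434 PR udp len 20 404 IN
Jan 24 21:31:53 203.0.113.11,1434 -> 192.0.2.21,1434 PR udp len 20 404 IN
Jan 24 21:31:53 203.0.113.12,1434 -> 192.0.2.22,1434 PR udp len 20 404 IN
Jan 24 21:31:54 203.0.113.13,1434 -> 192.0.2.20,1434 PR udp len 20 404 IN
Jan 24 21:31:54 203.0.113.14,1434 -> 192.0.2.30,1434 PR udp len 20 404 IN
Jan 24 21:31:54 203.0.113.15,1434 -> 192.0.2.40,1434 PR udp len 20 404 IN
Jan 24 21:31:54 203.0.113.16,1434 -> 192.0.2.41,1434 PR udp len 20 404 IN
Jan 24 21:31:55 203.0.113.17,1434 -> 192.0.2.42,1434 PR udp len 20 404 IN
this line is deliberately malformed and must be skipped
"""
EVENTS = list(parse(SAMPLE.splitlines()))

if __name__ == "__main__":
    print("sequential scanners:", sequential_scans(EVENTS))
    per_sec = rate_by_bucket(EVENTS)
    print("first second at >= 4 pkt/s:", first_burst(per_sec, 4))
    print("5-second buckets:", sorted(rate_by_bucket(EVENTS, bucket=5).items()))
```

Two things worth noticing when running it: the sweep from one source is caught by `sequential_scans` and never by the burst from many sources, because each infected host contributes one packet to one target; and a rate threshold set too low fires on the sweep itself rather than on the outbreak, so the two checks answer different questions and should be reported separately.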
