[55242] in North American Network Operators' Group
Re: Tracing where it started
daemon@ATHENA.MIT.EDU (Brian Coyle)
Sat Jan 25 22:18:22 2003
From: Brian Coyle <brian@linuxwidows.com>
To: "Travis Pugh" <tdp@discombobulated.net>, <nanog@merit.edu>
Date: Sat, 25 Jan 2003 20:52:30 -0500
In-Reply-To: <014f01c2c4c1$9e2a4de0$7b00a8c0@discombobulated.net>
On Saturday 25 January 2003 17:32, Travis Pugh wrote:
[snip]
> Ditto on the sequential scan well before the actual action, except
> that mine came on Jan. 19th:
>
> Jan 19 10:59:11 Deny inbound UDP from 67.8.33.179/1 to xxx.xxx.xxx.xxx
I have a similar packet (but only one) from the same host (time is ntp sync'd EST).
Jan 20 12:55:47 firewall kernel: Packet log: input - ppp0 PROTO=17 67.8.33.179:1 65.83.153.253:1434 L=29 S=0x00 I=20300 F=0x0000 T=110 (#23)
> The scan went across several subnets I manage inside 209.67.0.0
> serially. My sources were all from 67.8.33.179, all source port 1.
> The actual worm propagation began to hit my logs at 00:28:16 EST Jan
> 25.
>
My first worm packet-
Jan 25 00:32:52 firewall kernel: Packet log: input - ppp0 PROTO=17 131.128.163.118:1631 65.83.153.253:1434 L=404 S=0x00 I=2610 F=0x0000 T=113 (#23)
and continued until
Jan 25 11:48:44 firewall kernel: Packet log: input - ppp0 PROTO=17 151.99.167.133:30725 65.83.153.253:1434 L=404 S=0x00 I=2 F=0x0000 T=111 (#23)
when BS.N apparently shut down 1434.
--
Redundancy? You can say that again!
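An added example (not from the post or any NANOG participant) of how a defender could pull the two things this thread is comparing, the early source-port-1 probe and the worm traffic itself, out of ipchains-style "Packet log:" lines. It assumes the log format shown in the post, the two packet shapes the post reports (a 29-byte probe from source port 1, and a 404-byte UDP/1434 datagram, which is the worm's 376-byte payload plus 28 bytes of IP/UDP header); the sample lines are the post's own, rejoined, plus one constructed TCP line using a TEST-NET address.

```python
import re
from collections import Counter
from dataclasses import dataclass

# ipchains "Packet log:" line: chain, target ('-' = log only), interface,
# then PROTO, src:sport, dst:dport, L=total IP length ... T=ttl, and the rule number.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
)

@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    length: int

def parse_line(line):
    """Parse one rejoined log line; return None for anything that is not a Packet log."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                  int(m["proto"]), int(m["length"]))

def classify(pkt):
    """Label UDP/1434 traffic by the two shapes seen in the thread (assumed thresholds):
    'worm' for the 404-byte datagram, 'scan' for a short probe from source port 1."""
    if pkt.proto != 17 or pkt.dport != 1434:
        return None
    if pkt.length == 404:
        return "worm"
    if pkt.sport == 1 and pkt.length < 64:
        return "scan"
    return "other-1434"

def summarize(lines):
    """Return first/last worm timestamps (log order) and per-label source counts."""
    first = last = None
    sources = {}
    for line in lines:
        pkt = parse_line(line)
        label = classify(pkt) if pkt else None
        if label is None:
            continue
        sources.setdefault(label, Counter())[pkt.src] += 1
        if label == "worm":
            first = first or pkt.ts
            last = pkt.ts
    return {"first_worm": first, "last_worm": last, "sources": sources}

# Constructed sample: the post's three lines rejoined, plus one unrelated TCP line.
SAMPLE = """\
Jan 20 12:55:47 firewall kernel: Packet log: input - ppp0 PROTO=17 67.8.33.179:1 65.83.153.253:1434 L=29 S=0x00 I=20300 F=0x0000 T=110 (#23)
Jan 25 00:32:52 firewall kernel: Packet log: input - ppp0 PROTO=17 131.128.163.118:1631 65.83.153.253:1434 L=404 S=0x00 I=2610 F=0x0000 T=113 (#23)
Jan 25 11:48:44 firewall kernel: Packet log: input - ppp0 PROTO=17 151.99.167.133:30725 65.83.153.253:1434 L=404 S=0x00 I=2 F=0x0000 T=111 (#23)
Jan 25 03:10:00 firewall kernel: Packet log: input - ppp0 PROTO=6 192.0.2.10:4321 65.83.153.253:80 L=60 S=0x00 I=1 F=0x4000 T=64 (#5)
"""

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```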