Tracing where it started

Pete Ashdown pashdown at xmission.com
Sat Jan 25 21:03:25 UTC 2003


* Clayton Fiske (clay at bloomcounty.org) [030125 12:55] writeth:
>
>On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote:
>> It might be interesting if some people were to post when they received
>> their first attack packet, and where it came from, if they happened to
>> be logging. 
>> 
>> Here is the first packet we logged:
>> Jan 25 00:29:37 EST 216.66.11.120
>
>Interestingly, looking through my logs for UDP 1434, I saw a sequential
>scan of my subnet like so:
>
>Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN

I'm not sure that going back that far is going to offer anything
conclusive, as it could have been any number of scanners looking for
vulnerabilities.  Looking at my logs back to the 19th, I have isolated hits
on the 19th and 23rd.  However, they really started to come in force at
22:29:39 MDT, two seconds after Clayton's.  My first attempt came from an
IP owned by Level 3 Comm.

Jan 23 02:43:44 c6509-core 10829487: 47w0d: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.41.65.170(48962) -> 166.70.10.63(1434), 1 packet
Jan 24 22:29:39 c6509-core 10966964: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 65.57.250.28(1210) -> 204.228.150.9(1434), 1 packet
Jan 24 22:29:44 border 7577864: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 129.219.122.204(1170) -> 204.228.132.100(1434), 1 packet
Jan 24 22:29:50 border 7577865: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 212.67.198.3(1035) -> 166.70.22.47(1434), 1 packet
Jan 24 22:29:52 xmission-paix 425068: 7w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.103.121.140(3546) -> 166.70.22.87(1434), 1 packet
Jan 24 22:29:52 border 7577868: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.57.250.28(1210) -> 204.228.132.18(1434), 1 packet
Jan 24 22:29:55 c6509-core 10966977: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 61.103.121.140(3546) -> 166.70.10.8(1434), 1 packet
Jan 24 22:29:57 c6509-core 10966979: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 12.24.139.231(3315) -> 204.228.140.81(1434), 1 packet
Jan 24 22:29:58 c6509-core 10966980: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 140.115.113.252(3780) -> 207.135.133.228(1434), 1 packet
Jan 24 22:29:59 c6509-core 10966981: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 17.193.12.215(3117) -> 207.135.155.209(1434), 1 packet
Jan 24 22:30:00 border 7577873: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 209.15.147.225(4543) -> 204.228.133.186(1434), 1 packet
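The post's method is to grep router ACL logs for UDP/1434 and separate the isolated pre-outbreak probes (the 19th and 23rd) from the moment the traffic "came in force". The following parser is an added example, not code from the post or from NANOG; it takes Cisco %SEC-6-IPACCESSLOGP lines exactly as quoted above (mail-client line wraps rejoined), extracts the fields, reports the first hit overall and per logging device, and locates the onset as the first moment at which several distinct source addresses hit the port within a short window, so a lone scanner does not count. Syslog lines carry no year, so the year 2003 is assumed from the post date; timestamps remain the router's local clock (MDT in this post), which is why cross-site comparisons like the one in the thread need a shared time zone.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Log lines quoted from the post above (wrapped lines rejoined, one record per line).
SAMPLE_LOG = """\
Jan 23 02:43:44 c6509-core 10829487: 47w0d: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.41.65.170(48962) -> 166.70.10.63(1434), 1 packet
Jan 24 22:29:39 c6509-core 10966964: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 65.57.250.28(1210) -> 204.228.150.9(1434), 1 packet
Jan 24 22:29:44 border 7577864: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 129.219.122.204(1170) -> 204.228.132.100(1434), 1 packet
Jan 24 22:29:50 border 7577865: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 212.67.198.3(1035) -> 166.70.22.47(1434), 1 packet
Jan 24 22:29:52 xmission-paix 425068: 7w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.103.121.140(3546) -> 166.70.22.87(1434), 1 packet
Jan 24 22:29:52 border 7577868: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.57.250.28(1210) -> 204.228.132.18(1434), 1 packet
Jan 24 22:29:55 c6509-core 10966977: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 61.103.121.140(3546) -> 166.70.10.8(1434), 1 packet
Jan 24 22:29:57 c6509-core 10966979: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 12.24.139.231(3315) -> 204.228.140.81(1434), 1 packet
Jan 24 22:29:58 c6509-core 10966980: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 140.115.113.252(3780) -> 207.135.133.228(1434), 1 packet
Jan 24 22:29:59 c6509-core 10966981: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 17.193.12.215(3117) -> 207.135.155.209(1434), 1 packet
Jan 24 22:30:00 border 7577873: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 209.15.147.225(4543) -> 204.228.133.186(1434), 1 packet
"""

# Cisco IOS ACL log format: "<mon> <day> <hh:mm:ss> <host> <seq>: <uptime>: %SEC-6-IPACCESSLOGP:
# list <acl> denied|permitted <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
ACL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) \d+: \S+: %SEC-6-IPACCESSLOGP: list (?P<acl>\d+) "
    r"(?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def parse_acl_log(text: str, year: int = 2003) -> List[Dict]:
    """Parse ACL log lines into records sorted by timestamp.
    `year` is an assumption: syslog timestamps do not carry one."""
    records = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an ACL log entry
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        records.append({
            "ts": ts, "host": m["host"], "acl": int(m["acl"]), "action": m["action"],
            "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "count": int(m["count"]),
        })
    records.sort(key=lambda r: r["ts"])  # stable, so same-second entries keep log order
    return records


def hits_to_port(records: List[Dict], dport: int = 1434, proto: str = "udp") -> List[Dict]:
    """Only the entries aimed at the port of interest (UDP/1434 in the thread)."""
    return [r for r in records if r["dport"] == dport and r["proto"] == proto]


def first_hit(records: List[Dict], dport: int = 1434) -> Optional[Dict]:
    """Earliest logged packet to the port, isolated probes included."""
    hits = hits_to_port(records, dport)
    return hits[0] if hits else None


def first_hit_per_host(records: List[Dict], dport: int = 1434) -> Dict[str, Dict]:
    """Which logging device saw the port first, and when."""
    seen: Dict[str, Dict] = {}
    for r in hits_to_port(records, dport):
        seen.setdefault(r["host"], r)
    return seen


def onset(records: List[Dict], dport: int = 1434,
          window: timedelta = timedelta(seconds=60), min_sources: int = 5) -> Optional[datetime]:
    """Timestamp at which traffic 'came in force': the first entry that is followed,
    within `window`, by hits from at least `min_sources` distinct source addresses.
    A single scanner (as on the 19th and 23rd) never satisfies this."""
    hits = hits_to_port(records, dport)
    for i, start in enumerate(hits):
        sources = set()
        for r in hits[i:]:
            if r["ts"] - start["ts"] > window:
                break
            sources.add(r["src"])
        if len(sources) >= min_sources:
            return start["ts"]
    return None


def distinct_sources(records: List[Dict], dport: int = 1434) -> Set[str]:
    """Distinct source addresses that hit the port; for a worm this grows fast."""
    return {r["src"] for r in hits_to_port(records, dport)}


if __name__ == "__main__":
    recs = parse_acl_log(SAMPLE_LOG)
    print("first hit:", first_hit(recs)["ts"], first_hit(recs)["src"])
    for host, r in first_hit_per_host(recs).items():
        print(f"first on {host}: {r['ts']} from {r['src']}")
    print("onset:", onset(recs), "distinct sources:", len(distinct_sources(recs)))
```

On the post's data this reports the Jan 23 entry as the first hit but places the onset at Jan 24 22:29:39, the moment the author identifies, because ten entries from eight distinct sources arrive in the following 21 seconds while the Jan 23 probe stands alone. The window and source threshold are tunable; tightening them is how you separate background scanning from a self-propagating event in a larger log.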

More information about the NANOG mailing list