Tracing where it started

Alex Rubenstein alex at nac.net
Sat Jan 25 22:52:31 UTC 2003



Our first (this is EST):

Jan 25 00:29:44 external.firewall1.oct.nac.net firewalld[109]: deny in eth0 404 udp 20 114 61.103.121.140 66.246.x.x 3546 1434 (default)

61.103.121.140 = a host somewhere on GBLX

On Sat, 25 Jan 2003, Pete Ashdown wrote:

>
> * Clayton Fiske (clay at bloomcounty.org) [030125 12:55] writeth:
> >
> >On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote:
> >> It might be interesting if some people were to post when they received
> >> their first attack packet, and where it came from, if they happened to
> >> be logging.
> >>
> >> Here is the first packet we logged:
> >> Jan 25 00:29:37 EST 216.66.11.120
> >
> >Interestingly, looking through my logs for UDP 1434, I saw a sequential
> >scan of my subnet like so:
> >
> >Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
>
> I'm not sure that going back that far is going to offer anything
> conclusive, as it could have been any number of scanners looking for
> vulnerabilities.  Looking at my logs back to the 19th, I have isolated hits
> on the 19th and 23rd.  However, they really started to come in force at
> 22:29:39 MDT, two seconds after Clayton's.  My first attempt came from an
> IP owned by Level 3 Comm.
>
> Jan 23 02:43:44 c6509-core 10829487: 47w0d: %SEC-6-IPACCESSLOGP: list 130
> denied udp 192.41.65.170(48962) -> 166.70.10.63(1434), 1 packet
> Jan 24 22:29:39 c6509-core 10966964: 47w1d: %SEC-6-IPACCESSLOGP: list 130
> denied udp 65.57.250.28(1210) -> 204.228.150.9(1434), 1 packet
> Jan 24 22:29:44 border 7577864: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied
> udp 129.219.122.204(1170) -> 204.228.132.100(1434), 1 packet
> Jan 24 22:29:50 border 7577865: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied
> udp 212.67.198.3(1035) -> 166.70.22.47(1434), 1 packet
> Jan 24 22:29:52 xmission-paix 425068: 7w0d: %SEC-6-IPACCESSLOGP: list 100
> denied udp 61.103.121.140(3546) -> 166.70.22.87(1434), 1 packet
> Jan 24 22:29:52 border 7577868: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied
> udp 65.57.250.28(1210) -> 204.228.132.18(1434), 1 packet
> Jan 24 22:29:55 c6509-core 10966977: 47w1d: %SEC-6-IPACCESSLOGP: list 130
> denied udp 61.103.121.140(3546) -> 166.70.10.8(1434), 1 packet
> Jan 24 22:29:57 c6509-core 10966979: 47w1d: %SEC-6-IPACCESSLOGP: list 130
> denied udp 12.24.139.231(3315) -> 204.228.140.81(1434), 1 packet
> Jan 24 22:29:58 c6509-core 10966980: 47w1d: %SEC-6-IPACCESSLOGP: list 130
> denied udp 140.115.113.252(3780) -> 207.135.133.228(1434), 1 packet
> Jan 24 22:29:59 c6509-core 10966981: 47w1d: %SEC-6-IPACCESSLOGP: list 130
> denied udp 17.193.12.215(3117) -> 207.135.155.209(1434), 1 packet
> Jan 24 22:30:00 border 7577873: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied
> udp 209.15.147.225(4543) -> 204.228.133.186(1434), 1 packet
>

-- Alex Rubenstein, AR97, K2AHR, alex at nac.net, latency, Al Reuben --
--    Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --
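As an added example (not code from the thread or from any of the posters), a short Python script that does what the posters above are doing by hand: it parses both log formats quoted in the thread (the nac.net firewalld line and the Cisco %SEC-6-IPACCESSLOGP lines), normalises the local timestamps to UTC, reports each site's onset of sustained UDP/1434 hits, and lists sources seen at more than one site. Assumptions: EST is UTC-5, Mountain time in January is MST (UTC-7), which is what puts the 22:29 Utah hits two seconds after the 00:29 EST ones; the six-hour quiet-gap threshold for discounting isolated earlier probes is a heuristic chosen here; the sample lines are constructed from the thread with the masked destination replaced by a placeholder.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample entries in the two formats quoted in the thread: the nac.net
# firewalld line (the masked 66.246.x.x destination replaced by a placeholder) and the
# Cisco %SEC-6-IPACCESSLOGP lines. Tuple: (site, local offset from UTC in hours, line).
# Assumed offsets: EST = UTC-5; Mountain time in January is MST = UTC-7.
SAMPLE_LOGS = [
    ("nac.net", -5, "Jan 25 00:29:44 external.firewall1.oct.nac.net firewalld[109]: deny in "
                    "eth0 404 udp 20 114 61.103.121.140 66.246.0.1 3546 1434 (default)"),
    ("xmission", -7, "Jan 23 02:43:44 c6509-core 10829487: 47w0d: %SEC-6-IPACCESSLOGP: list 130 "
                     "denied udp 192.41.65.170(48962) -> 166.70.10.63(1434), 1 packet"),
    ("xmission", -7, "Jan 24 22:29:39 c6509-core 10966964: 47w1d: %SEC-6-IPACCESSLOGP: list 130 "
                     "denied udp 65.57.250.28(1210) -> 204.228.150.9(1434), 1 packet"),
    ("xmission", -7, "Jan 24 22:29:52 xmission-paix 425068: 7w0d: %SEC-6-IPACCESSLOGP: list 100 "
                     "denied udp 61.103.121.140(3546) -> 166.70.22.87(1434), 1 packet"),
]

FIREWALLD = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ firewalld\[\d+\]: deny in \S+ \d+ udp "
                       r"\d+ \d+ (\S+) (\S+) (\d+) (\d+)")       # src dst sport dport
CISCO = re.compile(r"^(\w{3} +\d+ [\d:]+) .*?%SEC-6-IPACCESSLOGP: list \d+ denied udp "
                   r"(\S+)\((\d+)\) -> (\S+)\((\d+)\)")         # src(sport) -> dst(dport)

def parse(site, offset_hours, line, year=2003):
    """Normalise one line to (site, utc_time, src, sport, dst, dport); None if unrecognised."""
    if m := FIREWALLD.match(line):
        ts, src, dst, sport, dport = m.groups()
    elif m := CISCO.match(line):
        ts, src, sport, dst, dport = m.groups()
    else:
        return None
    local = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")   # syslog lines carry no year
    utc = local.replace(tzinfo=timezone(timedelta(hours=offset_hours))).astimezone(timezone.utc)
    return site, utc, src, int(sport), dst, int(dport)

def correlate(entries, dport=1434, quiet_gap=timedelta(hours=6)):
    """Per-site onset (utc_time, src) of sustained UDP/dport hits, plus sources seen at more
    than one site. A hit preceded by more than quiet_gap of silence restarts the onset, so
    isolated earlier probes (like the Jan 23 one) are not mistaken for the worm's arrival."""
    recs = sorted(r for r in (parse(*e) for e in entries) if r and r[5] == dport)
    onset, last, seen_at = {}, {}, {}
    for site, utc, src, *_ in recs:
        seen_at.setdefault(src, set()).add(site)
        if site not in last or utc - last[site] > quiet_gap:
            onset[site] = (utc, src)
        last[site] = utc
    shared = {src for src, sites in seen_at.items() if len(sites) > 1}
    return onset, shared
```

Run against the samples, `correlate(SAMPLE_LOGS)` puts both sites' onset within five seconds of each other at 05:29 UTC on Jan 25 and flags 61.103.121.140 as a source that hit both networks.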




