Tracing where it started
Brian Coyle
brian at linuxwidows.com
Sun Jan 26 01:52:30 UTC 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Saturday 25 January 2003 17:32, Travis Pugh wrote:
[snip]
> Ditto on the sequential scan well before the actual action, except
> that mine came on Jan. 19th:
>
> Jan 19 10:59:11 Deny inbound UDP from 67.8.33.179/1 to xxx.xxx.xxx.xxx

I have a similar packet (but only one) from the same host (time is ntp sync'd
EST).

Jan 20 12:55:47 firewall kernel: Packet log: input - ppp0 PROTO=17
67.8.33.179:1 65.83.153.253:1434 L=29 S=0x00 I=20300 F=0x0000 T=110 (#23)

> The scan went across several subnets I manage inside 209.67.0.0
> serially. My sources were all from 67.8.33.179, all source port 1.
> The actual worm propagation began to hit my logs at 00:28:16 EST Jan
> 25.
>

My first worm packet-

Jan 25 00:32:52 firewall kernel: Packet log: input - ppp0 PROTO=17
131.128.163.118:1631 65.83.153.253:1434 L=404 S=0x00 I=2610 F=0x0000 T=113
(#23)

and continued until

Jan 25 11:48:44 firewall kernel: Packet log: input - ppp0 PROTO=17
151.99.167.133:30725 65.83.153.253:1434 L=404 S=0x00 I=2 F=0x0000 T=111 (#23)

when BS.N apparently shut down 1434.
- --
Redundancy? You can say that again!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Brian Coyle, GCIA http://www.giac.org/GCIA.php
iD8DBQE+Mz9gER3MuHUncBsRAuG3AJ0Xzd+QiDeX6LKHX4frfRF40xJK8gCfUgXw
g7uoFXH2N72uwLudo2OuvpI=
=Kw/8
-----END PGP SIGNATURE-----
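
An added example, not part of the original message: Python that parses ipchains "Packet log:" lines like the ones above and separates the single short datagram (L=29) from the 404-byte worm packets sent to 1434/udp. The sample lines are the three from the message with their wrapped halves rejoined; the class names and the short-probe cut-off are assumptions made for this example.

```python
import re
# Fields of an ipchains "Packet log:" kernel line; L= is the IP datagram length.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: Packet log: \S+ \S+ \S+ "
    r"PROTO=(?P<proto>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+L=(?P<length>\d+)"
)
UDP, SQL_PORT = 17, 1434   # protocol and destination port seen in the message
HEADERS = 20 + 8           # assumes an option-free IPv4 header plus UDP header
WORM_LENGTH = 404          # L= of the worm packets quoted in the message
PROBE_MAX_PAYLOAD = 8      # assumed cut-off for a "short probe" (hypothetical)
# The three log lines from the message, wrapped halves rejoined.
SAMPLE = [
    "Jan 20 12:55:47 firewall kernel: Packet log: input - ppp0 PROTO=17 "
    "67.8.33.179:1 65.83.153.253:1434 L=29 S=0x00 I=20300 F=0x0000 T=110 (#23)",
    "Jan 25 00:32:52 firewall kernel: Packet log: input - ppp0 PROTO=17 "
    "131.128.163.118:1631 65.83.153.253:1434 L=404 S=0x00 I=2610 F=0x0000 T=113 (#23)",
    "Jan 25 11:48:44 firewall kernel: Packet log: input - ppp0 PROTO=17 "
    "151.99.167.133:30725 65.83.153.253:1434 L=404 S=0x00 I=2 F=0x0000 T=111 (#23)",
]

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
    rec["payload"] = rec["length"] - HEADERS   # UDP payload bytes
    return rec

def classify(rec):
    if rec is None or rec["proto"] != UDP or rec["dport"] != SQL_PORT:
        return "other"               # not a UDP datagram to port 1434
    if rec["length"] == WORM_LENGTH:
        return "worm-size"           # same length as the quoted worm packets
    if 0 <= rec["payload"] <= PROBE_MAX_PAYLOAD:
        return "short-probe"         # e.g. the 1-byte payload in the L=29 line
    return "unclassified-1434"

def summarize(lines):
    """Group (timestamp, source, source port, payload bytes) by label."""
    groups = {}
    for rec in filter(None, map(parse, lines)):
        hit = (rec["ts"], rec["src"], rec["sport"], rec["payload"])
        groups.setdefault(classify(rec), []).append(hit)
    return groups

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The quoted "Deny inbound UDP" line comes from a different firewall's log format, so parse() returns None for it and it is left out of the summary.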
More information about the NANOG mailing list