Tracing where it started
George Bakos
gbakos at ists.dartmouth.edu
Mon Jan 27 09:46:29 UTC 2003
Graphs of our observances are available at:
http://people.ists.dartmouth.edu/~gbakos/sapphire
Here's the earliest port 1434 probe that I find. Local times are EST. Pay
no attention to the port 123 business; I like to include ntp with my dumps
to facilitate correlation:
[root at bunta hpot]# tcpslice 1041153985 1041154648 ../tcpdump.1041060689 | tcpdump -ttttnr - port 1434 or port 123 or port 53
12/29/2002 09:26:25.248240 140.162.8.25.123 > 64.222.84.217.123: v4 server strat 2 poll 10 prec -16 (DF) [tos 0x10]
12/29/2002 09:37:23.203055 216.150.155.11.53 > 64.222.84.217.1434: [|domain]
And the dump:
12/29/2002 09:37:23.203055 216.150.155.11.53 > 64.222.84.217.1434: [|domain]
4500 0021 c8ef 0000 7b11 6d83 d896 9b0b
40de 54d9 0035 059a 000d eeab 0200 0000
00
I ran through packet logs from several networks starting Dec 1. This is
the earliest I can find. As indicated above, there was certainly no prior
dns request.
Just for poops & snickers, let's have a peek at 216.150.155.11, shall we?
NetRange: 216.150.150.0 - 216.150.157.255
CIDR: 216.150.150.0/23, 216.150.152.0/22, 216.150.156.0/23
NetName: EASYCGI-150-157
NetHandle: NET-216-150-150-0-1
Parent: NET-216-150-128-0-1
NetType: Reassigned
NameServer: NS1.EASY-CGI.COM
NameServer: NS2.EASY-CGI.COM
Comment:
RegDate: 2002-06-19
Updated: 2002-08-08
[gbakos at lt1 gbakos]$ nc 216.150.155.11 80
GET / HTTP/1.0
HTTP/1.0 404 Not Found
Server: Microsoft-IIS/5.0
Date: Mon, 27 Jan 2003 03:38:32 GMT
Content-Type: text/html
Content-Length: 111
Age: 440
X-Cache: HIT from bunta.alpinista.dyndns.org
Connection: close
<html><head><title>Site Not Found</title></head>
<body>No web site is configured at this address.</body></html>
Why doesn't this surprise me? Anyone want to run this guy down and apply
the "sucker rod" section of syslogd(8) ?
On Sun, 26 Jan 2003 09:11:11 -0800
John Sage <jsage at finchhaven.com> wrote:
> Tom et al:
>
> On Sat, Jan 25, 2003 at 09:59:42PM -0500, tom glaab wrote:
> > Johannes Ullrich wrote:
> >
> > >wow... excellent catch. here is some data I have:
> > >
> >
> > Hmmm...
> >
> > I first see 67.8.33.179 on 20 January:
>
> <snippage>
>
> > But found my first (and only, prior to 20 Jan) hits on udp/1434 much
> > earlier:
> >
> > Dec 29 06:32:36 chopper kernel: Packet log: input DENY eth0 PROTO=17
> > 12.10.144.249:53 x.y.z.83:1434 L=33 S=0x00 I=38557 F=0x0000 T=108 (#1303)
> > Dec 29 06:32:36 chopper kernel: Packet log: input DENY eth0 PROTO=17
> > 12.10.144.249:53 x.y.z.84:1434 L=33 S=0x00 I=63999 F=0x0000 T=108 (#1303)
> > Dec 29 06:32:36 chopper kernel: Packet log: input DENY eth0 PROTO=17
> > 12.10.144.249:53 x.y.z.85:1434 L=33 S=0x00 I=12853 F=0x0000 T=108 (#1303)
> > Dec 29 06:32:36 chopper kernel: Packet log: input DENY eth0 PROTO=17
> > 12.10.144.249:53 x.y.z.86:1434 L=33 S=0x00 I=61180 F=0x0000 T=108 (#1303)
>
> I'm betting the dlen=33 is this:
>
> Generated by ACID v0.9.6b21 on Sun January 26, 2003 08:53:59
> ------------------------------------------------------------------------------
> #(458 - 93) [2002-10-16 13:16:44] UDP inbound to 1434 MS SQL monitor
> IPv4: 217.226.25.204 -> 12.82.130.126
> hlen=5 TOS=0 dlen=33 ID=1541 flags=0 offset=0 TTL=115 chksum=48968
> UDP: port=53 -> dport: 1434 len=13
> Payload: length = 5
>
> 000 : 02 00 00 00 00 .....
> ------------------------------------------------------------------------------
> #(524 - 103) [2002-11-20 01:03:39] UDP inbound to 1434 MS SQL monitor
> IPv4: 80.128.175.135 -> 12.82.141.35
> hlen=5 TOS=0 dlen=33 ID=57947 flags=0 offset=0 TTL=116 chksum=51955
> UDP: port=53 -> dport: 1434 len=13
> Payload: length = 5
>
> 000 : 02 00 00 00 00 .....
> ------------------------------------------------------------------------------
>
> This is all I've got with src port = 53 AND dst port = 1434
>
>
> - John
> --
> Has the preparation
> of your heart been ready?
> Almost, calm down.
>
> PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
--
George Bakos
Institute for Security Technology Studies
Dartmouth College
gbakos at ists.dartmouth.edu
voice 603-646-0665
fax 603-646-0666
Key fingerprint = D646 8F91 F795 27EC FF8B 8C95 B102 9EB2 081E CB85
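As an added example (not part of George's post or of anything in the quoted thread): a small Python decoder for the hex dump shown above. It recovers the same fields the kernel "Packet log" lines and the ACID alerts record (source/destination, ports, IP total length 33, ID, TTL, UDP length 13, 5-byte payload), verifies both the IPv4 and UDP checksums so the dump can be trusted as a real on-the-wire packet, and applies the match both correspondents were filtering on: UDP from source port 53 to destination port 1434 in a 33-byte datagram. The dump bytes are copied from the post; the predicate is my formulation of that filter, and the code asserts nothing about what the 0x02 payload byte means.

```python
import struct

# Hex dump copied from the post above: IPv4 header (20 bytes) + UDP header (8 bytes)
# + 5-byte payload = 33 bytes, matching L=33 in the kernel log and dlen=33 in ACID.
SAPPHIRE_PROBE_HEX = """
4500 0021 c8ef 0000 7b11 6d83 d896 9b0b
40de 54d9 0035 059a 000d eeab 0200 0000
00
"""


def hex_dump_to_bytes(dump):
    """Turn a tcpdump -x style hex dump into raw bytes (tolerates any whitespace)."""
    return bytes.fromhex("".join(dump.split()))


def ones_complement_sum(data):
    """RFC 1071 Internet checksum over 16-bit big-endian words; odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_udp(pkt):
    """Decode IPv4 + UDP headers and validate both checksums.

    Returns the fields a firewall log or IDS alert would record, so the result can be
    compared directly with the kernel 'Packet log' and ACID entries quoted in the thread.
    """
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, ip_csum = struct.unpack(
        "!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    if proto != 17:
        raise ValueError("not UDP (protocol %d)" % proto)
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])

    # IP header checksum: recompute with the checksum field zeroed.
    hdr = bytearray(pkt[:ihl])
    hdr[10:12] = b"\x00\x00"
    ip_csum_ok = ones_complement_sum(bytes(hdr)) == ip_csum

    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    udp_segment = pkt[ihl:ihl + udp_len]
    payload = udp_segment[8:]

    # UDP checksum covers pseudo-header (src, dst, zero, proto, UDP length),
    # the UDP header with its checksum field zeroed, and the payload.
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, udp_len)
    zeroed = bytearray(udp_segment)
    zeroed[6:8] = b"\x00\x00"
    udp_csum_ok = udp_csum == 0 or ones_complement_sum(pseudo + bytes(zeroed)) == udp_csum

    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "ip_len": total_len, "ip_id": ident, "ttl": ttl,
        "udp_len": udp_len, "payload": payload,
        "ip_csum_ok": ip_csum_ok, "udp_csum_ok": udp_csum_ok,
    }


def is_1434_from_53_probe(fields):
    """The pattern both correspondents pulled from their logs: UDP, source port 53,
    destination port 1434, 33-byte IP datagram carrying a 5-byte payload that begins 0x02.
    Source port 53 matters operationally because stateless filters that admit DNS replies
    let it through; the payload byte's meaning is deliberately not asserted here.
    """
    return (fields["sport"] == 53 and fields["dport"] == 1434
            and fields["ip_len"] == 33 and len(fields["payload"]) == 5
            and fields["payload"][0] == 0x02)


if __name__ == "__main__":
    f = parse_ipv4_udp(hex_dump_to_bytes(SAPPHIRE_PROBE_HEX))
    print("%s:%d > %s:%d id=%d ttl=%d len=%d payload=%s ipcsum_ok=%s udpcsum_ok=%s probe=%s" % (
        f["src"], f["sport"], f["dst"], f["dport"], f["ip_id"], f["ttl"], f["ip_len"],
        f["payload"].hex(), f["ip_csum_ok"], f["udp_csum_ok"], is_1434_from_53_probe(f)))
```

Both checksums in the posted dump verify, which is the check worth doing before reasoning about a captured packet's provenance; a single flipped payload byte makes the UDP checksum fail while the IP header checksum still passes, since the IP checksum covers only the header.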