Educause Security Discussion mailing list archives
Re: Any ideas?
From: Paul Dokas <dokas () CS UMN EDU>
Date: Mon, 19 Jan 2004 23:12:32 -0600
On Mon, 19 Jan 2004 22:20:04 -0600, Paul Dokas <dokas () CS UMN EDU> wrote:
> On Mon, 19 Jan 2004 16:27:15 -0500, "Piscitello, Frank" <frank () WCUPA EDU> wrote:
> > I have what I'm assuming is a worm/scanner that is attempting to connect to 68.202.199.235 on port 6667. The mystery is that the source IP seems to be every address on my one student subnet. The IP packet is 60 bytes and the Frame is 74 bytes. There is no actual data. Any ideas?
> > -Frank
>
> Spoofed SYN flood. I know because I've got one in my dorms that's attacking random cable modems even as I type this. I also had a large outbound SYN flood against 68.202.199.235 earlier tonight. I'm still attempting to track down the offending host on my network.
> Paul
Following up my own email. I found the machine that was the source of about 6 hours' worth of SYN floods tonight. Here's an NMAP:

    (The 65526 ports scanned but not shown below are in state: closed)
    PORT      STATE SERVICE      VERSION
    135/tcp   open  msrpc        Microsoft Windows msrpc
    139/tcp   open  netbios-ssn
    445/tcp   open  microsoft-ds Microsoft Windows XP microsoft-ds
    559/tcp   open  teedtap
    1025/tcp  open  msrpc        Microsoft Windows msrpc
    5000/tcp  open  upnp         Microsoft Windows UPnP
    13614/tcp open  unknown
    Device type: general purpose
    Running: Microsoft Windows 95/98/ME|NT/2K/XP
    OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP

Neither 559/TCP nor 13614/TCP responded in any appreciable way when poked.

To find this machine, I had to resort to downing each IP address on the subnet and checking to see if the traffic went away.

I cannot find any obvious method of communication that this host might have been involved in that triggered the DoS attacks. The only guess that I've got at this time is a bunch of inbound SYN packets to 1286/TCP on this machine and corresponding RST packets (possibly a heartbeat?)

Paul
--
Paul Dokas dokas () cs umn edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
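An added detection example (not from Paul's or Frank's mail) for the pattern described in this thread: empty 60-byte SYNs to one destination/port whose source addresses walk across the whole student subnet. The first function flags that pattern; the second uses the Ethernet source address, which a capture taken on the student VLAN itself still shows and which such floods normally leave unforged (an assumption), to point at the single NIC claiming many IPs instead of downing addresses one at a time. The packet summaries, MACs and the 10.20.3.0/24 subnet are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed per-packet summaries (not captured from the original thread):
# src_mac, src_ip, dst_ip, dst_port, tcp_flags, ip_len, payload_len.
# One NIC (00:11:22:33:44:55) emits bare SYNs whose source IPs are spread
# across the student subnet; two other hosts carry ordinary traffic.
SAMPLE_PACKETS = [
    ("00:11:22:33:44:55", "10.20.3.17",  "68.202.199.235", 6667, "S",  60,  0),
    ("00:11:22:33:44:55", "10.20.3.201", "68.202.199.235", 6667, "S",  60,  0),
    ("00:11:22:33:44:55", "10.20.3.88",  "68.202.199.235", 6667, "S",  60,  0),
    ("00:11:22:33:44:55", "10.20.3.142", "68.202.199.235", 6667, "S",  60,  0),
    ("00:11:22:33:44:55", "10.20.3.9",   "68.202.199.235", 6667, "S",  60,  0),
    ("aa:bb:cc:dd:ee:01", "10.20.3.50",  "192.0.2.10",     80,   "S",  60,  0),
    ("aa:bb:cc:dd:ee:01", "10.20.3.50",  "192.0.2.10",     80,   "PA", 512, 460),
    ("aa:bb:cc:dd:ee:02", "10.20.3.51",  "198.51.100.7",   443,  "S",  60,  0),
]

STUDENT_SUBNET = ip_network("10.20.3.0/24")  # assumed local student subnet

def find_spoofed_syn_floods(packets, subnet, min_sources=4):
    """Return {(dst_ip, dst_port): [source IPs]} for destinations that receive
    payload-less SYNs from at least `min_sources` distinct addresses in `subnet`.
    Legitimate hosts open connections from one address; a flood walks the subnet."""
    sources = defaultdict(set)
    for _mac, src, dst, dport, flags, _ip_len, payload in packets:
        if flags == "S" and payload == 0 and ip_address(src) in subnet:
            sources[(dst, dport)].add(src)
    return {key: sorted(ips, key=ip_address)
            for key, ips in sources.items() if len(ips) >= min_sources}

def suspect_macs(packets, min_ips=2):
    """Map each Ethernet source address to the IPs it has claimed and return
    those claiming `min_ips` or more. Only meaningful for a capture on the
    same L2 segment (behind a router every frame carries the router's MAC),
    and it assumes the flooding host forges IP but not its own MAC."""
    claimed = defaultdict(set)
    for mac, src, *_rest in packets:
        claimed[mac].add(src)
    return {mac: sorted(ips, key=ip_address)
            for mac, ips in claimed.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    print(find_spoofed_syn_floods(SAMPLE_PACKETS, STUDENT_SUBNET))
    print(suspect_macs(SAMPLE_PACKETS))
```

With the constructed data only the 68.202.199.235:6667 flow and the single spoofing NIC are reported; the two ordinary hosts are ignored.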
Current thread:
- Any ideas? Piscitello, Frank (Jan 19)
- <Possible follow-ups>
- Re: Any ideas? Cam Beasley, ISO (Jan 19)
- Re: Any ideas? Christopher Condie (Jan 19)
- Re: Any ideas? Piscitello, Frank (Jan 19)
- Re: Any ideas? Matthew Keller (Jan 19)
- Re: Any ideas? Clyde Hoadley (Jan 19)
- Re: Any ideas? Piscitello, Frank (Jan 19)
- Re: Any ideas? Cam Beasley, ISO (Jan 19)
- Re: Any ideas? Paul Dokas (Jan 19)
- Re: Any ideas? Paul Dokas (Jan 19)