Security Incidents mailing list archives
Re: traceroute ICMP packets
From: lurker () ITIS COM (M J)
Date: Tue, 4 Jan 2000 19:25:42 -0000
Greetings. Recently I have noticed a great deal of activity similar to this as well from a number of sources. Here's some snips from my PIX log. Anyone have ideas what they may be trying to accomplish? (Identify routers?) What makes me nervous is that they somehow found the address to my internal interface and this is where they are focusing their efforts.

Jan 3 03:12:57 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33474
Jan 3 03:12:59 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33469
Jan 3 03:13:02 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33475
Jan 3 03:13:04 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33470
Jan 3 03:13:07 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33476
Jan 3 03:13:09 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33471

Here's some of the addresses constantly banging away at us.

198.170.164.3, 206.86.106.3, 212.36.169.97, 193.173.76.2, 195.54.95.3, 168.143.224.18, 195.8.99.162, 194.133.52.3, 212.23.226.3, 212.121.130.40, 193.127.46.2, 193.65.199.3, 203.79.87.3

- and there's plenty more where that came from if anyone is interested. Again - if anyone has any insight as to what may be going on please let me know. Thank you all for your time.

-Matthew

Hello,

My Linux box has recently logged some traceroute ICMP packets. Of course, I did not traceroute these hosts. (Packets from hosts between my computer and the source IPs are missing as well.) Do you have any idea what this can be?

Here are the (ipchains) logs: (x.y.u.v is the IP address of myhost)

Jan 3 15:29:54 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1 167.216.136.2:11 x.y.u.v:0 L=56 S=0xC0 I=21545 F=0x0000 T=247
Jan 3 15:30:07 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1 212.59.199.41:11 x.y.u.v:0 L=56 S=0x00 I=3106 F=0x0000 T=237
Jan 3 15:30:16 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1 212.59.199.41:11 x.y.u.v:0 L=56 S=0x00 I=3124 F=0x0000 T=237
Jan 3 15:30:23 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1 167.216.136.2:11 x.y.u.v:0 L=56 S=0xC0 I=21986 F=0x0000 T=247
... (more packets from these hosts with similar delays between them)

Laszlo
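The two posts above show the two halves of a UDP traceroute from opposite ends. On the PIX, each source hits consecutive destination ports in the 33434-and-up range from one fixed source port, which is how classic UNIX traceroute numbers its probes. On the Linux box, ipchains logs ICMP as "src:type dst:code", so "167.216.136.2:11 x.y.u.v:0" is type 11 code 0, TTL exceeded in transit; routers send that message only to the source address of the packet that expired, so receiving it without having sent any probes means the probes carried the box's address. The script below is an added example written for this page, not code posted by either author. It parses both log formats and flags the traceroute pattern. The sample lines are constructed from the ones in the posts, with 192.0.2.10 standing in for the obfuscated local address; the hop and distance estimates assume traceroute's default of three probes per hop starting at port 33434 and routers that originate ICMP with an initial TTL of 255, both of which are assumptions rather than anything the posts state.

```python
import re
from collections import defaultdict

# Classic UNIX traceroute sends UDP probes to destination ports starting at
# 33434, one port per probe, all from a single fixed source port.
TRACEROUTE_BASE_PORT = 33434
TRACEROUTE_MAX_PORT = TRACEROUTE_BASE_PORT + 3 * 30  # 3 probes x 30 hops (defaults)
PROBES_PER_HOP = 3          # assumption: traceroute default (-q 3)
ICMP_TIME_EXCEEDED = 11     # ICMP type 11, code 0 = TTL exceeded in transit
ROUTER_INITIAL_TTL = 255    # assumption: routers originate ICMP with TTL 255

PIX_UDP_RE = re.compile(r"Deny inbound UDP from (\S+)/(\d+) to (\S+)/(\d+)")
# ipchains logs ICMP as "src:type dst:code"; T= is the packet's remaining TTL.
IPCHAINS_ICMP_RE = re.compile(r"PROTO=1 (\S+):(\d+) (\S+):(\d+) .*\bT=(\d+)")

# Constructed sample lines modelled on the two posts; 192.0.2.10 stands in for
# the obfuscated local address. The last line of each set is unrelated traffic
# included to show that it is ignored.
PIX_SAMPLE = """\
Jan 3 03:12:57 %PIX-: Deny inbound UDP from 216.52.58.2/39933 to 192.0.2.10/33474
Jan 3 03:12:59 %PIX-: Deny inbound UDP from 140.239.162.2/40168 to 192.0.2.10/33469
Jan 3 03:13:02 %PIX-: Deny inbound UDP from 216.52.58.2/39933 to 192.0.2.10/33475
Jan 3 03:13:04 %PIX-: Deny inbound UDP from 140.239.162.2/40168 to 192.0.2.10/33470
Jan 3 03:13:07 %PIX-: Deny inbound UDP from 216.52.58.2/39933 to 192.0.2.10/33476
Jan 3 03:13:09 %PIX-: Deny inbound UDP from 140.239.162.2/40168 to 192.0.2.10/33471
Jan 3 03:14:00 %PIX-: Deny inbound UDP from 198.51.100.7/1024 to 192.0.2.10/161
""".splitlines()

IPCHAINS_SAMPLE = """\
Jan 3 15:29:54 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1 167.216.136.2:11 192.0.2.10:0 L=56 S=0xC0 I=21545 F=0x0000 T=247
Jan 3 15:30:07 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1 212.59.199.41:11 192.0.2.10:0 L=56 S=0x00 I=3106 F=0x0000 T=237
Jan 3 15:30:16 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1 212.59.199.41:11 192.0.2.10:0 L=56 S=0x00 I=3124 F=0x0000 T=237
Jan 3 15:30:23 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1 167.216.136.2:11 192.0.2.10:0 L=56 S=0xC0 I=21986 F=0x0000 T=247
Jan 3 15:31:00 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1 198.51.100.9:0 192.0.2.10:0 L=84 S=0x00 I=7 F=0x0000 T=55
""".splitlines()


def parse_pix_udp(line):
    m = PIX_UDP_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def parse_ipchains_icmp(line):
    m = IPCHAINS_ICMP_RE.search(line)
    if not m:
        return None
    src, itype, dst, code, ttl = m.groups()
    return {"src": src, "type": int(itype), "dst": dst,
            "code": int(code), "ttl": int(ttl)}


def udp_traceroute_sources(lines):
    """Group PIX UDP denies by (source IP, source port). Destination ports that
    climb through the traceroute range from one source port are the probes of
    a traceroute whose packets reached this interface."""
    seen = defaultdict(list)
    for line in lines:
        p = parse_pix_udp(line)
        if p and TRACEROUTE_BASE_PORT <= p["dport"] <= TRACEROUTE_MAX_PORT:
            seen[(p["src"], p["sport"])].append(p["dport"])
    found = {}
    for (src, sport), ports in seen.items():
        if len(ports) >= 2 and all(b > a for a, b in zip(ports, ports[1:])):
            # Hop the first logged probe was aimed at, under default settings.
            hop = (ports[0] - TRACEROUTE_BASE_PORT) // PROBES_PER_HOP + 1
            found[src] = {"sport": sport, "ports": (ports[0], ports[-1]),
                          "approx_hop": hop}
    return found


def unsolicited_time_exceeded(lines):
    """ICMP time-exceeded goes only to the source address of the expired
    packet, so receiving one for a probe we never sent means someone else's
    probes carried our address. Report each router and its rough distance,
    derived from the remaining TTL."""
    found = []
    for line in lines:
        p = parse_ipchains_icmp(line)
        if p and p["type"] == ICMP_TIME_EXCEEDED:
            found.append({"router": p["src"], "code": p["code"],
                          "approx_distance": ROUTER_INITIAL_TTL - p["ttl"]})
    return found


if __name__ == "__main__":
    for src, info in udp_traceroute_sources(PIX_SAMPLE).items():
        print(f"UDP traceroute from {src} (sport {info['sport']}): ports "
              f"{info['ports'][0]}-{info['ports'][1]}, ~hop {info['approx_hop']}")
    for hit in unsolicited_time_exceeded(IPCHAINS_SAMPLE):
        print(f"ICMP time-exceeded from {hit['router']}, "
              f"~{hit['approx_distance']} hops away")
```

Run against the constructed PIX lines, the script reports both sources as traceroutes, the first probe from 216.52.58.2 aimed at roughly hop 14 and the first from 140.239.162.2 at roughly hop 12, and ignores the unrelated UDP/161 deny; against the ipchains lines it reports the two routers at roughly 8 and 18 hops and ignores the echo reply. The distance figures are only as good as the TTL assumption, and real logs may drop probes, so the check requires only that ports rise rather than that they be strictly consecutive.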
Current thread:
- Ports 25092 / 20869, (continued)
- Ports 25092 / 20869 Vanja Hrustic (Jan 04)
- Re: Ports 25092 / 20869 Robert Graham (Jan 04)
- port 1150 and 4833 ? Kim R. Rasmussen (Jan 04)
- Re: port 1150 and 4833 ? Frameloss, Frameloss (Jan 10)
- Re: port 119 R a v e N (Jan 05)
- Re: port 119 Scott Laws (Jan 04)
- Writeup: it. TLD going astray Arrigo Triulzi (Jan 03)
- Computer Forsenics System Administrator (Jan 03)
- Re: Computer Forsenics-> www.fish.com/forensics mike (Jan 03)
- traceroute ICMP packets Laszlo Fabian (Jan 04)
- Re: traceroute ICMP packets M J (Jan 04)
- Re: traceroute ICMP packets Larry Canup (Jan 18)
- Re: ICMP time exceed in-transit packets Paul Cardon (Jan 02)
- Re: Port Scan on 371... Etaoin Shrdlu (Jan 02)
- Re: Port Scan on 371... Christopher Wilson (Jan 02)
- correlation between porscans and local activity Thomas Molina (Jan 02)
- Re: correlation between porscans and local activity Sean Sosik-Hamor (Jan 03)
- ADMROCKS McNab, Chris (Jan 03)