Security Incidents mailing list archives
attack
From: Tommy Axelsson <toaxe () THALAMUS SE>
Date: Thu, 7 Sep 2000 08:19:40 +0200
Hello

A couple of days ago we had an incident that forced us to reboot our server that also works as a gateway. We are running Linux 6.2 and are using ip-masquerading and squid.

First we had an unusual amount of icmp echo requests. Then there was a lot of udp datagrams of which only a few are shown below. The first batch of packets all came from dial-up connections. The second batch mostly came from addresses in Korea.

Sep 3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from cx159639-a.irvn1.occa.home.com:13139 (32 data bytes)
Sep 3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-216.jewel-puffer.dialup.pol.co.uk:13139 (32 data bytes)
Sep 3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-171.imperator-angel.dialup.pol.co.uk:13139 (32 data bytes)
Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from lph2-2ac.twcny.rr.com:13139 (32 data bytes)
Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from pec-52-211.tnt1.b2.uunet.de:13139 (32 data bytes)
Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-51.lemonpeel-angel.dialup.pol.co.uk:13139 (32 data bytes)
Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from nas-33-196.stockton.navipath.net:13139 (32 data bytes)
Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from 223-ALIC-X8.libre.retevision.es:13139 (32 data bytes)
Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from user35-67.jakinternet.co.uk:13139 (32 data bytes)
Sep 3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-250.blue-streak-damsel.dialup.pol.co.uk:13139 (32 data bytes)
Sep 3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from sy-as-08-167.free.net.au:13139 (32 data bytes)
Sep 3 13:09:20 gw iplog[3265]: UDP: dgram to gw:port 13139 from stargate238-55.salzburg-online.at:13139 (32 data bytes)

Sep 3 16:50:08 gw iplog[6019]: UDP: dgram to gw:port 28800 from ip238.kjnxr3.ras.tele.dk:28800 (4 data bytes)
Sep 3 16:51:02 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.169.161.39:28800 (4 data bytes)
Sep 3 16:51:04 gw iplog[6019]: UDP: dgram to gw:port 28800 from s210-219-151-19.thrunet.ne.kr:28800 (4 data bytes)
Sep 3 16:51:06 gw iplog[6019]: UDP: dgram to gw:port 28800 from s210-205-134-190.thrunet.ne.kr:28800 (4 data bytes)
Sep 3 16:51:10 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.110.18.217:28800 (4 data bytes)
Sep 3 16:51:15 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.38.104.212:28800 (4 data bytes)
Sep 3 16:51:27 gw iplog[6019]: UDP: dgram to gw:port 28800 from 210.182.122.45:28800 (4 data bytes)
Sep 3 16:51:29 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.58.34.139:28800 (4 data bytes)
Sep 3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from 210.207.24.168:28800 (4 data bytes)
Sep 3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from cr357836-a.flfrd1.on.wave.home.com:28800 (4 data bytes)
Sep 3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.200.19.78:28800 (4 data bytes)
Sep 3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from ip66.portland8.or.pub-ip.psi.net:28800 (4 data bytes)
Sep 3 16:51:38 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.118.14.251:28800 (4 data bytes)
Sep 3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from 210.113.82.165:28800 (4 data bytes)
Sep 3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.176.7.151:28800 (4 data bytes)

Anyone who knows what this could be?

Regards
Tommy Axelsson
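Added example (not part of the original post): one way to triage iplog UDP entries like those above is to group them by destination port and count distinct sources, payload sizes, packets whose source port equals the destination port, and the time span. The function name summarize_udp, the year argument and the sample lines are assumptions made for this example; the sample input is constructed and uses documentation-range hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# iplog UDP line layout, as it appears in the post above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+iplog\[\d+\]:\s+"
    r"UDP: dgram to \S+?:port (?P<dport>\d+) "
    r"from (?P<src>\S+):(?P<sport>\d+) \((?P<size>\d+) data bytes\)"
)

# Constructed sample input (documentation-range hosts), not lines from the post.
SAMPLE = [
    "Sep 3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from host-a.example.net:13139 (32 data bytes)",
    "Sep 3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from host-b.example.org:13139 (32 data bytes)",
    "Sep 3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from host-a.example.net:13139 (32 data bytes)",
    "Sep 3 16:51:02 gw iplog[6019]: UDP: dgram to gw:port 28800 from 192.0.2.39:28800 (4 data bytes)",
    "Sep 3 16:51:10 gw iplog[6019]: UDP: dgram to gw:port 28800 from 198.51.100.7:28800 (4 data bytes)",
    "Sep 3 16:51:12 gw kernel: unrelated line that the parser must skip",
]

def summarize_udp(lines, year=2000):
    """Per destination port: packet count, distinct sources, payload sizes,
    packets whose source port equals the destination port, and time span."""
    acc = defaultdict(lambda: {"n": 0, "src": set(), "sizes": set(), "same": 0, "ts": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an iplog UDP datagram entry
        p = acc[int(m["dport"])]
        p["n"] += 1
        p["src"].add(m["src"].lower())
        p["sizes"].add(int(m["size"]))
        p["same"] += m["sport"] == m["dport"]
        # syslog timestamps carry no year, so the caller supplies one
        stamp = f"{year} {' '.join(m['ts'].split())}"
        p["ts"].append(datetime.strptime(stamp, "%Y %b %d %H:%M:%S"))
    return {
        port: {
            "packets": p["n"],
            "distinct_sources": len(p["src"]),
            "payload_sizes": sorted(p["sizes"]),
            "same_src_dst_port": p["same"],
            "span_seconds": (max(p["ts"]) - min(p["ts"])).total_seconds(),
        }
        for port, p in acc.items()
    }

if __name__ == "__main__":
    for port, row in sorted(summarize_udp(SAMPLE).items()):
        print(port, row)
```

A single payload size from many distinct sources, with source port equal to destination port, suggests that the senders are all running the same client software.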
Current thread:
- attack Tommy Axelsson (Sep 07)
- Re: attack Randy Mclean (Sep 07)
- Re: attack Keith R. Jarvis (Sep 07)
- Re: attack Terry Bunch (Sep 07)