Security Incidents mailing list archives

Re: Code red probe followed by udp port 10x


From: Paul Gear <paulgear () bigfoot com>
Date: Thu, 02 Aug 2001 10:47:59 +1000

I've seen quite a few similar probes, but always on 1025.  Previously
I have found information that suggests that this is a Windows NT RPC
service.

My log entries look like this:
Aug  1 16:23:13 ### kernel: Packet log: input DENY ppp0 PROTO=17 65.4.247.60:1158 ###:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)

I've only ever had one such probe before, but yesterday I got around
20 total, from diverse networks (home.com, kornet.net, hinet.net,
chinanet.cn.net, etc.).

However, I can't see any direct correlation with Code Red - I got 56
probes from Code Red on 20 July, then nothing until today (2 August,
GMT+1000 timezone) - 24 of them so far.  Is someone perhaps trying to
hide some other probe activity in Code Red's traffic?

Paul
http://paulgear.webhop.net
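The question above (are the UDP/1025 hits from many distinct sources, and do they land on the same days as the Code Red TCP/80 hits?) is easy to answer mechanically from the ipchains "Packet log:" format the post shows. The following is an added example and not the poster's own code: it parses lines in that format, counts hits per day, protocol and destination port, lists the distinct source addresses behind each, and reports the days on which both TCP/80 and UDP/1025 probes were logged. The log lines are constructed for the example (hostname "gw", destination 192.0.2.1 from the documentation range, invented times and sources); only the one line quoted in the post is real.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the ipchains "Packet log:" format quoted in the post.
# Hostnames, times and most addresses are invented; 192.0.2.0/24 and 203.0.113.0/24
# are documentation ranges. PROTO=6 is TCP, PROTO=17 is UDP.
SAMPLE_LOG = """\
Jul 20 09:12:01 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:3201 192.0.2.1:80 L=48 S=0x00 I=1001 F=0x4000 T=112 (#40)
Jul 20 09:12:05 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4410 192.0.2.1:80 L=48 S=0x00 I=1002 F=0x4000 T=108 (#40)
Aug  1 16:23:13 gw kernel: Packet log: input DENY ppp0 PROTO=17 65.4.247.60:1158 192.0.2.1:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)
Aug  1 16:40:02 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.22:1043 192.0.2.1:1025 L=37 S=0x00 I=3 F=0x0000 T=120 (#66)
Aug  1 17:02:44 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.80:2210 192.0.2.1:80 L=48 S=0x00 I=51 F=0x4000 T=110 (#40)
Aug  1 17:03:10 gw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.22:1044 192.0.2.1:1025 L=37 S=0x00 I=4 F=0x0000 T=120 (#66)
"""

# One ipchains log line: syslog timestamp, host, then the packet fields.
# L= is the total IP length, S= the TOS byte, I= the IP id, F= the fragment
# field, T= the TTL, and (#n) the number of the rule that matched.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)


def parse_log(text):
    """Parse every 'Packet log:' line in text; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Normalise "Aug  1" and "Aug 1" to the same day key.
        rec["date"] = f"{rec['mon']} {int(rec['day'])}"
        for key in ("proto", "sport", "dport", "len", "ttl"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def probe_summary(records):
    """Map (date, proto, dport) -> (hit count, sorted distinct source addresses)."""
    hits = Counter()
    sources = defaultdict(set)
    for r in records:
        key = (r["date"], r["proto"], r["dport"])
        hits[key] += 1
        sources[key].add(r["src"])
    return {k: (hits[k], sorted(sources[k])) for k in hits}


def same_day_overlap(summary, port_a=(6, 80), port_b=(17, 1025)):
    """Dates on which both TCP/80 (Code Red style) and UDP/1025 probes appear."""
    dates_a = {d for (d, p, port) in summary if (p, port) == port_a}
    dates_b = {d for (d, p, port) in summary if (p, port) == port_b}
    return sorted(dates_a & dates_b)


def udp_payload_length(rec):
    """UDP payload bytes implied by L=, assuming a 20-byte IPv4 header (no options)
    plus the 8-byte UDP header. Returns None for non-UDP records."""
    if rec["proto"] != 17:
        return None
    return rec["len"] - 20 - 8


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, (count, srcs) in sorted(probe_summary(recs).items()):
        date, proto, dport = key
        print(f"{date:7s} proto={proto:<2d} dport={dport:<5d} hits={count} sources={srcs}")
    print("days with both TCP/80 and UDP/1025:", same_day_overlap(probe_summary(recs)))
```

For the quoted line, L=37 on a UDP datagram leaves 9 bytes of payload once the IP and UDP headers are subtracted, which is consistent with a short probe rather than a real RPC request; whether that holds across all of the hits is exactly the kind of check this parser makes cheap to run over a real log.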



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

