Security Incidents mailing list archives

Curious tidbits...


From: "Portnoy, Gary" <gportnoy () belenosinc com>
Date: Mon, 11 Jun 2001 14:21:57 -0400

Hello there,

A few interesting things from over the weekend...  
First, scan for port 88/udp - Kerberos...  Notice a portion of the payload:
" 011ba506"  That's almost the IP that is being scanned, though the first
octet is completely off and the last octet is off by one, but nonetheless 01
1b a5 06 = 1.27.165.6  The destination IP = x.27.165.7 and in the second
example, 01 1b 15 0e= 1.27.165.14 The destination IP = x.27.165.15  A little
strange to say the least...

06/10-07:41:09.273680 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x45
208.191.206.41:1130 -> MY.NET.165.7:88 UDP TTL:49 TOS:0x0 ID:52865 IpLen:20
DgmLen:55
Len: 35
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
20 30 31 31 62 61 35 30 36 0D 0A                  011ba506..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/10-07:41:09.326709 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x45
208.191.206.41:1130 -> MY.NET.165.15:88 UDP TTL:49 TOS:0x0 ID:52873 IpLen:20
DgmLen:55
Len: 35
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
20 30 31 31 62 61 35 30 65 0D 0A                  011ba50e..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

And also:

Date            Time            Proto   Source                  Destination             Action
2001-06-10      20:39:51        tcp     207.232.9.204:3724      MY.NET.94.213:5555      drop
2001-06-10      20:39:51        tcp     207.232.9.204:3722      MY.NET.94.211:5555      drop
2001-06-10      20:39:51        tcp     207.232.9.204:3721      MY.NET.94.210:5555      drop
2001-06-10      20:39:51        tcp     207.232.9.204:3723      MY.NET.94.212:5555      drop

Looks like someone looking for ramen worm/knark rootkit combination:
http://www.securityfocus.com/archive/75/163619

Later

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
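An added example (not part of the original post) that automates the check Gary did by hand: it parses a Snort-style alert with its hex payload dump, decodes the ASCII-hex run (" 011ba506") back into a dotted quad, and reports the per-octet difference against the alert's destination address. The sample alert is constructed from the first dump above, with the masked "MY.NET" replaced by the made-up prefix 10.0 so it parses as a real address.

```python
import re

# Constructed sample in the Snort alert layout from the post; "MY.NET" is
# replaced with the made-up prefix 10.0 so the header line parses.
SAMPLE_ALERT = """\
06/10-07:41:09.273680 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x45
208.191.206.41:1130 -> 10.0.165.7:88 UDP TTL:49 TOS:0x0 ID:52865 IpLen:20
DgmLen:55
Len: 35
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
20 30 31 31 62 61 35 30 36 0D 0A                  011ba506..
"""

HEADER_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):\d+ (?P<proto>UDP|TCP)", re.M)
HEX_PAIR_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
ASCII_HEX_IP_RE = re.compile(r"\b[0-9A-Fa-f]{8}\b")   # 4 octets as 8 hex digits


def parse_alert(text):
    """Return (src, dst, proto, payload bytes) from one Snort alert with hex dump."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no IP header line found")
    payload, in_dump = bytearray(), False
    for line in text.splitlines():
        if line.startswith("Len:"):       # hex dump begins after the Len: line
            in_dump = True
            continue
        if not in_dump:
            continue
        # hex columns are single-space separated; the ASCII column follows 2+ spaces
        tokens = re.split(r"\s{2,}", line.strip(), maxsplit=1)[0].split(" ")
        if all(HEX_PAIR_RE.match(t) for t in tokens):
            payload.extend(int(t, 16) for t in tokens)
    return m["src"], m["dst"], m["proto"], bytes(payload)


def embedded_ip(payload):
    """Decode an 8-hex-digit ASCII run in the payload as a dotted quad, or None."""
    m = ASCII_HEX_IP_RE.search(payload.decode("latin-1"))
    if not m:
        return None
    return ".".join(str(b) for b in bytes.fromhex(m.group(0)))


def octet_deltas(candidate, dst):
    """Per-octet difference candidate - dst; a trailing -1 is the off-by-one Gary saw."""
    c = [int(x) for x in candidate.split(".")]
    d = [int(x) for x in dst.split(".")]
    return tuple(a - b for a, b in zip(c, d))
```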

