Security Incidents mailing list archives

strange log


From: john.huck () hushmail com
Date: Fri, 16 Nov 2001 12:09:01 -0800


hi,

Long time reader, first time poster...

I've been asked to review some logs for a client, and I've discovered some strange entries that I've never seen before.
I've searched in all the places I know related to security and log analysis but found nothing...

The logs I got to analyze are from August 2001, and before some CodeRed entry I have a connection attempt on TCP port
1032...
Here is a sample:

xxx.xxx.xxx.xxx : firewall that logged the entries
yyy.yyy.yyy.yyy : targeted machines
aaa.aaa.aaa.aaa : first CodeRed-infected machine aiming at the client machine
bbb.bbb.bbb.bbb : second CodeRed-infected machine aiming at the client machine

3Aug2001 18:37:25 N1004 xxx.xxx.xxx.xxx drop 1032 aaa.aaa.aaa.aaa yyy.yyy.yyy.yyy tcp 3 3463 len 48
3Aug2001 18:37:28 daemon xxx.xxx.xxx.xxx reject http aaa.aaa.aaa.aaa yyy.yyy.yyy.yyy tcp 3 3463 reason Content Security - access denied. resource
http://yyy.yyy.yyy.yyy:80/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u
9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

5Aug2001 0:01:44 N1004 xxx.xxx.xxx.xxx drop 1032 bbb.bbb.bbb.bbb yyy.yyy.yyy.yyy tcp 3 3120 len 48
5Aug2001 0:01:49 daemon xxx.xxx.xxx.xxx reject http bbb.bbb.bbb.bbb yyy.yyy.yyy.yyy tcp 3 3120 reason Content Security - access denied. resource
http://yyy.yyy.yyy.yyy:80/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090
%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%
u00=a

I've asked the owner of the targeted machine, and none of his machines seem to use TCP port 1032 for their "normal"
behavior (daemons or services).
I've checked the aaa.aaa.aaa.aaa and bbb.bbb.bbb.bbb addresses and they come from an Internet provider.

At first glance, I'd say the attacking machines could have been trojanized, but why do the targeted machines systematically get
such 1032 connection attempts?
To be honest I have no idea what it could be...

If someone could give me any clue or a piece of help, that would be pretty cool...


regards,

John Huck
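As an added example (not part of the original post, and not a tool from the list or its author), the script below does the correlation the poster did by eye: parse firewall lines laid out in the whitespace-separated column order visible in the sample (date, time, interface, logging firewall, action, service, source, destination, protocol, rule, source port, then free text), then for each source address look for a dropped TCP/1032 connection followed within a few seconds by an HTTP reject whose blocked resource contains `default.ida`. The sample lines are constructed for this example and use RFC 5737 documentation addresses instead of the placeholders in the post; the column meanings, the `Event` class and the ten-second window are assumptions, not something the post states.

```python
"""Correlate a port-1032 drop with the CodeRed HTTP reject that follows it (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the column order shown in the post. Addresses are
# RFC 5737 documentation ranges: 192.0.2.1 is the firewall, 192.0.2.10 the
# target, the rest are the sources. Payloads are shortened.
SAMPLE_LOG = """\
3Aug2001 18:37:25 N1004 192.0.2.1 drop 1032 203.0.113.5 192.0.2.10 tcp 3 3463 len 48
3Aug2001 18:37:28 daemon 192.0.2.1 reject http 203.0.113.5 192.0.2.10 tcp 3 3463 reason Content Security - access denied. resource http://192.0.2.10:80/default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801
5Aug2001 0:01:44 N1004 192.0.2.1 drop 1032 198.51.100.7 192.0.2.10 tcp 3 3120 len 48
5Aug2001 0:01:49 daemon 192.0.2.1 reject http 198.51.100.7 192.0.2.10 tcp 3 3120 reason Content Security - access denied. resource http://192.0.2.10:80/default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801
6Aug2001 9:15:02 N1004 192.0.2.1 drop 1032 198.51.100.9 192.0.2.10 tcp 3 4001 len 48
"""


@dataclass
class Event:
    when: datetime
    action: str   # drop / reject / accept
    service: str  # port number or service name as the firewall logged it
    src: str
    dst: str
    proto: str
    detail: str   # everything after the source-port column


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; returns None for lines that do not fit the layout."""
    fields = line.split()
    if len(fields) < 11:
        return None
    date, clock, _iface, _origin, action, service, src, dst, proto, _rule, _sport = fields[:11]
    try:
        # %d and %H accept the unpadded "3Aug2001" / "0:01:44" forms in the post
        when = datetime.strptime(f"{date} {clock}", "%d%b%Y %H:%M:%S")
    except ValueError:
        return None
    return Event(when, action, service, src, dst, proto, " ".join(fields[11:]))


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def fill_char(detail: str) -> Optional[str]:
    """First character of the default.ida query string (the filler the request was padded with)."""
    marker = "default.ida?"
    idx = detail.find(marker)
    if idx < 0:
        return None
    return detail[idx + len(marker): idx + len(marker) + 1] or None


def find_precursors(events: List[Event], port: str = "1032",
                    window: timedelta = timedelta(seconds=10)) -> List[dict]:
    """For each source, pair a dropped connection to `port` with a default.ida
    HTTP reject from the same source within `window`. Returns one finding per pair."""
    by_src: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.when):
        by_src.setdefault(e.src, []).append(e)

    findings = []
    for src, evs in by_src.items():
        for i, probe in enumerate(evs):
            if probe.action != "drop" or probe.service != port or probe.proto != "tcp":
                continue
            for follow in evs[i + 1:]:
                if follow.when - probe.when > window:
                    break  # events are sorted, nothing later can match
                if follow.service == "http" and "default.ida" in follow.detail:
                    findings.append({
                        "src": src,
                        "dst": follow.dst,
                        "gap_s": (follow.when - probe.when).total_seconds(),
                        "fill": fill_char(follow.detail),
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in find_precursors(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: 1032 probe {f['gap_s']:.0f}s before default.ida ({f['fill']}-filled)")
```

Run as-is it reports the two pairs from the sample and ignores the third source, whose port-1032 drop has no HTTP follow-up inside the window. Keeping the unmatched probes around is useful too: whether TCP/1032 shows up only as a precursor to `default.ida` requests, or also on its own, is exactly the question the poster is asking, and counting both populations over the whole August log answers it.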

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
