Security Incidents mailing list archives

Strange traffic


From: auto230111 () hushmail com
Date: Wed, 5 Sep 2001 17:22:23 -0700

Over the past 2 weeks we've started to receive some pretty
strange traffic which has been stopped at our border. The
$TARGET host in each case is the same.

Q. Has anyone seen anything like this? Any thoughts??

thx.

Aug 22 16:42:04 8/0/icmp $TARGET <- 204.71.128.148 98 
Aug 22 16:42:06 8/0/icmp $TARGET <- 204.71.128.148 98 
Aug 22 16:42:15 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Aug 22 16:42:20 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Aug 22 16:42:25 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
Aug 22 16:42:30 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
Aug 22 16:42:35 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn 

Aug 25 14:38:33 8/0/icmp $TARGET <- 204.71.128.148 98 
Aug 25 14:38:34 8/0/icmp $TARGET <- 204.71.128.148 98 
Aug 25 14:38:44 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Aug 25 14:38:49 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Aug 25 14:38:54 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
Aug 25 14:38:59 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
Aug 25 14:39:04 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn 

Aug 27 13:59:02 8/0/icmp $TARGET <- 204.71.128.148 98 
Aug 27 13:59:03 8/0/icmp $TARGET <- 204.71.128.148 98 
Aug 27 13:59:13 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Aug 27 13:59:18 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Aug 27 13:59:23 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
Aug 27 13:59:28 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
Aug 27 13:59:33 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn 

Aug 29 14:01:46 8/0/icmp $TARGET <- 204.71.128.148 98 
Aug 29 14:01:47 8/0/icmp $TARGET <- 204.71.128.148 98 
Aug 29 14:01:57 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Aug 29 14:02:03 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Aug 29 14:02:07 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
Aug 29 14:02:12 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
Aug 29 14:02:17 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn 

Aug 31 14:57:16 8/0/icmp $TARGET <- 204.71.128.148 98 
Aug 31 14:57:16 8/0/icmp $TARGET <- 204.71.128.148 98 
Aug 31 14:57:26 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Aug 31 14:57:31 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Aug 31 14:57:36 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
Aug 31 14:57:41 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
Aug 31 14:57:46 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn 

Sep  1 10:45:39 8/0/icmp $TARGET <- 216.34.77.12 98 
Sep  1 10:45:40 8/0/icmp $TARGET <- 216.34.77.12 98 
Sep  1 10:45:50 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
Sep  1 10:45:55 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
Sep  1 10:46:00 tcp $TARGET;53 <- 216.34.77.12;1024 54 syn
Sep  1 10:46:05 tcp $TARGET;123 <- 216.34.77.12;1024 54 syn
Sep  1 10:46:10 tcp $TARGET;113 <- 216.34.77.12;1024 54 syn

Sep  2 16:45:29 8/0/icmp $TARGET <- 204.71.128.148 98 
Sep  2 16:45:30 8/0/icmp $TARGET <- 204.71.128.148 98 
Sep  2 16:45:40 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Sep  2 16:45:45 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Sep  2 16:45:50 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
Sep  2 16:45:55 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
Sep  2 16:46:00 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn 

Sep  3 12:49:38 8/0/icmp $TARGET <- 216.34.77.12 98
Sep  3 12:49:39 8/0/icmp $TARGET <- 216.34.77.12 98
Sep  3 12:49:49 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
Sep  3 12:49:54 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
Sep  3 12:49:58 tcp $TARGET;53 <- 216.34.77.12;1024 54 syn
Sep  3 12:50:03 tcp $TARGET;123 <- 216.34.77.12;1024 54 syn
Sep  3 12:50:08 tcp $TARGET;113 <- 216.34.77.12;1024 54 syn

Sep  4 19:08:58 8/0/icmp $TARGET <- 204.71.128.148 98 
Sep  4 19:08:59 8/0/icmp $TARGET <- 204.71.128.148 98 
Sep  4 19:09:09 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Sep  4 19:09:14 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
Sep  4 19:09:19 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
Sep  4 19:09:24 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
Sep  4 19:09:29 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn

Sep  5 15:28:51 8/0/icmp $TARGET <- 216.34.77.12 98
Sep  5 15:28:52 8/0/icmp $TARGET <- 216.34.77.12 98
Sep  5 15:29:02 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
Sep  5 15:29:07 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
Sep  5 15:29:12 tcp $TARGET;53 <- 216.34.77.12;1024 54 syn
Sep  5 15:29:17 tcp $TARGET;123 <- 216.34.77.12;1024 54 syn
Sep  5 15:29:22 tcp $TARGET;113 <- 216.34.77.12;1024 54 syn
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
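
Added example, not part of the original post: a way to check whether border-log entries in the format above repeat one fixed packet sequence per burst, and from which sources. The field meanings, the 60-second burst gap, the function names and the sample (constructed, with documentation addresses) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: timestamp, "type/code/icmp" or "tcp", dst[;port] <- src[;port], length, flags.
LINE = re.compile(r"(\w{3}\s+\d+ [\d:]{8}) (?:(\d+/\d+)/icmp \S+ <- ([\d.]+)"
                  r"|tcp \S+;(\d+) <- ([\d.]+);(\d+)) \d+(?: (\w+))?$")

# Constructed sample in the post's log format (not the poster's data).
SAMPLE = """\
Aug 22 16:42:04 8/0/icmp $TARGET <- 192.0.2.10 98
Aug 22 16:42:06 8/0/icmp $TARGET <- 192.0.2.10 98
Aug 22 16:42:15 tcp $TARGET;22 <- 192.0.2.10;1024 54 syn
Aug 22 16:42:20 tcp $TARGET;22 <- 192.0.2.10;1024 54 syn
Aug 22 16:42:25 tcp $TARGET;53 <- 192.0.2.10;1024 54 syn
Aug 22 16:42:30 tcp $TARGET;123 <- 192.0.2.10;1024 54 syn
Aug 22 16:42:35 tcp $TARGET;113 <- 192.0.2.10;1024 54 syn
Aug 30 09:00:00 tcp $TARGET;80 <- 203.0.113.5;40112 60 syn
Sep  1 10:45:39 8/0/icmp $TARGET <- 198.51.100.7 98
Sep  1 10:45:40 8/0/icmp $TARGET <- 198.51.100.7 98
Sep  1 10:45:50 tcp $TARGET;22 <- 198.51.100.7;1024 54 syn
Sep  1 10:45:55 tcp $TARGET;22 <- 198.51.100.7;1024 54 syn
Sep  1 10:46:00 tcp $TARGET;53 <- 198.51.100.7;1024 54 syn
Sep  1 10:46:05 tcp $TARGET;123 <- 198.51.100.7;1024 54 syn
Sep  1 10:46:10 tcp $TARGET;113 <- 198.51.100.7;1024 54 syn
"""

def parse(text, year=2001):  # the log carries no year, so one is supplied
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, icmp, isrc, dport, tsrc, sport, flags = m.groups()
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            step = f"icmp {icmp}" if icmp else f"tcp {sport}->{dport} {flags}"
            yield when, isrc or tsrc, step

def repeated_bursts(text, gap=timedelta(seconds=60), min_count=2):
    """Split each source's packets into bursts; return sequences seen min_count+ times."""
    bursts, open_burst, last_seen = [], {}, {}
    for when, src, step in sorted(parse(text)):
        if src not in last_seen or when - last_seen[src] > gap:
            open_burst[src] = (src, when, [])
            bursts.append(open_burst[src])
        last_seen[src] = when
        open_burst[src][2].append(step)
    seen = defaultdict(list)
    for src, start, steps in bursts:
        seen[tuple(steps)].append((src, start))
    return {sig: hits for sig, hits in seen.items() if len(hits) >= min_count}
```

Each key of the returned dict is one ordered packet sequence; its value lists the (source, start time) of every burst that matched it, so a sequence shared across sources stands out from one-off traffic.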
