Security Incidents mailing list archives

Strange back-orifice looking scan...


From: Jeff Kell <jeff-kell () utc edu>
Date: Wed, 04 Sep 2002 12:08:48 -0400

This popped up on ingress this morning, apparently with forged source addresses (given the timing).  Didn't get a packet capture but just the signature (we block Back Orifice ports):

Sep  4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.33.81.214(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:32.142 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.146.153(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:33.582 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.28.28.138(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:34.594 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 66.177.34.146(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:35.650 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.88.68.110(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:36.862 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.95.36.95(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:38.094 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.30.70.219(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:39.206 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.30.116.61(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:40.226 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 66.108.24.108(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:41.290 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.154.41(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:42.478 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.24.214.52(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:43.486 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.35.2.129(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:44.946 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.27.249.134(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:58:45.864 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.114.254(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:58:47.048 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 12.217.88.31(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:58:50.288 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.130.16.39(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:58:53.680 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 216.202.177.153(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:58:56.268 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.99.48.65(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:59:00.488 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 146.115.94.106(1214) -> aa.bb.cc.dd(31336), 1 packet

Any clues on this one?  Looks new to me...

Jeff
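A detection check for the pattern in this post, added here as an example and not part of the original message: it parses Cisco IOS %SEC-6-IPACCESSLOGP lines and flags a destination port hit by many distinct sources, all with the same source port and a single packet each, inside a short window. The sample lines use RFC 5737 documentation addresses and are constructed rather than copied from the log above; the window and source-count thresholds are assumptions.

```python
import re
from datetime import datetime
# Cisco IOS ACL log line, as in the post:
#   Sep  4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp A.B.C.D(1214) -> W.X.Y.Z(31336), 1 packet
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)\.\d+ \S+: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\w.]+)\((?P<sport>\d+)\) -> (?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?$"
)

# Constructed sample (RFC 5737 addresses) mimicking the post: five different sources, one packet each,
# identical source port 1214 -> UDP/31336 about a second apart, plus one lone hit on 31337 that should not alert.
SAMPLE_LOG = [
    "Sep  4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.11(1214) -> 198.51.100.7(31336), 1 packet",
    "Sep  4 11:56:32.142 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.12(1214) -> 198.51.100.7(31336), 1 packet",
    "Sep  4 11:56:33.582 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.13(1214) -> 198.51.100.7(31336), 1 packet",
    "Sep  4 11:56:34.594 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.14(1214) -> 198.51.100.7(31336), 1 packet",
    "Sep  4 11:56:35.650 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.15(1214) -> 198.51.100.7(31336), 1 packet",
    "Sep  4 11:57:10.001 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.99(1214) -> 198.51.100.7(31337), 1 packet",
]

def parse_line(line, year=2002):
    """Parse one ACL log line into a dict; return None for anything that is not an IPACCESSLOGP line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['mon']} {ev['day']} {ev['time']}", "%Y %b %d %H:%M:%S")
    for k in ("sport", "dport", "pkts"):
        ev[k] = int(ev[k])
    return ev

def find_distributed_probes(lines, window_s=60, min_sources=5):
    """Report (dst, dport, sport) triples hit by >= min_sources distinct sources within window_s, one packet
    each. Many 'hosts' probing one port in lock-step with the same source port suggests one sender forging addresses."""
    groups = {}
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "denied":
            groups.setdefault((ev["dst"], ev["dport"], ev["sport"]), []).append(ev)
    alerts = []
    for (dst, dport, sport), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window over the time-sorted events
            in_win = [e for e in evs[i:] if (e["ts"] - start["ts"]).total_seconds() <= window_s]
            srcs = {e["src"] for e in in_win}
            if len(srcs) >= min_sources and all(e["pkts"] == 1 for e in in_win):
                alerts.append({"dst": dst, "dport": dport, "sport": sport, "sources": len(srcs), "first": start["ts"]})
                break  # one alert per triple is enough
    return alerts
```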

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
