Security Incidents mailing list archives

Re: attack


From: Randy Mclean <rmclean () NATDOOR COM>
Date: Thu, 7 Sep 2000 13:42:07 -0500

Well I don't recognize the attack, but it looks like they spoofed most of the
addresses (much like the decoy feature of nmap). I say this because what are
the chances of 4 different hosts that have the same source and destination
port making requests within seconds of each other? Normally (but not always)
in a decoy scan one of the host names will be the correct attacking host,
but it is not easy to find out the real host from the decoys. I'm not sure if this
message will help you much, but that's my 2 cents worth.


At 08:19 AM 9/7/2000 +0200, Tommy Axelsson wrote:
Hello

A couple of days ago we had an incident that forced us to reboot our server,
which also works as a gateway.
We are running Linux 6.2 and are using ip-masquerading and squid.
First we had an unusual amount of icmp echo requests. Then there were a lot
of udp datagrams, of which only a few are shown below.
The first batch of packets all came from dial-up connections. The second
batch mostly came from addresses in Korea.

Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from cx159639-a.irvn1.occa.home.com:13139 (32 data bytes)
Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-216.jewel-puffer.dialup.pol.co.uk:13139 (32 data bytes)
Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-171.imperator-angel.dialup.pol.co.uk:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from lph2-2ac.twcny.rr.com:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from pec-52-211.tnt1.b2.uunet.de:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-51.lemonpeel-angel.dialup.pol.co.uk:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from nas-33-196.stockton.navipath.net:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from 223-ALIC-X8.libre.retevision.es:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from user35-67.jakinternet.co.uk:13139 (32 data bytes)
Sep  3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-250.blue-streak-damsel.dialup.pol.co.uk:13139 (32 data bytes)
Sep  3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from sy-as-08-167.free.net.au:13139 (32 data bytes)
Sep  3 13:09:20 gw iplog[3265]: UDP: dgram to gw:port 13139 from stargate238-55.salzburg-online.at:13139 (32 data bytes)

Sep  3 16:50:08 gw iplog[6019]: UDP: dgram to gw:port 28800 from ip238.kjnxr3.ras.tele.dk:28800 (4 data bytes)
Sep  3 16:51:02 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.169.161.39:28800 (4 data bytes)
Sep  3 16:51:04 gw iplog[6019]: UDP: dgram to gw:port 28800 from s210-219-151-19.thrunet.ne.kr:28800 (4 data bytes)
Sep  3 16:51:06 gw iplog[6019]: UDP: dgram to gw:port 28800 from s210-205-134-190.thrunet.ne.kr:28800 (4 data bytes)
Sep  3 16:51:10 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.110.18.217:28800 (4 data bytes)
Sep  3 16:51:15 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.38.104.212:28800 (4 data bytes)
Sep  3 16:51:27 gw iplog[6019]: UDP: dgram to gw:port 28800 from 210.182.122.45:28800 (4 data bytes)
Sep  3 16:51:29 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.58.34.139:28800 (4 data bytes)
Sep  3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from 210.207.24.168:28800 (4 data bytes)
Sep  3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from cr357836-a.flfrd1.on.wave.home.com:28800 (4 data bytes)
Sep  3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.200.19.78:28800 (4 data bytes)
Sep  3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from ip66.portland8.or.pub-ip.psi.net:28800 (4 data bytes)
Sep  3 16:51:38 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.118.14.251:28800 (4 data bytes)
Sep  3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from 210.113.82.165:28800 (4 data bytes)
Sep  3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.176.7.151:28800 (4 data bytes)

Anyone who knows what this could be?

Regards

Tommy Axelsson

--
Randy Mclean
Security/Network Administrator
rmclean () natdoor com
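The heuristic Randy applies above (several distinct sources, identical source and destination port, all within a few seconds of each other) is easy to turn into a check over iplog output. The script below is an added example, not code from either poster: it parses the UDP lines quoted in the thread (re-joined onto one line each), counts how many distinct sources hit the same port-to-port pair inside a sliding time window, and flags the ports that exceed a threshold. The year 2000 on the syslog timestamps, the 5-second window and the threshold of 4 sources are assumptions chosen here, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# The iplog lines from Tommy's post, with the mail wrapping undone so each
# record is one line. The syslog timestamp carries no year; 2000 is assumed
# from the date of the message.
SAMPLE_LOG = """\
Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from cx159639-a.irvn1.occa.home.com:13139 (32 data bytes)
Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-216.jewel-puffer.dialup.pol.co.uk:13139 (32 data bytes)
Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-171.imperator-angel.dialup.pol.co.uk:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from lph2-2ac.twcny.rr.com:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from pec-52-211.tnt1.b2.uunet.de:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-51.lemonpeel-angel.dialup.pol.co.uk:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from nas-33-196.stockton.navipath.net:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from 223-ALIC-X8.libre.retevision.es:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from user35-67.jakinternet.co.uk:13139 (32 data bytes)
Sep  3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-250.blue-streak-damsel.dialup.pol.co.uk:13139 (32 data bytes)
Sep  3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from sy-as-08-167.free.net.au:13139 (32 data bytes)
Sep  3 13:09:20 gw iplog[3265]: UDP: dgram to gw:port 13139 from stargate238-55.salzburg-online.at:13139 (32 data bytes)
Sep  3 16:50:08 gw iplog[6019]: UDP: dgram to gw:port 28800 from ip238.kjnxr3.ras.tele.dk:28800 (4 data bytes)
Sep  3 16:51:02 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.169.161.39:28800 (4 data bytes)
Sep  3 16:51:04 gw iplog[6019]: UDP: dgram to gw:port 28800 from s210-219-151-19.thrunet.ne.kr:28800 (4 data bytes)
Sep  3 16:51:06 gw iplog[6019]: UDP: dgram to gw:port 28800 from s210-205-134-190.thrunet.ne.kr:28800 (4 data bytes)
Sep  3 16:51:10 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.110.18.217:28800 (4 data bytes)
Sep  3 16:51:15 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.38.104.212:28800 (4 data bytes)
Sep  3 16:51:27 gw iplog[6019]: UDP: dgram to gw:port 28800 from 210.182.122.45:28800 (4 data bytes)
Sep  3 16:51:29 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.58.34.139:28800 (4 data bytes)
Sep  3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from 210.207.24.168:28800 (4 data bytes)
Sep  3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from cr357836-a.flfrd1.on.wave.home.com:28800 (4 data bytes)
Sep  3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.200.19.78:28800 (4 data bytes)
Sep  3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from ip66.portland8.or.pub-ip.psi.net:28800 (4 data bytes)
Sep  3 16:51:38 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.118.14.251:28800 (4 data bytes)
Sep  3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from 210.113.82.165:28800 (4 data bytes)
Sep  3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.176.7.151:28800 (4 data bytes)
"""

# One iplog UDP record: timestamp, host, pid, destination host:port, source host:port, length.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ iplog\[\d+\]: UDP: dgram to "
    r"(?P<dsthost>[^:\s]+):port (?P<dport>\d+) from (?P<src>\S+):(?P<sport>\d+) "
    r"\((?P<nbytes>\d+) data bytes\)$"
)


def parse_iplog(text, year=2000):
    """Turn iplog UDP lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse "Sep  3" to "Sep 3" for strptime
        events.append({
            "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "dport": int(m["dport"]),
            "src": m["src"],
            "sport": int(m["sport"]),
            "nbytes": int(m["nbytes"]),
        })
    return events


def summarize_same_port_traffic(events, window_s=5):
    """For each destination port hit by datagrams whose source port equals the
    destination port, report the distinct sources overall, the most distinct
    sources seen inside any window_s-second sliding window, and payload sizes."""
    by_port = defaultdict(list)
    for e in events:
        if e["sport"] == e["dport"]:
            by_port[e["dport"]].append(e)
    summary = {}
    for port, evs in by_port.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):
            # advance the window start until it is within window_s of evs[end]
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            best = max(best, len({e["src"] for e in evs[start:end + 1]}))
        summary[port] = {
            "total_sources": len({e["src"] for e in evs}),
            "max_in_window": best,
            "payload_bytes": sorted({e["nbytes"] for e in evs}),
        }
    return summary


def flag_decoy_like(summary, min_sources=4):
    """Ports where at least min_sources distinct hosts used the same
    port-to-port pair inside one window: the pattern Randy describes."""
    return sorted(p for p, s in summary.items() if s["max_in_window"] >= min_sources)


if __name__ == "__main__":
    s = summarize_same_port_traffic(parse_iplog(SAMPLE_LOG))
    for port in flag_decoy_like(s):
        print(port, s[port])
```

The check only establishes that many hosts hit the same port pair in a tight burst; it cannot tell a spoofed source from a real one, so its output is a reason to look closer at the flagged port, not an identification of the attacker.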
