Security Incidents mailing list archives
Re: attack
From: Randy Mclean <rmclean () NATDOOR COM>
Date: Thu, 7 Sep 2000 13:42:07 -0500
Well, I don't recognize the attack, but it looks like they spoofed most of the addresses (much like the decoy feature of nmap). I say this because what are the chances of 4 different hosts that have the same source and destination port making requests within seconds of each other? Normally (but not always) in a decoy scan one of the host names will be the correct attacking host, but it is not easy to find out the real host from the decoys. I'm not sure if this message will help you much, but that's my 2 cents' worth.

At 08:19 AM 9/7/2000 +0200, Tommy Axelsson wrote:
Hello,

A couple of days ago we had an incident that forced us to reboot our server, which also works as a gateway. We are running Linux 6.2 and are using ip-masquerading and squid. First we had an unusual amount of icmp echo requests. Then there were a lot of udp datagrams, of which only a few are shown below. The first batch of packets all came from dial-up connections. The second batch mostly came from addresses in Korea.

Sep 3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from cx159639-a.irvn1.occa.home.com:13139 (32 data bytes)
Sep 3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-216.jewel-puffer.dialup.pol.co.uk:13139 (32 data bytes)
Sep 3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-171.imperator-angel.dialup.pol.co.uk:13139 (32 data bytes)
Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from lph2-2ac.twcny.rr.com:13139 (32 data bytes)
Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from pec-52-211.tnt1.b2.uunet.de:13139 (32 data bytes)
Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-51.lemonpeel-angel.dialup.pol.co.uk:13139 (32 data bytes)
Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from nas-33-196.stockton.navipath.net:13139 (32 data bytes)
Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from 223-ALIC-X8.libre.retevision.es:13139 (32 data bytes)
Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from user35-67.jakinternet.co.uk:13139 (32 data bytes)
Sep 3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from modem-250.blue-streak-damsel.dialup.pol.co.uk:13139 (32 data bytes)
Sep 3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from sy-as-08-167.free.net.au:13139 (32 data bytes)
Sep 3 13:09:20 gw iplog[3265]: UDP: dgram to gw:port 13139 from stargate238-55.salzburg-online.at:13139 (32 data bytes)
Sep 3 16:50:08 gw iplog[6019]: UDP: dgram to gw:port 28800 from ip238.kjnxr3.ras.tele.dk:28800 (4 data bytes)
Sep 3 16:51:02 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.169.161.39:28800 (4 data bytes)
Sep 3 16:51:04 gw iplog[6019]: UDP: dgram to gw:port 28800 from s210-219-151-19.thrunet.ne.kr:28800 (4 data bytes)
Sep 3 16:51:06 gw iplog[6019]: UDP: dgram to gw:port 28800 from s210-205-134-190.thrunet.ne.kr:28800 (4 data bytes)
Sep 3 16:51:10 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.110.18.217:28800 (4 data bytes)
Sep 3 16:51:15 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.38.104.212:28800 (4 data bytes)
Sep 3 16:51:27 gw iplog[6019]: UDP: dgram to gw:port 28800 from 210.182.122.45:28800 (4 data bytes)
Sep 3 16:51:29 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.58.34.139:28800 (4 data bytes)
Sep 3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from 210.207.24.168:28800 (4 data bytes)
Sep 3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from cr357836-a.flfrd1.on.wave.home.com:28800 (4 data bytes)
Sep 3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.200.19.78:28800 (4 data bytes)
Sep 3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from ip66.portland8.or.pub-ip.psi.net:28800 (4 data bytes)
Sep 3 16:51:38 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.118.14.251:28800 (4 data bytes)
Sep 3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from 210.113.82.165:28800 (4 data bytes)
Sep 3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from 211.176.7.151:28800 (4 data bytes)

Does anyone know what this could be?

Regards,
Tommy Axelsson
-- Randy Mclean Security/Network Administrator rmclean () natdoor com
Current thread:
- attack Tommy Axelsson (Sep 07)
- Re: attack Randy Mclean (Sep 07)
- Re: attack Keith R. Jarvis (Sep 07)
- Re: attack Terry Bunch (Sep 07)