Security Incidents mailing list archives

Re: Strange traffic


From: Jens Hektor <hektor () rz rwth-aachen de>
Date: Thu, 06 Sep 2001 08:06:14 +0200

> Over the past 2 weeks we've started to receive some pretty
> strange traffic which has been stopped at our border. The
> $TARGET host in each case is the same.

Yes, it started back in the beginning of August.

** Aug 3 06:53:24 - Aug 3 06:53:39: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
** Aug 3 07:07:08 - Aug 3 07:07:23: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
** Aug 21 08:01:56 - Aug 21 08:02:11: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
** Aug 21 08:15:17 - Aug 21 08:15:32: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
** Aug 22 19:16:20 - Aug 22 19:16:35: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
** Aug 22 19:28:46 - Aug 22 19:29:01: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
** Aug 24 15:38:47 - Aug 24 15:39:02: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
** Aug 24 17:00:14 - Aug 24 17:00:29: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
** Aug 26 14:41:31 - Aug 26 14:41:46: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
** Aug 26 16:04:13 - Aug 26 16:04:28: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
** Aug 28 14:28:14 - Aug 28 14:28:29: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
** Aug 28 15:51:42 - Aug 28 15:51:57: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
** Aug 30 14:59:12 - Aug 30 14:59:26: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
** Aug 30 16:23:56 - Aug 30 16:24:11: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
** Aug 31 12:02:51 - Aug 31 12:03:06: 216.34.77.12 3  Proto: TCP, Ports: ssh ntp
** Sep 1 16:27:09 - Sep 1 16:27:24: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
** Sep 1 17:52:55 - Sep 1 17:53:10: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
** Sep 2 13:54:04 - Sep 2 13:54:19: 216.34.77.12 3  Proto: TCP, Ports: ssh ntp
** Sep 3 18:42:23 - Sep 3 18:42:38: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
** Sep 3 20:09:10 - Sep 3 20:09:25: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
** Sep 4 16:21:47 - Sep 4 16:22:02: 216.34.77.12 3  Proto: TCP, Ports: ssh ntp
** Sep 4 16:21:47 - Sep 4 16:22:02: 216.34.77.12 3  Proto: TCP, Ports: ssh ntp
** Sep 5 21:27:05 - Sep 5 21:27:20: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
** Sep 5 22:54:38 - Sep 5 22:54:53: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp


> Q. Has anyone seen anything like this? Any thoughts??

There were some vulns in SSH and AFAIR in XNTP too.

Bye, Jens Hektor

--
Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
Computing Center Technical University Aachen, network operation & security
mailto:hektor () RZ RWTH-Aachen DE, Tel.: +49 241 80 29206, Raum: 2.35
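The summary lines quoted above have a regular shape, so here is a small aggregator over that format, added as an example (it is not code from the post or from any tool it mentions): it groups the bursts per source, keeps each source's port signature, and reports port sets that were probed from more than one source, which separates a coordinated sweep from one noisy host. The year (2001, from the Date header) and the sample lines are constructed from the post's own values.

```python
import re
from collections import defaultdict
from datetime import datetime
# One firewall summary line in the format quoted in the post:
#   ** <start> - <end>: <source> <hits>  Proto: <proto>, Ports: <port> <port> ...
STAMP = r"\w{3} \d{1,2} \d{2}:\d{2}:\d{2}"
LINE_RE = re.compile(rf"^\*\* (?P<start>{STAMP}) - (?P<end>{STAMP}): (?P<src>\S+) "
                     r"(?P<hits>\d+)\s+Proto: (?P<proto>\w+), Ports: (?P<ports>.+)$")
YEAR = 2001  # the stamps carry no year; taken from the post's Date header (assumption)

def parse_line(line):
    """Parse one summary line; return None for lines not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = lambda s: datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")
    return {"start": t(m["start"]), "end": t(m["end"]), "src": m["src"],
            "hits": int(m["hits"]), "proto": m["proto"],
            "ports": frozenset(m["ports"].split())}

def summarize(lines):
    """Per source: number of bursts, total hits, union of ports, longest burst (s)."""
    out = defaultdict(lambda: {"bursts": 0, "hits": 0, "ports": set(), "max_secs": 0})
    for rec in filter(None, map(parse_line, lines)):
        s = out[rec["src"]]
        s["bursts"] += 1
        s["hits"] += rec["hits"]
        s["ports"] |= rec["ports"]
        s["max_secs"] = max(s["max_secs"], int((rec["end"] - rec["start"]).total_seconds()))
    return dict(out)

def shared_signatures(summary, min_sources=2):
    """Port sets probed by several sources: one campaign rather than one noisy host."""
    groups = defaultdict(set)
    for src, s in summary.items():
        groups[frozenset(s["ports"])].add(src)
    return {tuple(sorted(sig)): sorted(srcs)
            for sig, srcs in groups.items() if len(srcs) >= min_sources}

# Constructed sample: five lines in the post's format (values as quoted there), plus
# one unrelated syslog line to show that non-matching input is skipped, not mis-parsed.
SAMPLE = """\
** Aug 3 06:53:24 - Aug 3 06:53:39: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
** Aug 3 07:07:08 - Aug 3 07:07:23: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
** Aug 31 12:02:51 - Aug 31 12:03:06: 216.34.77.12 3  Proto: TCP, Ports: ssh ntp
** Sep 4 16:21:47 - Sep 4 16:22:02: 216.34.77.12 3  Proto: TCP, Ports: ssh ntp
** Sep 5 21:27:05 - Sep 5 21:27:20: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
Sep 5 22:00:00 fw: link up
""".splitlines()
```

Run `summarize(SAMPLE)` and `shared_signatures(...)` on the result; every source in the sample shows the same 15-second, three-packet burst against the same ssh/ntp pair, which is the pattern the post is asking about.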


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com