Security Incidents mailing list archives

Re: Modap Worm Infection and Subsequent Scanning


From: Glenn Forbes Fleming Larratt <glratt () rice edu>
Date: Wed, 25 Sep 2002 23:06:19 -0500 (CDT)

A pattern of UDP packets, with incrementing destination ports in the
range 33434-33523, is almost assuredly a traceroute initiated by
host x.y.z.w. If you want to confirm it, compare TTL values of
the packets in question: they should increment by 1 with each
successive UDP port.

Every standard traceroute I've seen, though, has sent three packets
for each (TTL value/UDP destination port) pair. Do I understand
correctly that you only saw one per?

        -g

On 25 Sep 2002, Gordon Chamberlin wrote:

... There was one very odd scan that has me concerned.

The firewall logged packets going from a different server, not the
infected one, to 212.82.211.42:

Sep 23 10:57:21 sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0
SRC=x.y.z.w DST=212.82.211.42 LEN=38 TOS=0x00 PREC=0x00 TTL=22 ID=27664
PROTO=UDP SPT=1370 DPT=33501 LEN=18

There are eight of these messages with DPT proceeding sequentially from
33501 to 33508, inclusive, within 30 seconds.

Questions:
Was this other host infected with something?  I have searched it but
been unable to find any traces of hacking.


Assuming w.x.y.z hasn't been cracked, how did someone convince my server
to try to contact 212.82.211.42?


Any other insight or advice?


Thanks.
 -Gordon



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



                                Glenn Forbes Fleming Larratt
                                Rice University Network Management
                                glratt () rice edu
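As an added example (not code from either poster), here is Glenn's confirmation check applied to firewall log lines in the format Gordon quoted: group the UDP packets by source and destination, confirm every DPT sits in 33434-33523 and steps up by one, confirm the TTL rises by one per hop, and count how many probes share each TTL so a one-probe-per-hop run can be told from the usual three. The sample log is constructed: only Gordon's first line (TTL=22, DPT=33501) comes from the post, the later TTLs are assumed to climb by one, and 198.51.100.9 is a made-up destination.

```python
import re
from collections import defaultdict, Counter

# Matches the KEY=VALUE fields of a netfilter kernel log line like the one Gordon quoted.
FIELD_RE = re.compile(r"(\w+)=(\S+)")
# UDP port window Glenn gives for a traceroute: 33434-33523.
TRACEROUTE_PORTS = range(33434, 33524)

def parse_fields(line):
    """Return the KEY=VALUE fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))

def classify_udp_flows(lines):
    """Group UDP packets by (SRC, DST) and test each flow for traceroute traits.

    A flow is called 'traceroute' when every DPT lies in 33434-33523, DPT rises
    by exactly 1 per packet and the TTL rises by exactly 1 each time it changes.
    probes_per_hop lists how many packets shared each TTL (3 for a standard
    traceroute, 1 for what Gordon reported).
    """
    flows = defaultdict(list)
    for line in lines:
        f = parse_fields(line)
        if f.get("PROTO") == "UDP":
            flows[(f["SRC"], f["DST"])].append((int(f["DPT"]), int(f["TTL"])))
    verdicts = {}
    for key, pkts in flows.items():
        ports = [p for p, _ in pkts]
        ttls = [t for _, t in pkts]
        hops = sorted(set(ttls))
        in_range = all(p in TRACEROUTE_PORTS for p in ports)
        ports_step_by_one = all(b - a == 1 for a, b in zip(ports, ports[1:]))
        ttl_steps_by_one = all(b - a == 1 for a, b in zip(hops, hops[1:]))
        is_traceroute = in_range and ports_step_by_one and ttl_steps_by_one
        verdicts[key] = {
            "packets": len(pkts),
            "probes_per_hop": sorted(set(Counter(ttls).values())),
            "verdict": "traceroute" if is_traceroute else "other",
        }
    return verdicts

# Constructed sample: eight lines shaped like Gordon's (DPT 33501-33508, TTL assumed to
# rise by one per port; only TTL=22/DPT=33501 is from the post) plus one unrelated UDP
# packet to a DNS port so a non-traceroute flow is shown too.
TEMPLATE = ("Sep 23 10:57:{sec:02d} sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0 "
            "SRC=x.y.z.w DST=212.82.211.42 LEN=38 TOS=0x00 PREC=0x00 TTL={ttl} ID={id} "
            "PROTO=UDP SPT=1370 DPT={dpt} LEN=18")
SAMPLE_LOG = [TEMPLATE.format(sec=21 + i * 3, ttl=22 + i, id=27664 + i, dpt=33501 + i)
              for i in range(8)]
SAMPLE_LOG.append("Sep 23 10:58:02 sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0 "
                  "SRC=x.y.z.w DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 "
                  "PROTO=UDP SPT=40000 DPT=53 LEN=40")

if __name__ == "__main__":
    for (src, dst), info in classify_udp_flows(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```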

