Security Incidents mailing list archives

Re: Possible variant of Blaster/Nachi/Welchia? (full sample)


From: Jeff Kell <jeff-kell () utc edu>
Date: Fri, 26 Sep 2003 14:00:11 -0400

The infected machines are trying to sync with a spoofed address, then they start pinging randomly and slowly to random addresses within the same first octet. Here's a complete sample:

> Sep 26 12:46:00.779 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.155.144.218(123) -> 207.46.130.100(123), 1 packet
> Sep 26 12:46:39.160 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.132.114.112 (0/0), 1 packet
> Sep 26 12:47:34.285 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.162.138.194 (0/0), 1 packet
> Sep 26 12:47:44.345 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.156.165.167 (0/0), 1 packet
> Sep 26 12:48:30.378 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.157.126.115 (0/0), 1 packet
> Sep 26 12:48:37.930 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.157.98.253 (0/0), 1 packet
> Sep 26 12:49:54.944 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.153.205.223 (0/0), 1 packet
> Sep 26 12:51:40.262 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.203.128.195 (0/0), 1 packet
> Sep 26 12:52:52.283 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.157.135.71 (0/0), 1 packet
> Sep 26 12:53:43.748 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.158.89.195 (0/0), 1 packet
> Sep 26 12:54:13.885 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.156.18.248 (0/0), 1 packet
> Sep 26 12:55:12.830 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.158.109.44 (0/0), 1 packet
> Sep 26 12:58:02.602 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.154.168.139 (0/0), 1 packet
> Sep 26 12:58:12.202 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.157.29.197 (0/0), 1 packet
> Sep 26 12:59:34.763 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.156.229.95 (0/0), 1 packet
> Sep 26 13:01:39.062 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.153.42.62 (0/0), 1 packet


MAC addresses removed for brevity, but they are the same incoming MAC and interface, and the actual machine IP address was 172.18.113.112.

All I've been able to do thus far is shut down ports. I haven't gotten my hands on an infected one yet for forensics, but we're up to a couple dozen infected ones. There are likely more on campus, but our routers are configured for 'ip unicast reverse-path verify' and spoofed packets would be dropped silently. These came from a 3550 (which due to a bug does not do uRPF) where we had to ACL the ingress to catch spoofs.

Jeff
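The pattern Jeff describes (one udp/123 "sync" from a source address that is not ours, followed by slow ICMP probes of random hosts in the same first octet) can be picked out of Cisco IOS ACL log lines mechanically. The script below is an added example written for this archive page, not code from the original post. It parses the two IOS message formats shown above, groups denied packets by source, and flags any source that sent NTP and then ICMP to several distinct hosts sharing its first octet. The sample input reuses a handful of the posted lines plus two constructed benign lines; the LOCAL_NETS value (172.18.0.0/16) is an assumed placeholder, since the post only says the real host was 172.18.113.112 and does not give the campus range.

```python
"""Flag hosts whose denied-packet pattern matches the post: an NTP (udp/123)
sync from a spoofed source, then ICMP probes of random hosts in the same /8.
Added example for this page; not code from the original post."""
import ipaddress
import re
from collections import defaultdict

# The two IOS message types in the post. IPACCESSLOGP lines carry ports;
# IPACCESSLOGDP lines carry ICMP (type/code) in parentheses.
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_UDP_RE = re.compile(r"IPACCESSLOGP: list \S+ denied (udp|tcp) "
                     + _IP + r"\((\d+)\) -> " + _IP + r"\((\d+)\)")
_ICMP_RE = re.compile(r"IPACCESSLOGDP: list \S+ denied icmp "
                      + _IP + r" -> " + _IP + r" \((\d+)/(\d+)\)")

# Assumed local address space (placeholder, not the real campus range).
LOCAL_NETS = [ipaddress.ip_network("172.18.0.0/16")]

# Sample input: the first UDP line and six ICMP lines are taken from the post;
# the last two lines are constructed benign traffic (ICMP without NTP, and NTP
# without ICMP) to show that neither alone is flagged.
SAMPLE_LINES = [
    "Sep 26 12:46:00.779 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.155.144.218(123) -> 207.46.130.100(123), 1 packet",
    "Sep 26 12:46:39.160 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.132.114.112 (0/0), 1 packet",
    "Sep 26 12:47:34.285 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.162.138.194 (0/0), 1 packet",
    "Sep 26 12:47:44.345 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.156.165.167 (0/0), 1 packet",
    "Sep 26 12:48:30.378 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.157.126.115 (0/0), 1 packet",
    "Sep 26 12:48:37.930 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.157.98.253 (0/0), 1 packet",
    "Sep 26 12:49:54.944 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.155.144.218 -> 172.153.205.223 (0/0), 1 packet",
    "Sep 26 12:50:00.000 EDT: %SEC-6-IPACCESSLOGDP: list netcop denied icmp 172.18.5.5 -> 172.18.9.9 (8/0), 1 packet",
    "Sep 26 12:50:01.000 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.18.7.7(123) -> 207.46.130.100(123), 1 packet",
]


def parse(line):
    """Return a dict for a denied udp/tcp or icmp line, else None."""
    m = _UDP_RE.search(line)
    if m:
        proto, src, sport, dst, dport = m.groups()
        return {"proto": proto, "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport)}
    m = _ICMP_RE.search(line)
    if m:
        src, dst, itype, icode = m.groups()
        return {"proto": "icmp", "src": src, "dst": dst,
                "type": int(itype), "code": int(icode)}
    return None


def is_local(ip):
    """True if ip falls inside the assumed local address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_suspects(lines, min_targets=5):
    """Sources that sent udp 123->123 and then ICMP to at least min_targets
    distinct hosts sharing their first octet. ICMP type/code is deliberately
    not filtered: the posted lines all show (0/0), so requiring type 8 would
    miss exactly the traffic the post describes."""
    ntp_dst = {}                      # src -> first NTP destination seen
    same_octet = defaultdict(set)     # src -> ICMP targets in the same /8
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["proto"] == "udp" and rec["sport"] == 123 and rec["dport"] == 123:
            ntp_dst.setdefault(rec["src"], rec["dst"])
        elif rec["proto"] == "icmp" and \
                rec["src"].split(".")[0] == rec["dst"].split(".")[0]:
            same_octet[rec["src"]].add(rec["dst"])
    found = {}
    for src, targets in same_octet.items():
        if src in ntp_dst and len(targets) >= min_targets:
            found[src] = {"ntp_target": ntp_dst[src],
                          "targets": len(targets),
                          "spoofed": not is_local(src)}
    return found


if __name__ == "__main__":
    for src, info in find_suspects(SAMPLE_LINES).items():
        print(src, info)
```

The flagged source is the spoofed address from the log, not the real host; as the post notes, the MAC address and ingress interface on the switch are what lead back to the actual machine. The threshold is on distinct targets rather than packet rate because the probes arrive roughly a minute apart, which is far below what a rate-based ping-sweep detector would notice.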
