Security Incidents mailing list archives

RE: Strange network activity


From: "Dave Paris" <dparis () w3works com>
Date: Fri, 16 Apr 2004 14:53:12 -0400

-----Original Message-----
From: Roach4 [mailto:ml () undergroundportal com]
Sent: Friday, April 16, 2004 10:39 AM
To: incidents () securityfocus com
Subject: Strange network activity


Hi,

Yesterday we noticed some strange traffic from some internal machines
trying to contact Japan IP addresses on the port 54875 like 300 times a
second. We left the office without worrying too much and we came back this
morning to see that there were external Japan IP addresses which were
querying internal machines for the RPC vulnerability.
[...]

"noticed...internal machines trying to contact...like 300 times a second."
"left the office without worrying too much"

Please tell me you left out a line in your message like "so we
firewalled off the internal machines from contacting (inbound and outbound)
the suspect networks."

If so, please disregard the remainder of this note.

If not...
Pardon me for throwing decorum (and sane-sounding responses) out the window,
but WHAT IN THE HOLY HELL WERE YOU PEOPLE FREAKIN' THINKING WHEN YOU JUST UP
AND LEFT??!!  I mean really... 300 times a second and this didn't set off
any bells in your heads that there just *might* be a wee bit of a problem on
your network?!?

[Shaking my head in disbelief]
-dsp


