nanog mailing list archives
Re: Tracing where it started
From: "Travis Pugh" <tdp () discombobulated net>
Date: Sat, 25 Jan 2003 17:32:17 -0500
According to Clayton Fiske:
Interestingly, looking through my logs for UDP 1434, I saw a sequential scan of my subnet like so:

Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.3,1434 PR udp len 20 33 IN

All from 206.176.210.74, all source port 53 (probably trying to use people's DNS firewall rules to get around being filtered). After that, I saw nothing until the storm started last night from many different source IPs, which was at Jan 24 21:31:53 PST for me.

Ditto on the sequential scan well before the actual action, except that mine came on Jan. 19th:

Jan 19 10:59:11 Deny inbound UDP from 67.8.33.179/1 to xxx.xxx.xxx.xxx
...
...

The scan went across several subnets I manage inside 209.67.0.0 serially. My sources were all from 67.8.33.179, all source port 1. The actual worm propagation began to hit my logs at 00:28:16 EST Jan 25.

Cheers.

-travis
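
Added example, not part of the original message or thread: a log check for the pattern both posters describe, one source probing consecutive destination addresses on UDP 1434 ahead of the outbreak. It parses only lines shaped like the first quoted log excerpt; the function name, the `min_run` threshold and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Matches log lines in the shape quoted above:
#   Jan 16 08:15:51 SRC,SPORT -> DST,DPORT PR udp len 20 33 IN
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+),(?P<dport>\d+)\s+PR\s+udp\b"
)

# Constructed sample log (documentation addresses, not data from the thread).
SAMPLE_LOG = """\
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.1,1434 PR udp len 20 33 IN
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.2,1434 PR udp len 20 33 IN
Jan 16 08:15:51 198.51.100.7,53 -> 192.0.2.3,1434 PR udp len 20 33 IN
Jan 16 08:15:52 198.51.100.7,53 -> 192.0.2.4,1434 PR udp len 20 33 IN
Jan 24 21:31:53 203.0.113.20,1031 -> 192.0.2.77,1434 PR udp len 20 404 IN
Jan 24 21:31:55 198.51.100.7,53 -> 192.0.2.9,53 PR udp len 20 60 IN
""".splitlines()

def find_sequential_scans(lines, dport=1434, min_run=3):
    """Map each source to (first_dst, last_dst, count) runs of consecutive targets."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m["dport"]) == dport:
            targets[m["src"]].add(int(IPv4Address(m["dst"])))
    scans = {}
    for src, dsts in targets.items():
        ordered = sorted(dsts)
        runs, start, prev = [], ordered[0], ordered[0]
        for addr in ordered[1:] + [None]:  # None flushes the final run
            if addr is not None and addr == prev + 1:
                prev = addr
                continue
            if prev - start + 1 >= min_run:
                runs.append((str(IPv4Address(start)), str(IPv4Address(prev)),
                             prev - start + 1))
            start = prev = addr
        if runs:
            scans[src] = runs
    return scans

if __name__ == "__main__":
    for source, runs in find_sequential_scans(SAMPLE_LOG).items():
        print(source, runs)
```

Destinations are collected per source across the whole log, so a sweep spread over hours still shows up as one run; the single-packet hits from scattered sources, as in the later storm, fall below `min_run` and are not reported.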