Re: IP 1.2.3.4

From: Joshua Fritsch (joshua.fritschat_private)
Date: Mon Apr 30 2001 - 11:38:04 PDT

    I got hit on the 27th around 2AM.
    
    However, about an hour prior to that I got a Back Orifice "info" query from
    a RoadRunner (rr.com) address, which leads me to believe they forgot to mask
    themselves on the first run.  Logs follow.
    
    -J
    
    #############################################
    
    [**] IDS399 - BackOrifice1-info [**]
    04/27-00:43:39.769935 24.92.246.190:3875 -> X.X.X.X:31337
    UDP TTL:15 TOS:0x0 ID:8763 IpLen:20 DgmLen:46
    Len: 26
    
    [**] IDS188/trojan-probe-back-orifice [**]
    04/27-01:58:57.786281 1.2.3.4:1024 -> X.X.X.X:31337
    UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
    Len: 59
    
    [**] IDS188/trojan-probe-back-orifice [**]
    04/27-01:58:57.786968 1.2.3.4:1024 -> X.X.X.X:31337
    UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
    Len: 59
    
    [**] IDS188/trojan-probe-back-orifice [**]
    04/27-01:58:57.787917 1.2.3.4:1024 -> X.X.X.X:31337
    UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
    Len: 59
    
    [**] IDS188/trojan-probe-back-orifice [**]
    04/27-02:21:41.751641 1.2.3.4:1024 -> X.X.X.X:31337
    UDP TTL:110 TOS:0x0 ID:3482 IpLen:20 DgmLen:79
    Len: 59
    
    > -----Original Message-----
    > From: John [mailto:johnsat_private]
    > Sent: Sunday, April 29, 2001 10:35 AM
    > To: INCIDENTSat_private
    > Subject: Re: IP 1.2.3.4
    > Importance: High
    >
    >
    > Yes, I got the same probe as you described. Below is an ipchains log.
    > Obviously a forged packet. If you have any more information about this,
    > let me know.
    >
    > Apr 28 06:05:56 nbs kernel: Packet log: input DENY eth0 PROTO=17
    > 1.2.3.4:1024 24.28.27.248:31337 L=81 S=0x00 I=49120 F=0x0000
    > T=118 (#16)
    >
    > Brian Kraman wrote:
    > >
    > > (1)   Did anyone else get a scan on port 31337 from IP
    > > 1.2.3.4 at about 03:26:51 CT on 4/28/01?
    > >
    > > (2)   Are there Windows 95/98-based packet sniffers
    > > that would yield any evidence of the originating IP?
    > >
    > > (3)   Also, has anyone else gotten scanned from the
    > > elementary school in S. Korea?  I believe I saw
    > > someone write to the list.
    > >
    > > Thanks,
    > > Brian
    > >
    > > __________________________________________________
    > > Do You Yahoo!?
    > > Yahoo! Auctions - buy the things you want at great prices
    > > http://auctions.yahoo.com/
    >
    > --
    > The events which transpired five thousand years ago;
    > Five years ago or five minutes ago, have determined
    > what will happen five minutes from now; five years
    > From now or five thousand years from now.
    > All history is a current event.
    > - Dr John Henrik Clarke -
    >
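
    The logs in this thread make the case for a forged source in two ways that a script can check rather than eyeball: three IDS188 datagrams from 1.2.3.4 arrive about a millisecond apart carrying the same IP ID (a host's own stack would have incremented it), and the claimed source sits in 1.0.0.0/8, which IANA had not allocated to anyone in April 2001. The Python below is an added example, not code from any poster: it parses the Snort 1.x alert blocks and the ipchains kernel line in exactly the formats posted, reports a hop estimate from each TTL, and flags those two indicators per claimed source. The sample log text is constructed from the thread; the list of unallocated prefixes and the table of common initial TTLs (32/64/128/255) are assumptions to replace with bogon data for whatever period you are looking at, and a TTL on a spoofed packet is whatever the sender wrote, so the hop figure is only useful for comparing sightings of the same "source".

```python
import ipaddress
import re
from collections import defaultdict, namedtuple
from typing import Dict, List, Tuple

# One logged datagram, whichever sensor produced it. dgm_len is the IP total length.
Probe = namedtuple("Probe", "sig ts src sport dst dport ttl ipid dgm_len")

# Constructed sample input: four of the Snort alerts quoted in Joshua's post,
# with the destination masked as X.X.X.X exactly as posted.
SNORT_ALERTS = """\
[**] IDS399 - BackOrifice1-info [**]
04/27-00:43:39.769935 24.92.246.190:3875 -> X.X.X.X:31337
UDP TTL:15 TOS:0x0 ID:8763 IpLen:20 DgmLen:46
Len: 26

[**] IDS188/trojan-probe-back-orifice [**]
04/27-01:58:57.786281 1.2.3.4:1024 -> X.X.X.X:31337
UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
Len: 59

[**] IDS188/trojan-probe-back-orifice [**]
04/27-01:58:57.786968 1.2.3.4:1024 -> X.X.X.X:31337
UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
Len: 59

[**] IDS188/trojan-probe-back-orifice [**]
04/27-01:58:57.787917 1.2.3.4:1024 -> X.X.X.X:31337
UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
Len: 59
"""
# Constructed sample input: the ipchains line from John's reply.
IPCHAINS_LOG = ("Apr 28 06:05:56 nbs kernel: Packet log: input DENY eth0 PROTO=17 "
                "1.2.3.4:1024 24.28.27.248:31337 L=81 S=0x00 I=49120 F=0x0000 T=118 (#16)")

SNORT_RE = re.compile(  # Snort 1.x full-alert block; UDP alerts only, like the data above
    r"\[\*\*\] (?P<sig>.+?) \[\*\*\]\n"
    r"(?P<ts>\S+) (?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+)\n"
    r"UDP TTL:(?P<ttl>\d+) TOS:\S+ ID:(?P<ipid>\d+) IpLen:\d+ DgmLen:(?P<dgm>\d+)")
IPCHAINS_RE = re.compile(  # ipchains kernel "Packet log:" line; PROTO=17 (UDP) only
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: (?P<chain>\w+) (?P<verdict>\w+) "
    r"\S+ PROTO=17 (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<dgm>\d+) S=\S+ I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+)")

def _probe(m, sig: str) -> Probe:
    return Probe(sig, m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                 int(m["ttl"]), int(m["ipid"]), int(m["dgm"]))

def parse_snort(text: str) -> List[Probe]:
    return [_probe(m, m["sig"]) for m in SNORT_RE.finditer(text)]

def parse_ipchains(line: str) -> Probe:
    m = IPCHAINS_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains UDP packet-log line: " + line)
    return _probe(m, f"ipchains {m['chain']} {m['verdict']}")

def hop_estimate(ttl: int) -> Tuple[int, int]:
    """(assumed initial TTL, hops travelled) against the usual initial values (an assumption).
    A spoofer writes any TTL it likes, so use this only to compare sightings."""
    initial = next(t for t in (32, 64, 128, 255) if t >= ttl)
    return initial, initial - ttl

# 1.0.0.0/8 was still unallocated by IANA in April 2001 (APNIC got it in 2010), so no
# real host could have sent from 1.2.3.4 then. Replace with bogon data for your period.
UNALLOCATED_AT_THE_TIME = [ipaddress.ip_network("1.0.0.0/8")]

def spoof_indicators(probes: List[Probe]) -> Dict[str, List[str]]:
    """Per claimed source address, the reasons to doubt it is the real origin."""
    by_src: Dict[str, List[Probe]] = defaultdict(list)
    for p in probes:
        by_src[p.src].append(p)
    findings: Dict[str, List[str]] = {}
    for src, plist in by_src.items():
        reasons = []
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:  # masked addresses such as X.X.X.X
            addr = None
        if addr is not None and any(addr in net for net in UNALLOCATED_AT_THE_TIME):
            reasons.append("source lies in address space that was unallocated at the time")
        # An ordinary stack increments the IP ID per datagram; the same ID on several
        # datagrams microseconds apart means a hand-built or replayed packet.
        by_id: Dict[int, List[Probe]] = defaultdict(list)
        for p in plist:
            by_id[p.ipid].append(p)
        for ipid, same in by_id.items():
            if len(same) > 1:
                reasons.append(f"IP ID {ipid} repeated on {len(same)} datagrams "
                               f"({same[0].ts} .. {same[-1].ts})")
        if reasons:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    probes = parse_snort(SNORT_ALERTS) + [parse_ipchains(IPCHAINS_LOG)]
    for p in probes:
        print(f"{p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport} ttl={p.ttl} "
              f"(initial,hops)~{hop_estimate(p.ttl)} id={p.ipid} len={p.dgm_len} [{p.sig}]")
    for src, reasons in spoof_indicators(probes).items():
        print(f"{src}: claimed source is not credible: " + "; ".join(reasons))
```

    Run on its own it prints one line per datagram and then the two findings for 1.2.3.4. The 24.92.246.190 probe gets no finding, which is consistent with Joshua's reading that the earlier IDS399 query went out unmasked, but absence of these indicators does not prove a source is genuine; it only means this check found nothing to contradict it.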
    



    This archive was generated by hypermail 2b30 : Tue May 01 2001 - 07:29:25 PDT