Re: IP 1.2.3.4

From: Joshua Fritsch (joshua.fritschat_private)
Date: Mon Apr 30 2001 - 11:38:04 PDT

Next message: Bryan Andersen: "Re: slow scans to random IPs on port 53 (and other ports0"

Previous message: Mark Challender: "My Mysterious Message"
Maybe in reply to: Brian Kraman: "IP 1.2.3.4"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I got hit on the 27th around 2AM.

However, about an hour prior to that I got a back orifice "info" query from
a RoadRunner (rr.com) address, which leads me to believe they forgot to mask
themselves on the first run.  Logs follow.

-J

#############################################

[**] IDS399 - BackOrifice1-info [**]
04/27-00:43:39.769935 24.92.246.190:3875 -> X.X.X.X:31337
UDP TTL:15 TOS:0x0 ID:8763 IpLen:20 DgmLen:46
Len: 26

[**] IDS188/trojan-probe-back-orifice [**]
04/27-01:58:57.786281 1.2.3.4:1024 -> X.X.X.X:31337
UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
Len: 59

[**] IDS188/trojan-probe-back-orifice [**]
04/27-01:58:57.786968 1.2.3.4:1024 -> X.X.X.X:31337
UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
Len: 59

[**] IDS188/trojan-probe-back-orifice [**]
04/27-01:58:57.787917 1.2.3.4:1024 -> X.X.X.X:31337
UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
Len: 59

[**] IDS188/trojan-probe-back-orifice [**]
04/27-02:21:41.751641 1.2.3.4:1024 -> X.X.X.X:31337
UDP TTL:110 TOS:0x0 ID:3482 IpLen:20 DgmLen:79
Len: 59

> -----Original Message-----
> From: John [mailto:johnsat_private]
> Sent: Sunday, April 29, 2001 10:35 AM
> To: INCIDENTSat_private
> Subject: Re: IP 1.2.3.4
> Importance: High
>
>
> Yes, I got the same probe as you described. Below is an IPCHAIN log.
> Obviously a forged packet. If you have anymore information about this
> let me know.
>
> Apr 28 06:05:56 nbs kernel: Packet log: input DENY eth0 PROTO=17
> 1.2.3.4:1024 24.28.27.248:31337 L=81 S=0x00 I=49120 F=0x0000
> T=118 (#16)
>
> Brian Kraman wrote:
> >
> > (1)   Did anyone else get a scan on Port 31337 from IP
> > 1.2.3.4 about 03:26:51CT 4/28/01?
> >
> > (2)   Is there Windows based 98/95 packet sniffers
> > that would yield any evidence of the originating IP?
> >
> > (3)   Also, has anyone else gotten scanned from the
> > elementary school in S. Korea?  I believe I saw
> > someone write to the list.
> >
> > Thanks,
> > Brian
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Auctions - buy the things you want at great prices
> > http://auctions.yahoo.com/
>
> --
> The events which transpired five thousand years ago;
> Five years ago or five minutes ago, have determined
> what will happen five minutes from now; five years
> From now or five thousand years from now.
> All history is a current event.
> - Dr John Henrik Clake -
>

Next message: Bryan Andersen: "Re: slow scans to random IPs on port 53 (and other ports0"
Previous message: Mark Challender: "My Mysterious Message"
Maybe in reply to: Brian Kraman: "IP 1.2.3.4"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue May 01 2001 - 07:29:25 PDT