Not sure if the two incidents are related. The TTLs for the records are
very different. Of course, these could be fake as well. But it's a point
against them coming from the same source. Also, the two probes test for
different versions. (May still be good to let RR know about the first probe,
however.)

---
Johannes Ullrich                        Join http://www.dshield.org
jullrichat_private
GPG Key ID: AE692033   Key: http://johannes.homepc.org/pgp.htm
---

On Mon, 30 Apr 2001, Joshua Fritsch wrote:

> I got hit on the 27th around 2AM.
>
> However, about an hour prior to that I got a back orifice "info" query from
> a RoadRunner (rr.com) address, which leads me to believe they forgot to mask
> themselves on the first run. Logs follow.
>
> -J
>
> #############################################
>
> [**] IDS399 - BackOrifice1-info [**]
> 04/27-00:43:39.769935 24.92.246.190:3875 -> X.X.X.X:31337
> UDP TTL:15 TOS:0x0 ID:8763 IpLen:20 DgmLen:46
> Len: 26
>
> [**] IDS188/trojan-probe-back-orifice [**]
> 04/27-01:58:57.786281 1.2.3.4:1024 -> X.X.X.X:31337
> UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
> Len: 59
>
> [**] IDS188/trojan-probe-back-orifice [**]
> 04/27-01:58:57.786968 1.2.3.4:1024 -> X.X.X.X:31337
> UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
> Len: 59
>
> [**] IDS188/trojan-probe-back-orifice [**]
> 04/27-01:58:57.787917 1.2.3.4:1024 -> X.X.X.X:31337
> UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
> Len: 59
>
> [**] IDS188/trojan-probe-back-orifice [**]
> 04/27-02:21:41.751641 1.2.3.4:1024 -> X.X.X.X:31337
> UDP TTL:110 TOS:0x0 ID:3482 IpLen:20 DgmLen:79
> Len: 59
>
> > -----Original Message-----
> > From: John [mailto:johnsat_private]
> > Sent: Sunday, April 29, 2001 10:35 AM
> > To: INCIDENTSat_private
> > Subject: Re: IP 1.2.3.4
> > Importance: High
> >
> > Yes, I got the same probe as you described. Below is an IPCHAIN log.
> > Obviously a forged packet. If you have any more information about this
> > let me know.
> >
> > Apr 28 06:05:56 nbs kernel: Packet log: input DENY eth0 PROTO=17
> > 1.2.3.4:1024 24.28.27.248:31337 L=81 S=0x00 I=49120 F=0x0000
> > T=118 (#16)
> >
> > Brian Kraman wrote:
> > >
> > > (1) Did anyone else get a scan on Port 31337 from IP
> > > 1.2.3.4 about 03:26:51CT 4/28/01?
> > >
> > > (2) Are there Windows-based 98/95 packet sniffers
> > > that would yield any evidence of the originating IP?
> > >
> > > (3) Also, has anyone else gotten scanned from the
> > > elementary school in S. Korea? I believe I saw
> > > someone write to the list.
> > >
> > > Thanks,
> > > Brian
> >
> > --
> > The events which transpired five thousand years ago;
> > Five years ago or five minutes ago, have determined
> > what will happen five minutes from now; five years
> > From now or five thousand years from now.
> > All history is a current event.
> > - Dr John Henrik Clarke -
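The TTL comparison Johannes makes above, worked through as an added example (not code from anyone in this thread): a small Python parser for the Snort alert triplets and the ipchains "Packet log" line quoted here, grouping packets by claimed source address and reporting each source's observed TTLs, inferred initial TTL, hop distance and IP IDs. The sample input is the thread's own log lines; the 32/64/128/255 initial-TTL heuristic is an assumption, so the hop counts are estimates.

```python
import re

# Alert and log lines copied from the thread above ("X.X.X.X" is the poster's own masking).
SAMPLE = """\
[**] IDS399 - BackOrifice1-info [**]
04/27-00:43:39.769935 24.92.246.190:3875 -> X.X.X.X:31337
UDP TTL:15 TOS:0x0 ID:8763 IpLen:20 DgmLen:46
[**] IDS188/trojan-probe-back-orifice [**]
04/27-01:58:57.786281 1.2.3.4:1024 -> X.X.X.X:31337
UDP TTL:110 TOS:0x0 ID:30544 IpLen:20 DgmLen:79
[**] IDS188/trojan-probe-back-orifice [**]
04/27-02:21:41.751641 1.2.3.4:1024 -> X.X.X.X:31337
UDP TTL:110 TOS:0x0 ID:3482 IpLen:20 DgmLen:79
Apr 28 06:05:56 nbs kernel: Packet log: input DENY eth0 PROTO=17 1.2.3.4:1024 24.28.27.248:31337 L=81 S=0x00 I=49120 F=0x0000 T=118 (#16)
"""
SNORT_SIG = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
SNORT_HDR = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
SNORT_IP = re.compile(r"^\w+ TTL:(\d+) TOS:\S+ ID:(\d+)")
IPCHAINS = re.compile(r"PROTO=\d+ (\S+):\d+ (\S+):\d+ L=\d+ S=\S+ I=(\d+) F=\S+ T=(\d+)")

def parse_events(text):
    """Turn Snort alert triplets and ipchains 'Packet log' lines into uniform dicts."""
    events, sig, hdr = [], None, None
    for line in text.splitlines():
        if m := SNORT_SIG.match(line):
            sig = m[1]
        elif m := SNORT_HDR.match(line):
            hdr = m.groups()            # (timestamp, src, sport, dst, dport)
        elif (m := SNORT_IP.match(line)) and hdr:
            events.append(dict(sig=sig, src=hdr[1], dst=hdr[3], ttl=int(m[1]), ipid=int(m[2])))
            sig = hdr = None
        elif m := IPCHAINS.search(line):
            events.append(dict(sig="ipchains DENY", src=m[1], dst=m[2], ttl=int(m[4]), ipid=int(m[3])))
    return events

def initial_ttl(ttl):
    """Smallest common initial TTL (32/64/128/255) at or above the observed value (heuristic)."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)

def profile_sources(events):
    """Per claimed source: observed TTLs, inferred initial TTL, hop distance and IP IDs."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(e)
    return {src: dict(count=len(evs),
                      ttls=sorted({e["ttl"] for e in evs}),
                      initial=sorted({initial_ttl(e["ttl"]) for e in evs}),
                      hops=sorted({initial_ttl(e["ttl"]) - e["ttl"] for e in evs}),
                      ipids=sorted({e["ipid"] for e in evs}))
            for src, evs in by_src.items()}
```

Two packets that imply different initial TTLs (here 32 for the rr.com query and 128 for the 1.2.3.4 probes) point to different IP stacks, which is the kind of evidence Johannes weighs when judging whether the events share a source.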
This archive was generated by hypermail 2b30 : Tue May 01 2001 - 08:50:14 PDT