Hello there,

A few interesting things from over the weekend...

First, scan for port 88/udp - Kerberos... Notice a portion of the payload: "011ba506". That's almost the IP that is being scanned, though the first octet is completely off and the last octet is off by one, but nonetheless 01 1b a5 06 = 1.27.165.6. The destination IP = x.27.165.7, and in the second example, 01 1b 15 0e = 1.27.165.14. The destination IP = x.27.165.15. A little strange to say the least...

06/10-07:41:09.273680 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x45
208.191.206.41:1130 -> MY.NET.165.7:88 UDP TTL:49 TOS:0x0 ID:52865 IpLen:20 DgmLen:55
Len: 35
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
20 30 31 31 62 61 35 30 36 0D 0A                 011ba506..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/10-07:41:09.326709 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x45
208.191.206.41:1130 -> MY.NET.165.15:88 UDP TTL:49 TOS:0x0 ID:52873 IpLen:20 DgmLen:55
Len: 35
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
20 30 31 31 62 61 35 30 65 0D 0A                 011ba50e..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

And also:

Date        Time      Proto  Source               Destination          Action
2001-06-10  20:39:51  tcp    207.232.9.204:3724   MY.NET.94.213:5555   drop
2001-06-10  20:39:51  tcp    207.232.9.204:3722   MY.NET.94.211:5555   drop
2001-06-10  20:39:51  tcp    207.232.9.204:3721   MY.NET.94.210:5555   drop
2001-06-10  20:39:51  tcp    207.232.9.204:3723   MY.NET.94.212:5555   drop

Looks like someone looking for ramen worm/knark rootkit combination:
http://www.securityfocus.com/archive/75/163619

Later

Gary Portnoy
Network Administrator
gportnoyat_private
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
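As an added example (not from the original post, and not Snort's own code), a small Python helper that parses Snort text-log records like the two above, pulls the 8-digit ASCII hex token out of the payload, decodes it as an IPv4 address and diffs it octet by octet against the real destination. The sample log is constructed from the two quoted records; the anonymised MY.NET first octet is replaced by the placeholder 10, while 27 is the second octet the post itself gives.

```python
import re
from ipaddress import IPv4Address

# Constructed sample modelled on the two Snort records quoted in the post; the anonymised
# MY.NET first octet is the placeholder 10, while 27 is the second octet the post gives.
SAMPLE_LOG = """\
06/10-07:41:09.273680 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x45
208.191.206.41:1130 -> 10.27.165.7:88 UDP TTL:49 TOS:0x0 ID:52865 IpLen:20 DgmLen:55
Len: 35
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
20 30 31 31 62 61 35 30 36 0D 0A                 011ba506..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/10-07:41:09.326709 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x45
208.191.206.41:1130 -> 10.27.165.15:88 UDP TTL:49 TOS:0x0 ID:52873 IpLen:20 DgmLen:55
Len: 35
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
20 30 31 31 62 61 35 30 65 0D 0A                 011ba50e..
"""

# "src:port -> dst:port PROTO" header line of a Snort text-log record.
HEADER_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\w+)")
# Leading run of upper-case hex byte pairs; the ASCII column after them is ignored.
HEX_ROW_RE = re.compile(r"^((?:[0-9A-F]{2} )+)")

def parse_records(text):
    """Split Snort text-log output into (src, dst, dport, payload_bytes) tuples."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            src, _sport, dst, dport, _proto = m.groups()
            records.append([src, dst, int(dport), bytearray()])
        elif records and (h := HEX_ROW_RE.match(line)):
            records[-1][3] += bytes.fromhex(h.group(1))
    return [(s, d, p, bytes(b)) for s, d, p, b in records]

def embedded_ip(payload):
    """Return the IPv4 address spelled as a stand-alone 8-digit ASCII hex token, if any."""
    m = re.search(rb"\b([0-9a-fA-F]{8})\b", payload)
    return IPv4Address(bytes.fromhex(m.group(1).decode())) if m else None

def analyse(text):
    """For each record, decode the echoed address and diff it octet-wise against the target."""
    out = []
    for src, dst, dport, payload in parse_records(text):
        echoed = embedded_ip(payload)
        diff = None if echoed is None else tuple(
            a - b for a, b in zip(IPv4Address(dst).packed, echoed.packed))
        out.append({"src": src, "dst": dst, "dport": dport,
                    "echoed": None if echoed is None else str(echoed), "octet_diff": diff})
    return out
```

Run against the sample, both records show an octet difference of (9, 0, 0, 1): the first octet differs only because of the placeholder, and the last octet of the echoed address is one below the real target, which is the pattern the post describes.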
This archive was generated by hypermail 2b30 : Mon Jun 11 2001 - 16:41:53 PDT