Strange traffic

From: auto230111at_private
Date: Wed Sep 05 2001 - 17:22:23 PDT

    Over the past 2 weeks we've started to receive some pretty
    strange traffic which has been stopped at our border. The
    $TARGET host in each case is the same.
    
    Q. Has anyone seen anything like this? Any thoughts??
    
    thx.
    
    Aug 22 16:42:04 8/0/icmp $TARGET <- 204.71.128.148 98 
    Aug 22 16:42:06 8/0/icmp $TARGET <- 204.71.128.148 98 
    Aug 22 16:42:15 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Aug 22 16:42:20 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Aug 22 16:42:25 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
    Aug 22 16:42:30 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
    Aug 22 16:42:35 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn 
    
    Aug 25 14:38:33 8/0/icmp $TARGET <- 204.71.128.148 98 
    Aug 25 14:38:34 8/0/icmp $TARGET <- 204.71.128.148 98 
    Aug 25 14:38:44 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Aug 25 14:38:49 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Aug 25 14:38:54 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
    Aug 25 14:38:59 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
    Aug 25 14:39:04 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn 
    
    Aug 27 13:59:02 8/0/icmp $TARGET <- 204.71.128.148 98 
    Aug 27 13:59:03 8/0/icmp $TARGET <- 204.71.128.148 98 
    Aug 27 13:59:13 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Aug 27 13:59:18 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Aug 27 13:59:23 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
    Aug 27 13:59:28 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
    Aug 27 13:59:33 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn 
    
    Aug 29 14:01:46 8/0/icmp $TARGET <- 204.71.128.148 98 
    Aug 29 14:01:47 8/0/icmp $TARGET <- 204.71.128.148 98 
    Aug 29 14:01:57 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Aug 29 14:02:03 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Aug 29 14:02:07 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
    Aug 29 14:02:12 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
    Aug 29 14:02:17 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn 
    
    Aug 31 14:57:16 8/0/icmp $TARGET <- 204.71.128.148 98 
    Aug 31 14:57:16 8/0/icmp $TARGET <- 204.71.128.148 98 
    Aug 31 14:57:26 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Aug 31 14:57:31 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Aug 31 14:57:36 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
    Aug 31 14:57:41 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
    Aug 31 14:57:46 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn 
    
    Sep  1 10:45:39 8/0/icmp $TARGET <- 216.34.77.12 98 
    Sep  1 10:45:40 8/0/icmp $TARGET <- 216.34.77.12 98 
    Sep  1 10:45:50 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
    Sep  1 10:45:55 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
    Sep  1 10:46:00 tcp $TARGET;53 <- 216.34.77.12;1024 54 syn
    Sep  1 10:46:05 tcp $TARGET;123 <- 216.34.77.12;1024 54 syn
    Sep  1 10:46:10 tcp $TARGET;113 <- 216.34.77.12;1024 54 syn
    
    Sep  2 16:45:29 8/0/icmp $TARGET <- 204.71.128.148 98 
    Sep  2 16:45:30 8/0/icmp $TARGET <- 204.71.128.148 98 
    Sep  2 16:45:40 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Sep  2 16:45:45 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Sep  2 16:45:50 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
    Sep  2 16:45:55 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
    Sep  2 16:46:00 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn 
    
    Sep  3 12:49:38 8/0/icmp $TARGET <- 216.34.77.12 98
    Sep  3 12:49:39 8/0/icmp $TARGET <- 216.34.77.12 98
    Sep  3 12:49:49 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
    Sep  3 12:49:54 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
    Sep  3 12:49:58 tcp $TARGET;53 <- 216.34.77.12;1024 54 syn
    Sep  3 12:50:03 tcp $TARGET;123 <- 216.34.77.12;1024 54 syn
    Sep  3 12:50:08 tcp $TARGET;113 <- 216.34.77.12;1024 54 syn
    
    Sep  4 19:08:58 8/0/icmp $TARGET <- 204.71.128.148 98 
    Sep  4 19:08:59 8/0/icmp $TARGET <- 204.71.128.148 98 
    Sep  4 19:09:09 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Sep  4 19:09:14 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn 
    Sep  4 19:09:19 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn 
    Sep  4 19:09:24 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn 
    Sep  4 19:09:29 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn
    
    Sep  5 15:28:51 8/0/icmp $TARGET <- 216.34.77.12 98
    Sep  5 15:28:52 8/0/icmp $TARGET <- 216.34.77.12 98
    Sep  5 15:29:02 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
    Sep  5 15:29:07 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
    Sep  5 15:29:12 tcp $TARGET;53 <- 216.34.77.12;1024 54 syn
    Sep  5 15:29:17 tcp $TARGET;123 <- 216.34.77.12;1024 54 syn
    Sep  5 15:29:22 tcp $TARGET;113 <- 216.34.77.12;1024 54 syn
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
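
One way to confirm that the bursts logged above are a single repeating pattern, as an added example that is not part of the original post: it parses the log format shown, splits events into per-source bursts, and reports any fingerprint that recurs. The function names, the two-minute burst gap and the default year (taken from the post's Date header) are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two bursts copied from the post above, one per source address.
SAMPLE = """\
Aug 22 16:42:04 8/0/icmp $TARGET <- 204.71.128.148 98
Aug 22 16:42:06 8/0/icmp $TARGET <- 204.71.128.148 98
Aug 22 16:42:15 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:20 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:25 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:30 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:35 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn
Sep  1 10:45:39 8/0/icmp $TARGET <- 216.34.77.12 98
Sep  1 10:45:40 8/0/icmp $TARGET <- 216.34.77.12 98
Sep  1 10:45:50 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
Sep  1 10:45:55 tcp $TARGET;22 <- 216.34.77.12;1024 54 syn
Sep  1 10:46:00 tcp $TARGET;53 <- 216.34.77.12;1024 54 syn
Sep  1 10:46:05 tcp $TARGET;123 <- 216.34.77.12;1024 54 syn
Sep  1 10:46:10 tcp $TARGET;113 <- 216.34.77.12;1024 54 syn
"""
LINE = re.compile(r"(\w{3}\s+\d+ [\d:]+) (\S+) [^\s;]+(?:;(\d+))? <- ([\d.]+)(?:;(\d+))?")

def parse(text, year=2001):  # assumption: year taken from the post's Date header
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            yield ts, m[4], m[2], m[3], m[5]  # time, src IP, proto, dst port, src port

def bursts(events, gap=timedelta(minutes=2)):
    """Split each source's events into bursts separated by more than `gap`."""
    out, current = [], {}
    for ev in sorted(events, key=lambda e: e[0]):
        if ev[1] not in current or ev[0] - current[ev[1]][-1][0] > gap:
            current[ev[1]] = []
            out.append(current[ev[1]])
        current[ev[1]].append(ev)
    return out

def recurring(text):
    """Fingerprints (non-TCP count, ordered dst ports, src ports) seen in >1 burst."""
    seen = defaultdict(list)
    for b in bursts(parse(text)):
        tcp = [e for e in b if e[2] == "tcp"]
        sig = (len(b) - len(tcp), tuple(int(e[3]) for e in tcp),
               frozenset(int(e[4]) for e in tcp))
        seen[sig].append(b[0][1])
    return {sig: srcs for sig, srcs in seen.items() if len(srcs) > 1}
```

Because the fingerprint leaves out the source address, the same probe sequence arriving from a second address still groups with the first.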
    


