> Over the past 2 weeks we've started to receive some pretty
> strange traffic which has been stopped at our border. The
> $TARGET host in each case is the same.

Yes, it started back in the beginning of August.

** Aug 3 06:53:24 - Aug 3 06:53:39: 64.15.202.142 3 Proto: TCP, Ports: ssh ntp
** Aug 3 07:07:08 - Aug 3 07:07:23: 204.71.128.148 3 Proto: TCP, Ports: ssh ntp
** Aug 21 08:01:56 - Aug 21 08:02:11: 64.15.202.142 3 Proto: TCP, Ports: ssh ntp
** Aug 21 08:15:17 - Aug 21 08:15:32: 204.71.128.148 3 Proto: TCP, Ports: ssh ntp
** Aug 22 19:16:20 - Aug 22 19:16:35: 64.15.202.142 3 Proto: TCP, Ports: ssh ntp
** Aug 22 19:28:46 - Aug 22 19:29:01: 204.71.128.148 3 Proto: TCP, Ports: ssh ntp
** Aug 24 15:38:47 - Aug 24 15:39:02: 64.15.202.142 3 Proto: TCP, Ports: ssh ntp
** Aug 24 17:00:14 - Aug 24 17:00:29: 204.71.128.148 3 Proto: TCP, Ports: ssh ntp
** Aug 26 14:41:31 - Aug 26 14:41:46: 64.15.202.142 3 Proto: TCP, Ports: ssh ntp
** Aug 26 16:04:13 - Aug 26 16:04:28: 204.71.128.148 3 Proto: TCP, Ports: ssh ntp
** Aug 28 14:28:14 - Aug 28 14:28:29: 64.15.202.142 3 Proto: TCP, Ports: ssh ntp
** Aug 28 15:51:42 - Aug 28 15:51:57: 204.71.128.148 3 Proto: TCP, Ports: ssh ntp
** Aug 30 14:59:12 - Aug 30 14:59:26: 64.15.202.142 3 Proto: TCP, Ports: ssh ntp
** Aug 30 16:23:56 - Aug 30 16:24:11: 204.71.128.148 3 Proto: TCP, Ports: ssh ntp
** Aug 31 12:02:51 - Aug 31 12:03:06: 216.34.77.12 3 Proto: TCP, Ports: ssh ntp
** Sep 1 16:27:09 - Sep 1 16:27:24: 64.15.202.142 3 Proto: TCP, Ports: ssh ntp
** Sep 1 17:52:55 - Sep 1 17:53:10: 204.71.128.148 3 Proto: TCP, Ports: ssh ntp
** Sep 2 13:54:04 - Sep 2 13:54:19: 216.34.77.12 3 Proto: TCP, Ports: ssh ntp
** Sep 3 18:42:23 - Sep 3 18:42:38: 64.15.202.142 3 Proto: TCP, Ports: ssh ntp
** Sep 3 20:09:10 - Sep 3 20:09:25: 204.71.128.148 3 Proto: TCP, Ports: ssh ntp
** Sep 4 16:21:47 - Sep 4 16:22:02: 216.34.77.12 3 Proto: TCP, Ports: ssh ntp
** Sep 4 16:21:47 - Sep 4 16:22:02: 216.34.77.12 3 Proto: TCP, Ports: ssh ntp
** Sep 5 21:27:05 - Sep 5 21:27:20: 64.15.202.142 3 Proto: TCP, Ports: ssh ntp
** Sep 5 22:54:38 - Sep 5 22:54:53: 204.71.128.148 3 Proto: TCP, Ports: ssh ntp

> Q. Has anyone seen anything like this? Any thoughts??

There were some vulns in SSH and AFAIR in XNTP too.

Bye, Jens Hektor

--
Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
Computing Center Technical University Aachen, network operation & security
mailto:hektorat_private-Aachen.DE, Tel.: +49 241 80 29206, Raum: 2.35

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 08:04:13 PDT