Re: Strange traffic

From: Jens Hektor (hektorat_private-aachen.de)
Date: Wed Sep 05 2001 - 23:06:14 PDT


     > Over the past 2 weeks we've started to receive some pretty
     > strange traffic which has been stopped at our border. The
     > $TARGET host in each case is the same.
    
    Yes, it started back in the beginning of August.
    
    ** Aug 3 06:53:24 - Aug 3 06:53:39: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
    ** Aug 3 07:07:08 - Aug 3 07:07:23: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
    ** Aug 21 08:01:56 - Aug 21 08:02:11: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
    ** Aug 21 08:15:17 - Aug 21 08:15:32: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
    ** Aug 22 19:16:20 - Aug 22 19:16:35: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
    ** Aug 22 19:28:46 - Aug 22 19:29:01: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
    ** Aug 24 15:38:47 - Aug 24 15:39:02: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
    ** Aug 24 17:00:14 - Aug 24 17:00:29: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
    ** Aug 26 14:41:31 - Aug 26 14:41:46: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
    ** Aug 26 16:04:13 - Aug 26 16:04:28: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
    ** Aug 28 14:28:14 - Aug 28 14:28:29: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
    ** Aug 28 15:51:42 - Aug 28 15:51:57: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
    ** Aug 30 14:59:12 - Aug 30 14:59:26: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
    ** Aug 30 16:23:56 - Aug 30 16:24:11: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
    ** Aug 31 12:02:51 - Aug 31 12:03:06: 216.34.77.12 3  Proto: TCP, Ports: ssh ntp
    ** Sep 1 16:27:09 - Sep 1 16:27:24: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
    ** Sep 1 17:52:55 - Sep 1 17:53:10: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
    ** Sep 2 13:54:04 - Sep 2 13:54:19: 216.34.77.12 3  Proto: TCP, Ports: ssh ntp
    ** Sep 3 18:42:23 - Sep 3 18:42:38: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
    ** Sep 3 20:09:10 - Sep 3 20:09:25: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
    ** Sep 4 16:21:47 - Sep 4 16:22:02: 216.34.77.12 3  Proto: TCP, Ports: ssh ntp
    ** Sep 4 16:21:47 - Sep 4 16:22:02: 216.34.77.12 3  Proto: TCP, Ports: ssh ntp
    ** Sep 5 21:27:05 - Sep 5 21:27:20: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
    ** Sep 5 22:54:38 - Sep 5 22:54:53: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
    
    
     > Q. Has anyone seen anything like this? Any thoughts??
    
    There were some vulns in SSH and, AFAIR, in XNTP too.
    
    Bye, Jens Hektor
    
    -- 
    Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
    Computing Center Technical University Aachen, network operation & security
    mailto:hektorat_private-Aachen.DE, Tel.: +49 241 80 29206, Raum: 2.35
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
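The firewall summary lines posted above have a regular shape (time window, source address, hit count, protocol, ports). The following parser and per-source aggregation is an added example, not code from the poster or the list; it assumes the syslog-style timestamps belong to 2001 (the year of the post), since the format carries no year, and uses a few of the posted lines as constructed sample input.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a handful of the firewall summary lines from the post above.
SAMPLE_LOG = """\
** Aug 3 06:53:24 - Aug 3 06:53:39: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
** Aug 3 07:07:08 - Aug 3 07:07:23: 204.71.128.148 3  Proto: TCP, Ports: ssh ntp
** Aug 21 08:01:56 - Aug 21 08:02:11: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
** Aug 31 12:02:51 - Aug 31 12:03:06: 216.34.77.12 3  Proto: TCP, Ports: ssh ntp
** Sep 1 16:27:09 - Sep 1 16:27:24: 64.15.202.142 3  Proto: TCP, Ports: ssh ntp
"""

# One summary line: "** <start> - <end>: <src> <count>  Proto: <proto>, Ports: <ports>"
LINE_RE = re.compile(
    r"^\*\*\s+(?P<start>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+-\s+"
    r"(?P<end>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}):\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<count>\d+)\s+"
    r"Proto:\s+(?P<proto>\w+),\s+Ports:\s+(?P<ports>.+?)\s*$"
)

def parse_ts(s, year=2001):
    # Assumption: syslog timestamps have no year; the thread is from 2001.
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def parse_line(line):
    """Return a dict for a well-formed summary line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"start": parse_ts(m["start"]), "end": parse_ts(m["end"]),
            "src": m["src"], "count": int(m["count"]),
            "proto": m["proto"], "ports": tuple(m["ports"].split())}

def summarize(text):
    """Group events by source address: how often, on how many distinct days,
    how long each probe window lasted, and which ports were touched."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    return {
        src: {
            "events": len(evs),
            "days": len({e["start"].date() for e in evs}),
            "window_s": max((e["end"] - e["start"]).total_seconds() for e in evs),
            "ports": sorted({p for e in evs for p in e["ports"]}),
        }
        for src, evs in by_src.items()
    }
```

Feeding the full posted log through `summarize` shows the same few sources returning every couple of days with identical 15-second windows against the same two ports, which is the recurring pattern the original poster was asking about.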
    