We've observed two disparate clients apparently rooted (both are Win2K I believe), being used to packet flood a variety of Microsoft sites (msn.com, hotmail.com and microsoft.com itself). Just a few seconds of IP accounting showed: Destination Packets Bytes 64.4.32.251 14201 20940508 207.68.171.254 11862 17764328 64.4.32.1 12142 18184104 207.46.197.102 59698 89401960 These clients are on very different CIDR blocks (from the first octet). We don't have any further information at this time, other than one client saturated their T1 and the other saturated a 10Mb/s connection. I haven't observed any noticeable impacts to the microsoft sites being attacked. We have been able to track back the activity on MRTG graphs to last Thurs for both clients. We investigated the traffic volume the first day it appeared and at that time saw what appeared to be an attack against two hosts in .fr and one in .de. The client assured us at this time it was legitimate traffic. A port scan of one of the infected hosts shows: 7 Echo 9 Discard 13 Daytime 17 Quote of the Day 19 Character Generator 21 File Transfer Protocol [Control] 25 Simple Mail Transfer 80 World Wide Web HTTP 135 DCE endpoint resolution 139 NETBIOS Session Service 443 https MCom 445 Microsoft-DS 548 AFP over TCP 1025 network blackjack 1026 1027 ICQ? 1433 Microsoft-SQL-Server 5631 pcANYWHEREdata The client claims that they are not running Appletalk (548) but I'm not sure whether to believe. We haven't been able to get console access to that machine to do any further investigation (but have blocked it upstream). Of the above services, most look legit from what I can tell with the exception of 548 and 1025-1027 Mike ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 15:36:11 PST