Hi all: Please excuse me if this is a newbie question, I'm not sure how to go about searching for answers on intrustion/scanner patterns and the like. I noticed this series of scans/connections in my firewall log this morning. The first thing that came to mind was the Bind 9 vulnerability, but there aren't any exploits available yet, IIRC. As you can see, there was a series of three icmp queries followed by two unsuccessful DNS connections. Has anyone seen this? < Jun 15 15:47:31 dc0 208.185.54.14 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 64.15.251.198 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 213.61.6.2 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 207.235.98.194 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 64.0.96.12 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 209.240.77.130 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 65.119.25.162 -> x.x.x.x icmp < Jun 15 15:47:31 dc0 204.176.88.5 -> x.x.x.x icmp < Jun 15 15:47:32 dc0 64.14.117.10 -> x.x.x.x icmp < Jun 15 15:47:32 dc0 212.62.17.145 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 64.15.251.198 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 208.185.54.14 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 213.61.6.2 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 207.235.98.194 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 64.0.96.12 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 209.240.77.130 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 204.176.88.5 -> x.x.x.x icmp < Jun 15 15:47:42 dc0 65.119.25.162 -> x.x.x.x icmp < Jun 15 15:47:43 dc0 64.14.117.10 -> x.x.x.x icmp < Jun 15 15:47:43 dc0 212.62.17.145 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 208.185.54.14 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 64.15.251.198 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 213.61.6.2 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 207.235.98.194 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 64.0.96.12 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 209.240.77.130 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 65.119.25.162 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 204.176.88.5 -> x.x.x.x icmp < Jun 15 15:47:52 dc0 64.14.117.10 -> x.x.x.x icmp < Jun 15 15:47:53 dc0 212.62.17.145 -> x.x.x.x icmp < Jun 15 15:48:01 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp < Jun 15 15:48:01 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp < Jun 15 15:48:01 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp < Jun 15 15:48:01 dc0 207.235.98.194,54613 -> x.x.x.x,53 udp < Jun 15 15:48:01 dc0 64.0.96.12,50831 -> x.x.x.x,53 udp < Jun 15 15:48:02 dc0 209.240.77.130,39805 -> x.x.x.x,53 udp < Jun 15 15:48:02 dc0 65.119.25.162,3058 -> x.x.x.x,53 udp < Jun 15 15:48:02 dc0 204.176.88.5,8329 -> x.x.x.x,53 udp < Jun 15 15:48:02 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp < Jun 15 15:48:02 dc0 212.62.17.145,54557 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 207.235.98.194,54613 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 64.0.96.12,50831 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 209.240.77.130,39805 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 65.119.25.162,3058 -> x.x.x.x,53 udp < Jun 15 15:48:11 dc0 204.176.88.5,8329 -> x.x.x.x,53 udp < Jun 15 15:48:12 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp < Jun 15 15:48:12 dc0 212.62.17.145,54557 -> x.x.x.x,53 udp -- Jason Dixon RHCE ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 08:35:06 PDT