Distributed ICMP/UDP scan or attack?

From: Jason Dixon (jasondixonat_private)
Date: Sun Jun 16 2002 - 03:49:18 PDT

    Hi all:
    
    Please excuse me if this is a newbie question, I'm not sure how to go
    about searching for answers on intrusion/scanner patterns and the
    like.  I noticed this series of scans/connections in my firewall log
    this morning.  The first thing that came to mind was the Bind 9
    vulnerability, but there aren't any exploits available yet, IIRC.
    
    As you can see, there was a series of three icmp queries followed by two
    unsuccessful DNS connections.  Has anyone seen this?  
    
    < Jun  15  15:47:31  dc0  208.185.54.14  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  64.15.251.198  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  213.61.6.2  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  207.235.98.194  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  64.0.96.12  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  209.240.77.130  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  65.119.25.162  ->  x.x.x.x  icmp
    < Jun  15  15:47:31  dc0  204.176.88.5  ->  x.x.x.x  icmp
    < Jun  15  15:47:32  dc0  64.14.117.10  ->  x.x.x.x  icmp
    < Jun  15  15:47:32  dc0  212.62.17.145  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  64.15.251.198  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  208.185.54.14  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  213.61.6.2  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  207.235.98.194  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  64.0.96.12  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  209.240.77.130  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  204.176.88.5  ->  x.x.x.x  icmp
    < Jun  15  15:47:42  dc0  65.119.25.162  ->  x.x.x.x  icmp
    < Jun  15  15:47:43  dc0  64.14.117.10  ->  x.x.x.x  icmp
    < Jun  15  15:47:43  dc0  212.62.17.145  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  208.185.54.14  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  64.15.251.198  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  213.61.6.2  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  207.235.98.194  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  64.0.96.12  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  209.240.77.130  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  65.119.25.162  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  204.176.88.5  ->  x.x.x.x  icmp
    < Jun  15  15:47:52  dc0  64.14.117.10  ->  x.x.x.x  icmp
    < Jun  15  15:47:53  dc0  212.62.17.145  ->  x.x.x.x  icmp
    < Jun  15  15:48:01  dc0  208.185.54.14,1687  ->  x.x.x.x,53  udp
    < Jun  15  15:48:01  dc0  64.15.251.198,32865  ->  x.x.x.x,53  udp
    < Jun  15  15:48:01  dc0  213.61.6.2,17613  ->  x.x.x.x,53  udp
    < Jun  15  15:48:01  dc0  207.235.98.194,54613  ->  x.x.x.x,53  udp
    < Jun  15  15:48:01  dc0  64.0.96.12,50831  ->  x.x.x.x,53  udp
    < Jun  15  15:48:02  dc0  209.240.77.130,39805  ->  x.x.x.x,53  udp
    < Jun  15  15:48:02  dc0  65.119.25.162,3058  ->  x.x.x.x,53  udp
    < Jun  15  15:48:02  dc0  204.176.88.5,8329  ->  x.x.x.x,53  udp
    < Jun  15  15:48:02  dc0  64.14.117.10,4502  ->  x.x.x.x,53  udp
    < Jun  15  15:48:02  dc0  212.62.17.145,54557  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  64.15.251.198,32865  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  208.185.54.14,1687  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  213.61.6.2,17613  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  207.235.98.194,54613  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  64.0.96.12,50831  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  209.240.77.130,39805  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  65.119.25.162,3058  ->  x.x.x.x,53  udp
    < Jun  15  15:48:11  dc0  204.176.88.5,8329  ->  x.x.x.x,53  udp
    < Jun  15  15:48:12  dc0  64.14.117.10,4502  ->  x.x.x.x,53  udp
    < Jun  15  15:48:12  dc0  212.62.17.145,54557  ->  x.x.x.x,53  udp
    
    -- 
    Jason Dixon
    RHCE
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
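As an added example (not part of the original post or of any tool mentioned on the list), a small Python parser that reads firewall lines in the format quoted above and flags sources that send ICMP probes and then UDP/53 packets within a short window, the staging the poster describes. The year (the log has none), the sample lines, and the thresholds are assumptions; the sample reuses three of the posted sources plus one unrelated ping that should not be flagged.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the quoted firewall log format, with or without ",port" on src and dst.
LINE_RE = re.compile(
    r"^<\s+(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+(?P<dst>[\w.]+)(?:,(?P<dport>\d+))?\s+(?P<proto>\w+)"
)

# Constructed sample: three of the sources from the post plus one unrelated ping.
SAMPLE = """\
< Jun  15  15:47:31  dc0  208.185.54.14  ->  x.x.x.x  icmp
< Jun  15  15:47:31  dc0  64.15.251.198  ->  x.x.x.x  icmp
< Jun  15  15:47:31  dc0  213.61.6.2  ->  x.x.x.x  icmp
< Jun  15  15:47:42  dc0  208.185.54.14  ->  x.x.x.x  icmp
< Jun  15  15:47:42  dc0  64.15.251.198  ->  x.x.x.x  icmp
< Jun  15  15:47:42  dc0  213.61.6.2  ->  x.x.x.x  icmp
< Jun  15  15:48:01  dc0  208.185.54.14,1687  ->  x.x.x.x,53  udp
< Jun  15  15:48:01  dc0  64.15.251.198,32865  ->  x.x.x.x,53  udp
< Jun  15  15:48:01  dc0  213.61.6.2,17613  ->  x.x.x.x,53  udp
< Jun  15  15:48:11  dc0  208.185.54.14,1687  ->  x.x.x.x,53  udp
< Jun  15  15:50:00  dc0  10.0.0.9  ->  x.x.x.x  icmp
"""

def parse_line(line, year=2002):
    """Return a dict for one log line, or None if it does not match. The year is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "proto": m["proto"],
            "dport": int(m["dport"]) if m["dport"] else None}

def analyze(lines, min_sources=5, window_s=60):
    """Flag sources that ping first and then hit UDP/53 within window_s; coordinated if >= min_sources do."""
    per_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        per_src[ev["src"]].append(ev)
    staged = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        icmp = [e["ts"] for e in evs if e["proto"] == "icmp"]
        dns = [e["ts"] for e in evs if e["proto"] == "udp" and e["dport"] == 53]
        if icmp and dns and icmp[0] < dns[0]:          # ICMP strictly before the first DNS packet
            span = (dns[-1] - icmp[0]).total_seconds()
            if span <= window_s:
                staged[src] = {"icmp": len(icmp), "dns": len(dns), "span_s": span}
    return {"staged_sources": staged, "coordinated": len(staged) >= min_sources}
```

Run against the full posted log with the default thresholds, all ten sources show the same ICMP-then-DNS staging inside a 40-second span, which is the signature of one coordinated scanner rather than ten unrelated resolvers.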
    
    This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 08:35:06 PDT