Looks to me like a ping followed by a UDP connect. Ten Extra IP addresses were probably inserted as decoys. I would assert that only one of those eleven IPs are your scanner. I believe that NMAP would look like this, if configured to ping first and use ten decoys. Blocking icmp at your firewall is a good way mitigate blind scans. J Jewitt --- Jason Dixon <jasondixonat_private> wrote: > Hi all: > > Please excuse me if this is a newbie question, I'm > not sure how to go > about searching for answers on intrustion/scanner > patterns and the > like. I noticed this series of scans/connections in > my firewall log > this morning. The first thing that came to mind was > the Bind 9 > vulnerability, but there aren't any exploits > available yet, IIRC. > > As you can see, there was a series of three icmp > queries followed by two > unsuccessful DNS connections. Has anyone seen this? > > > < Jun 15 15:47:31 dc0 208.185.54.14 -> x.x.x.x > icmp > < Jun 15 15:47:31 dc0 64.15.251.198 -> x.x.x.x > icmp > < Jun 15 15:47:31 dc0 213.61.6.2 -> x.x.x.x > icmp > < Jun 15 15:47:31 dc0 207.235.98.194 -> > x.x.x.x icmp > < Jun 15 15:47:31 dc0 64.0.96.12 -> x.x.x.x > icmp > < Jun 15 15:47:31 dc0 209.240.77.130 -> > x.x.x.x icmp > < Jun 15 15:47:31 dc0 65.119.25.162 -> x.x.x.x > icmp > < Jun 15 15:47:31 dc0 204.176.88.5 -> x.x.x.x > icmp > < Jun 15 15:47:32 dc0 64.14.117.10 -> x.x.x.x > icmp > < Jun 15 15:47:32 dc0 212.62.17.145 -> x.x.x.x > icmp > < Jun 15 15:47:42 dc0 64.15.251.198 -> x.x.x.x > icmp > < Jun 15 15:47:42 dc0 208.185.54.14 -> x.x.x.x > icmp > < Jun 15 15:47:42 dc0 213.61.6.2 -> x.x.x.x > icmp > < Jun 15 15:47:42 dc0 207.235.98.194 -> > x.x.x.x icmp > < Jun 15 15:47:42 dc0 64.0.96.12 -> x.x.x.x > icmp > < Jun 15 15:47:42 dc0 209.240.77.130 -> > x.x.x.x icmp > < Jun 15 15:47:42 dc0 204.176.88.5 -> x.x.x.x > icmp > < Jun 15 15:47:42 dc0 65.119.25.162 -> x.x.x.x > icmp > < Jun 15 15:47:43 dc0 64.14.117.10 -> x.x.x.x > icmp > < Jun 15 15:47:43 dc0 212.62.17.145 -> x.x.x.x > icmp > < Jun 15 15:47:52 dc0 208.185.54.14 -> x.x.x.x > icmp > < Jun 15 15:47:52 dc0 64.15.251.198 -> x.x.x.x > icmp > < Jun 15 15:47:52 dc0 213.61.6.2 -> x.x.x.x > icmp > < Jun 15 15:47:52 dc0 207.235.98.194 -> > x.x.x.x icmp > < Jun 15 15:47:52 dc0 64.0.96.12 -> x.x.x.x > icmp > < Jun 15 15:47:52 dc0 209.240.77.130 -> > x.x.x.x icmp > < Jun 15 15:47:52 dc0 65.119.25.162 -> x.x.x.x > icmp > < Jun 15 15:47:52 dc0 204.176.88.5 -> x.x.x.x > icmp > < Jun 15 15:47:52 dc0 64.14.117.10 -> x.x.x.x > icmp > < Jun 15 15:47:53 dc0 212.62.17.145 -> x.x.x.x > icmp > < Jun 15 15:48:01 dc0 208.185.54.14,1687 -> > x.x.x.x,53 udp > < Jun 15 15:48:01 dc0 64.15.251.198,32865 -> > x.x.x.x,53 udp > < Jun 15 15:48:01 dc0 213.61.6.2,17613 -> > x.x.x.x,53 udp > < Jun 15 15:48:01 dc0 207.235.98.194,54613 -> > x.x.x.x,53 udp > < Jun 15 15:48:01 dc0 64.0.96.12,50831 -> > x.x.x.x,53 udp > < Jun 15 15:48:02 dc0 209.240.77.130,39805 -> > x.x.x.x,53 udp > < Jun 15 15:48:02 dc0 65.119.25.162,3058 -> > x.x.x.x,53 udp > < Jun 15 15:48:02 dc0 204.176.88.5,8329 -> > x.x.x.x,53 udp > < Jun 15 15:48:02 dc0 64.14.117.10,4502 -> > x.x.x.x,53 udp > < Jun 15 15:48:02 dc0 212.62.17.145,54557 -> > x.x.x.x,53 udp > < Jun 15 15:48:11 dc0 64.15.251.198,32865 -> > x.x.x.x,53 udp > < Jun 15 15:48:11 dc0 208.185.54.14,1687 -> > x.x.x.x,53 udp > < Jun 15 15:48:11 dc0 213.61.6.2,17613 -> > x.x.x.x,53 udp > < Jun 15 15:48:11 dc0 207.235.98.194,54613 -> > x.x.x.x,53 udp > < Jun 15 15:48:11 dc0 64.0.96.12,50831 -> > x.x.x.x,53 udp > < Jun 15 15:48:11 dc0 209.240.77.130,39805 -> > x.x.x.x,53 udp > < Jun 15 15:48:11 dc0 65.119.25.162,3058 -> > x.x.x.x,53 udp > < Jun 15 15:48:11 dc0 204.176.88.5,8329 -> > x.x.x.x,53 udp > < Jun 15 15:48:12 dc0 64.14.117.10,4502 -> > x.x.x.x,53 udp > < Jun 15 15:48:12 dc0 212.62.17.145,54557 -> > x.x.x.x,53 udp > > -- > Jason Dixon > RHCE > > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS > analyzer service. > For more information on this free incident handling, > management > and tracking system please see: > http://aris.securityfocus.com > __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 13:04:38 PDT