Strange back-orifice looking scan...

From: Jeff Kell (jeff-kellat_private)
Date: Wed Sep 04 2002 - 09:08:48 PDT

    This popped up on ingress this morning, apparently with forged source addresses (given the timing).  Didn't get a packet capture but just 
    the signature (we block Back Orifice ports):
    
    Sep  4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.33.81.214(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:56:32.142 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.146.153(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:56:33.582 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.28.28.138(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:56:34.594 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 66.177.34.146(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:56:35.650 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.88.68.110(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:56:36.862 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.95.36.95(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:56:38.094 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.30.70.219(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:56:39.206 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.30.116.61(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:56:40.226 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 66.108.24.108(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:56:41.290 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.154.41(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:56:42.478 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.24.214.52(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:56:43.486 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.35.2.129(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:56:44.946 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.27.249.134(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:58:45.864 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.114.254(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:58:47.048 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 12.217.88.31(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:58:50.288 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.130.16.39(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:58:53.680 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 216.202.177.153(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:58:56.268 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.99.48.65(1214) -> aa.bb.cc.dd(31336), 1 packet
    Sep  4 11:59:00.488 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 146.115.94.106(1214) -> aa.bb.cc.dd(31336), 1 packet
    
    Any clues on this one?  Looks new to me...
    
    Jeff
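For anyone triaging a burst like the one above, here is an added example (not part of Jeff's post or the list's tooling) that parses Cisco `%SEC-6-IPACCESSLOGP` deny lines and summarises, per target port, how many distinct sources hit it, which source ports they used and how the hits were spaced in time. The "single sender forging sources" heuristic at the end is my assumption: one fixed source port, a different source address on every hit and a steady cadence is what you would expect from one spoofing host rather than many independent ones. The sample lines are copied from the post; `aa.bb.cc.dd` is the anonymised destination.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: four of the ACL deny lines from the post (1214/udp is the
# well-known KaZaA/FastTrack port; 31336 sits next to Back Orifice's 31337).
SAMPLE_LOG = """\
Sep  4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.33.81.214(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:32.142 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.146.153(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:56:33.582 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.28.28.138(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep  4 11:58:45.864 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.114.254(1214) -> aa.bb.cc.dd(31336), 1 packet
"""

# Cisco IOS ACL log format: "<Mon> <d> <HH:MM:SS.mmm> <TZ>: %SEC-6-IPACCESSLOGP: list <acl>
# denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d\.\d+) \w+: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) -> (?P<dst>[\w.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

def parse_events(text):
    """Return one dict per matching deny line; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Syslog carries no year; deltas within one burst do not need it.
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f")
        events.append({"ts": ts, "src": m["src"], "sport": int(m["sport"]),
                       "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"]})
    return events

def summarize(events):
    """Per (dst, dport): hit count, distinct sources, source-port spread, timing."""
    by_target = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        t = by_target.setdefault((e["dst"], e["dport"]),
                                 {"srcs": set(), "sports": Counter(), "ts": []})
        t["srcs"].add(e["src"]); t["sports"][e["sport"]] += 1; t["ts"].append(e["ts"])
    out = {}
    for key, t in by_target.items():
        gaps = [(b - a).total_seconds() for a, b in zip(t["ts"], t["ts"][1:])]
        out[key] = {"hits": len(t["ts"]), "distinct_sources": len(t["srcs"]),
                    "source_ports": dict(t["sports"]),
                    "max_gap_s": max(gaps) if gaps else 0.0,
                    # Heuristic (assumption): never the same source twice, but always
                    # the same source port -> looks like one sender with forged sources.
                    "spoof_suspect": len(t["srcs"]) == len(t["ts"]) and len(t["sports"]) == 1}
    return out
```

Feed it the full 19-line burst and the two-minute gap between 11:56:44 and 11:58:45 shows up in `max_gap_s`, while `distinct_sources` equals `hits` throughout.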
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Wed Sep 04 2002 - 13:23:39 PDT