A pattern of UDP packets, with incrementing destination ports in the range 33434-33523, is almost assuredly a traceroute initiated by host x.y.z.w. If you want to confirm it, compare TTL values of the packets in question: they should increment by 1 with each successive UDP port. Every standard traceroute I've seen, though, has sent three packets for each (TTL value/UDP destination port) pair. Do I understand correctly that you only saw one per?

-g

On 25 Sep 2002, Gordon Chamberlin wrote:

> ... There was one very odd scan that has me concerned.
>
> The firewall logged packets going from a different server, not the
> infected one, to 212.82.211.42:
>
> Sep 23 10:57:21 sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0
> SRC=x.y.z.w DST=212.82.211.42 LEN=38 TOS=0x00 PREC=0x00 TTL=22 ID=27664
> PROTO=UDP SPT=1370 DPT=33501 LEN=18
>
> There are eight of these messages with DPT proceeding sequentially from
> 33501 to 33508, inclusive, within 30 seconds.
>
> Questions:
> Was this other host infected with something? I have searched it but
> been unable to find any traces of hacking.
>
> Assuming w.x.y.z hasn't been cracked, how did someone convince my server
> to try to contact 212.82.211.42?
>
> Any other insight or advice?
>
> Thanks.
> -Gordon
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

Glenn Forbes Fleming Larratt
Rice University Network Management
glrattat_private
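The check Glenn describes (destination ports walking upward through 33434-33523 while the TTL climbs by one per port, or by one per group of three ports for a classic three-probe traceroute) can be run mechanically over firewall logs. The script below is an added example written for this archive page; it is not code from either poster. It parses the netfilter kernel log layout quoted above, groups dropped UDP packets by source and destination, and labels each flow. It generalizes slightly beyond Glenn's text by also recognizing the multi-probe-per-hop layout, and it does not check the 30-second time window Gordon mentions. The addresses, timestamps and source ports in SAMPLE_LINES are constructed (documentation ranges), not the thread's real hosts; the hostname "sicily" and the field layout are copied from the quoted log line.

```python
import re
from collections import defaultdict

# Matches the netfilter/iptables kernel log format quoted in the thread.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?TTL=(?P<ttl>\d+).*?"
    r"PROTO=(?P<proto>\S+)\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)

# Classic UNIX traceroute walks UDP destination ports upward from 33434;
# the upper bound is the range Glenn quotes in his reply.
TRACEROUTE_PORT_LOW = 33434
TRACEROUTE_PORT_HIGH = 33523


def parse_line(line):
    """Return the fields we care about from one kernel log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"), "dst": m.group("dst"),
        "ttl": int(m.group("ttl")), "proto": m.group("proto"),
        "spt": int(m.group("spt")), "dpt": int(m.group("dpt")),
    }


def classify_flows(lines):
    """Group UDP packets by (src, dst), in log order, and label each flow."""
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["proto"] == "UDP":
            flows[(pkt["src"], pkt["dst"])].append(pkt)

    verdicts = {}
    for key, pkts in flows.items():
        probes = [p for p in pkts
                  if TRACEROUTE_PORT_LOW <= p["dpt"] <= TRACEROUTE_PORT_HIGH]
        if len(probes) < 2:
            verdicts[key] = "not-traceroute"
            continue
        ports = [p["dpt"] for p in probes]
        ttls = [p["ttl"] for p in probes]
        if any(b - a != 1 for a, b in zip(ports, ports[1:])):
            verdicts[key] = "udp-traceroute-ports-nonsequential"
            continue
        ttl_steps = [b - a for a, b in zip(ttls, ttls[1:])]
        if all(s == 1 for s in ttl_steps):
            # TTL climbs by one with every port: one probe per hop.
            verdicts[key] = "traceroute-one-probe-per-hop"
        elif all(s in (0, 1) for s in ttl_steps) and 1 in ttl_steps:
            # TTL holds for a few ports, then climbs: several probes per hop
            # (three is the classic default Glenn mentions).
            verdicts[key] = "traceroute-multi-probe-per-hop"
        elif all(s == 0 for s in ttl_steps):
            # Sequential ports with a fixed TTL is not how traceroute behaves.
            verdicts[key] = "udp-sequential-ports-constant-ttl"
        else:
            verdicts[key] = "udp-sequential-ports-irregular-ttl"
    return verdicts


def make_line(ts, src, dst, ttl, spt, dpt):
    """Build a constructed log line in the same layout as the quoted one."""
    return (f"Sep 23 {ts} sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0 "
            f"SRC={src} DST={dst} LEN=38 TOS=0x00 PREC=0x00 TTL={ttl} ID=27664 "
            f"PROTO=UDP SPT={spt} DPT={dpt} LEN=18")


# Constructed sample: documentation addresses, not the thread's real hosts.
SAMPLE_LINES = (
    # Flow A: eight packets, ports 33501..33508, TTL 22..29 (one probe per hop).
    [make_line(f"10:57:{21 + i:02d}", "192.0.2.10", "198.51.100.42",
               22 + i, 1370, 33501 + i) for i in range(8)]
    # Flow B: classic traceroute, three probes per hop starting at TTL 1.
    + [make_line(f"11:02:{i:02d}", "192.0.2.11", "203.0.113.7",
                 1 + i // 3, 40000 + i, 33434 + i) for i in range(6)]
    # Flow C: ordinary DNS traffic, outside the traceroute port range.
    + [make_line("11:05:00", "192.0.2.12", "203.0.113.53", 64, 5353, 53)]
)


def sample_report():
    return classify_flows(SAMPLE_LINES)


if __name__ == "__main__":
    for (src, dst), verdict in sample_report().items():
        print(f"{src} -> {dst}: {verdict}")
```

Feed real lines with classify_flows(open("/var/log/messages")) or similar; a flow labelled traceroute-one-probe-per-hop from an internal host is exactly the case Glenn asks Gordon to confirm by comparing TTLs, and the source address tells you which machine ran the traceroute.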
This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 20:57:33 PDT