Re: Ip spoof from 0.0.0.0

From: Mike Maxwell (mmaxwellat_private)
Date: Tue Nov 05 2002 - 08:54:27 PST


    We have also been seeing this activity for several days now. It is all 
    directed to port 445. I assume it is some type of port harvesting 
    attempt and have been paying close attention to Internet-facing hosts.
    
    11/05/2002 11:17:08.352 - 	IP spoof detected - 	Source:0.0.0.0, 3442, 
    WAN - 	Destination:a.b.c.120, 445, LAN -
    11/05/2002 10:25:20.592 - 	IP spoof detected - 	Source:0.0.0.0, 1488, 
    WAN - 	Destination:a.b.d.96, 445, LAN
    11/05/2002 08:58:16.688 - 	IP spoof detected - 	Source:0.0.0.0, 2062, 
    WAN - 	Destination:a.b.e.61, 445, LAN
    11/05/2002 08:25:21.768 - 	IP spoof detected - 	Source:0.0.0.0, 2537, 
    WAN - 	Destination:a.b.f.127, 445, LAN -
    
    Ingersoll, Jared wrote:
    > I was hoping someone could tell me whether this is a misconfigured device
    > (perhaps) or is this activity I should be concerned with (and please keep
    > any witless banter regarding my use of 'concerned with' to yourself-
    > thanks!). 
    > 
    > These are SYSLOG entries from my firewall (PIX). (the x.x.x.X are static
    > addresses on the external interface).
    > 
    > -Jared
    > 
    > urchin 7% grep spoof oSYSLOG
    > Nov  1 01:42:44 2U:10.1.1.1 Nov 01 2002 01:50:32: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.5
    > Nov  1 01:58:04 2U:10.1.1.1 Nov 01 2002 02:05:51: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.34
    > Nov  1 02:41:50 2U:10.1.1.1 Nov 01 2002 02:49:37: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.37
    > Nov  1 04:36:35 2U:10.1.1.1 Nov 01 2002 04:44:22: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.19
    > Nov  1 08:18:42 2U:10.1.1.1 Nov 01 2002 08:26:30: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.16
    > Nov  1 08:27:31 2U:10.1.1.1 Nov 01 2002 08:35:19: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.32
    > Nov  1 09:32:08 2U:10.1.1.1 Nov 01 2002 09:39:56: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.33
    > Nov  1 10:42:02 2U:10.1.1.1 Nov 01 2002 10:49:48: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.34
    > Nov  1 18:33:05 2U:10.1.1.1 Nov 01 2002 18:40:51: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.21
    > Nov  2 00:10:06 2U:10.1.1.1 Nov 02 2002 00:17:53: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.7
    > Nov  2 01:54:34 2U:10.1.1.1 Nov 02 2002 02:02:20: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.35
    > Nov  2 08:22:47 2U:10.1.1.1 Nov 02 2002 08:30:33: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.21
    > Nov  2 16:18:40 2U:10.1.1.1 Nov 02 2002 16:26:29: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.33
    > Nov  2 20:33:58 2U:10.1.1.1 Nov 02 2002 20:41:45: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.22
    > Nov  2 22:31:45 2U:10.1.1.1 Nov 02 2002 22:39:34: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.15
    > urchin 8% grep spoof SYSLOG
    > Nov  3 03:49:52 2U:10.1.1.1 Nov 03 2002 03:57:39: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.33
    > Nov  3 06:58:18 2U:10.1.1.1 Nov 03 2002 07:06:07: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.37
    > Nov  3 08:06:33 2U:10.1.1.1 Nov 03 2002 08:14:21: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.22
    > Nov  3 12:32:45 2U:10.1.1.1 Nov 03 2002 12:40:34: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.15
    > Nov  3 16:51:02 2U:10.1.1.1 Nov 03 2002 16:58:50: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.30
    > Nov  3 19:30:21 2U:10.1.1.1 Nov 03 2002 19:38:11: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.39
    > Nov  3 21:04:12 2U:10.1.1.1 Nov 03 2002 21:12:00: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.33
    > Nov  4 00:31:34 2U:10.1.1.1 Nov 04 2002 00:39:24: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.5
    > Nov  4 03:06:55 2U:10.1.1.1 Nov 04 2002 03:14:44: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.12
    > Nov  4 03:16:12 2U:10.1.1.1 Nov 04 2002 03:24:01: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.15
    > Nov  4 04:03:17 2U:10.1.1.1 Nov 04 2002 04:11:05: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.13
    > Nov  4 04:08:19 2U:10.1.1.1 Nov 04 2002 04:16:08: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.16
    > Nov  4 04:21:53 2U:10.1.1.1 Nov 04 2002 04:29:41: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.30
    > Nov  4 05:27:16 2U:10.1.1.1 Nov 04 2002 05:35:04: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.30
    > Nov  4 08:38:26 2U:10.1.1.1 Nov 04 2002 08:46:16: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.34
    > Nov  4 13:33:28 2U:10.1.1.1 Nov 04 2002 13:41:18: %PIX-2-106016: Deny IP
    > spoof from (0.0.0.0) to x.x.x.19
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    > 
    
    -- 
    *******************************
    *  Mike Maxwell  GCIA         *
    *  System Manager--GMA        *
    *  mmaxwellat_private         *
    *******************************
    
    
    
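Added example (not code from either post): a Python parser that normalizes both log formats in this thread, the "IP spoof detected" lines above and the PIX %PIX-2-106016 lines Jared quoted, and checks for the pattern being discussed: source 0.0.0.0, many distinct destination hosts, destination port 445 where a port is logged, spread over several days. The sample lines are constructed from the thread's masked addresses, plus one constructed DHCP DISCOVER (0.0.0.0:68 to 255.255.255.255:67), which is a legitimate reason for a 0.0.0.0 source and is excluded rather than counted.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the two formats from the thread, plus one DHCP DISCOVER.
SAMPLE_LOG = """\
11/05/2002 11:17:08.352 - \tIP spoof detected - \tSource:0.0.0.0, 3442, WAN - \tDestination:a.b.c.120, 445, LAN -
11/05/2002 10:25:20.592 - \tIP spoof detected - \tSource:0.0.0.0, 1488, WAN - \tDestination:a.b.d.96, 445, LAN
Nov  1 01:42:44 2U:10.1.1.1 Nov 01 2002 01:50:32: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.5
Nov  2 00:10:06 2U:10.1.1.1 Nov 02 2002 00:17:53: %PIX-2-106016: Deny IP spoof from (0.0.0.0) to x.x.x.7
11/05/2002 09:00:00.000 - \tIP spoof detected - \tSource:0.0.0.0, 68, WAN - \tDestination:255.255.255.255, 67, LAN
"""

SONICWALL = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\.\d+ - \s*IP spoof detected - \s*"
    r"Source:(?P<src>[\w.]+), (?P<sport>\d+), \w+ - \s*"
    r"Destination:(?P<dst>[\w.]+), (?P<dport>\d+), \w+")
# The PIX 106016 message carries no ports; match on the device timestamp.
PIX = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d\d \d{4} \d\d:\d\d:\d\d): %PIX-2-106016: "
    r"Deny IP spoof from \((?P<src>[\w.]+)\) to (?P<dst>[\w.]+)")

def parse_line(line):
    """Normalize one line of either format to a dict, or None if it is neither."""
    m = SONICWALL.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"),
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"])}
    m = PIX.search(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                "src": m["src"], "sport": None, "dst": m["dst"], "dport": None}
    return None

def is_dhcp_discover(ev):
    """A client with no address yet legitimately sends from 0.0.0.0:68 to :67;
    drop those so they do not inflate the count of the sweep."""
    return ev["src"] == "0.0.0.0" and ev["sport"] == 68 and ev["dport"] == 67

def summarize(text):
    """Count the events and check the pattern the thread describes: unroutable
    source, many distinct targets, one destination port, spread over days."""
    events = [ev for ev in map(parse_line, text.splitlines())
              if ev and not is_dhcp_discover(ev)]
    return {"events": len(events),
            "all_src_zero": all(ev["src"] == "0.0.0.0" for ev in events),
            "dst_hosts": len({ev["dst"] for ev in events}),
            "dst_ports": Counter(ev["dport"] for ev in events if ev["dport"]),
            "days": len({ev["ts"].date() for ev in events})}
```

Running `summarize(SAMPLE_LOG)` on the constructed sample reports four events, all from 0.0.0.0, against four distinct hosts over three days, with 445 the only destination port seen.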



    This archive was generated by hypermail 2b30 : Sat Nov 09 2002 - 03:11:08 PST