[logs] Strange Pix message

From: Tina Bird (tbird@precision-guesswork.com)
Date: Mon Sep 15 2003 - 23:10:11 PDT


    A bit of comic relief after all the intensity of the Windows RPC >crap<.
    Anyone have any ideas what this might be?
    
    And remember that classic advice from CERT's 'Intrusion Detection
    Checklist': "The common item to look for when reviewing log files is
    anything that appears out of the ordinary."
    
    ---------- Forwarded message ----------
    Date: Mon, 15 Sep 2003 16:09:16 -0400
    From: Jared Ingersoll <jaredat_private>
    To: "'incidentsat_private'" <incidentsat_private>
    Subject: Strange Pix message
    
    Hi,
    
    I was reviewing my pix syslog messages today and found a strange one from
    yesterday morning at around 3 AM, Sunday:
    
    
    Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 45305562%
    
    The odd thing is that the percent utilization is somewhere around 45 million
    percent. Our company operates during "bank hours" so activity at that time
    of day is always viewed with a suspicious eye. I called Cisco support and
    they were absolutely no help. They tried to pass it off as spoofed IP error
    messages related to the Blaster worm. With minimal questioning the tech
    could not support that supposition at all (though I'm not saying he wasn't
    right).
    
    Leading up to the CPU message was a sequence of UDP port scans on ports 135
    and 1026, originating from port 666 (as follows):
    
    Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/135 on interface outside
    Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/1026 on interface outside
    
    Can anyone shed some light on this?
    
    Thanks,
    Jared
    
    ---------------------
    Jared Ingersoll
    Fiserv CSW, Inc.
    125 CambridgePark Dr.
    Cambridge, MA 02140
    t.617.354.1400 x237
    f.617.498.0959
    ---------------------
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
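The two oddities in Jared's post (a %PIX-3-211003 CPU figure that cannot be a percentage, and one source IP with a fixed source port being denied against several destination ports) are both things a log reviewer can pull out mechanically. The script below is an added example, not code from the post or from Cisco: it parses PIX syslog lines in the exact shape quoted above, flags any 211003 utilization outside 0..100%, and groups 106006 denies by (source IP, source port) to surface candidate port sweeps. The sample lines are constructed from the ones in the post (x.x.x.x is kept as the poster masked it, and a sane 37% line is added as a control); the msgid numbers and field layout are taken from the quoted lines, not from a Cisco spec.

```python
"""Triage Cisco PIX syslog lines: flag impossible CPU-utilization values and
group repeated 106006 denies from one source into candidate port sweeps."""
import re
from collections import defaultdict

# Constructed sample lines modelled on the ones quoted in the post. The last
# line (37%) is an added control that must NOT be flagged.
SAMPLE_LOG = """\
Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/135 on interface outside
Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/1026 on interface outside
Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 45305562%
Sep 14 04:00:12 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 37%
"""

# Common PIX syslog header: "<Mon DD HH:MM:SS> <host> %PIX-<sev>-<msgid>: <body>"
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
CPU = re.compile(r"CPU utilization for (?P<window>\d+) seconds = (?P<pct>\d+)%")
DENY = re.compile(
    r"Deny inbound (?P<proto>\w+) from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) on interface (?P<iface>\w+)"
)


def parse_pix(line):
    """Return a dict of fields for one PIX syslog line, or None if it does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    body = rec["body"]
    if rec["msgid"] == "211003":
        c = CPU.search(body)
        if c:
            rec["cpu_pct"] = int(c["pct"])
            rec["cpu_window_s"] = int(c["window"])
    elif rec["msgid"] == "106006":
        d = DENY.search(body)
        if d:
            rec.update(d.groupdict())
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
    return rec


def impossible_cpu(records):
    """211003 reports whose utilization is outside 0..100%. Such a value cannot be
    a real load figure; treat it as a counter/formatting fault in the device, not
    as evidence of load, and correlate it with whatever else happened at that time."""
    return [(r["ts"], r["cpu_pct"]) for r in records
            if "cpu_pct" in r and not 0 <= r["cpu_pct"] <= 100]


def port_sweeps(records, min_ports=2):
    """Group 106006 denies by (source IP, source port). One source using a fixed
    source port against several destination ports is the pattern in the post
    (666 -> 135, 1026); min_ports sets how many distinct targets count as a sweep."""
    seen = defaultdict(lambda: {"dports": set(), "first": None, "last": None})
    for r in records:
        if "dport" not in r:
            continue
        s = seen[(r["src"], r["sport"])]
        s["dports"].add(r["dport"])
        s["first"] = s["first"] or r["ts"]
        s["last"] = r["ts"]
    return [
        {"src": src, "sport": sport, "dports": sorted(s["dports"]),
         "first": s["first"], "last": s["last"]}
        for (src, sport), s in sorted(seen.items())
        if len(s["dports"]) >= min_ports
    ]


def analyze(text, min_ports=2):
    """Run both checks over a block of syslog text and return the findings."""
    records = [r for r in map(parse_pix, text.splitlines()) if r]
    return {"impossible_cpu": impossible_cpu(records),
            "sweeps": port_sweeps(records, min_ports)}


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_LOG).items():
        print(name, findings)
```

On the post's own lines this reports the 45305562% reading and one sweep from 64.156.39.12/666 covering ports 135 and 1026; the 37% control line is left alone. Because syslog timestamps carry no year, the script keeps them as strings rather than guessing one.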
    



    This archive was generated by hypermail 2b30 : Mon Sep 15 2003 - 23:14:13 PDT