A bit of comic relief after all the intensity of the Windows RPC >crap<. Anyone have any ideas what this might be? And remember that classic advice from CERT's 'Intrusion Detection Checklist': "The common item to look for when reviewing log files is anything that appears out of the ordinary."

---------- Forwarded message ----------
Date: Mon, 15 Sep 2003 16:09:16 -0400
From: Jared Ingersoll <jaredat_private>
To: "'incidentsat_private'" <incidentsat_private>
Subject: Strange Pix message

Hi,

I was reviewing my PIX syslog messages today and found a strange one from yesterday morning at around 3 AM, Sunday:

    Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 45305562%

The odd thing is that the percent utilization is somewhere around 45 million percent. Our company operates during "bank hours", so activity at that time of day is always viewed with a suspicious eye.

I called Cisco support and they were absolutely no help. They tried to pass it off as spoofed IP error messages related to the Blaster worm. With minimal questioning the tech could not support that supposition at all (though I'm not saying he wasn't right).

Leading up to the CPU message was a sequence of UDP port scans on ports 135 and 1026, originating from port 666 (as follows):

    Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/135 on interface outside
    Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/1026 on interface outside

Can anyone shed some light on this?

Thanks,
Jared

---------------------
Jared Ingersoll
Fiserv CSW, Inc.
125 CambridgePark Dr.
Cambridge, MA 02140
t.617.354.1400 x237
f.617.498.0959
---------------------

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

This archive was generated by hypermail 2b30 : Mon Sep 15 2003 - 23:14:13 PDT
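The "anything out of the ordinary" advice quoted above can be turned into a small triage script for exactly these PIX messages. The following is an added example, not code from the post or from Cisco: it parses %PIX-3-211003 CPU-utilization messages and flags any percentage that cannot be a real measurement (outside 0..100), and it groups %PIX-2-106006 inbound denies by source address and source port so a single-source sweep across several destination ports stands out. The sample log is constructed from the lines quoted in the post, with the same masked x.x.x.x addresses.

```python
import re

# Constructed sample, modelled on the PIX syslog lines quoted in the post.
SAMPLE_LOG = """\
Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/135 on interface outside
Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/1026 on interface outside
Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 45305562%
Sep 14 09:00:00 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 45%
"""

# Generic PIX syslog envelope: timestamp, host tag, %PIX-<severity>-<msgid>: body
MSG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
CPU_RE = re.compile(r"CPU utilization for (?P<window>\d+) seconds = (?P<pct>\d+)%")
DENY_RE = re.compile(
    r"Deny inbound (?P<proto>\w+) from (?P<src>[\w.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\w.]+)/(?P<dport>\d+) on interface (?P<iface>\w+)")


def parse_pix(line):
    """Split one PIX syslog line into its envelope fields, or None if it is not one."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def triage(log_text):
    """Return (implausible CPU readings, inbound denies grouped by (src, sport))."""
    bad_cpu = []
    denies = {}
    for line in log_text.splitlines():
        rec = parse_pix(line)
        if rec is None:
            continue
        if rec["msgid"] == "211003":
            c = CPU_RE.search(rec["body"])
            if c:
                pct = int(c.group("pct"))
                # A percentage outside 0..100 cannot be a real load figure; treat it as
                # a corrupted or unexpected message that deserves a closer look.
                if not 0 <= pct <= 100:
                    bad_cpu.append((rec["ts"], pct))
        elif rec["msgid"] == "106006":
            d = DENY_RE.search(rec["body"])
            if d:
                key = (d.group("src"), d.group("sport"))
                denies.setdefault(key, []).append(int(d.group("dport")))
    return bad_cpu, denies
```

Run on the sample, the CPU list holds the single 45305562% reading and the deny table shows one source (64.156.39.12, port 666) touching destination ports 135 and 1026.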