Well, I don't recognize the attack, but it looks like they spoofed most of the
addresses (much like the decoy feature of nmap). I say this because what are
the chances of 4 different hosts that have the same source and destination
port making requests within seconds of each other? Normally (but not always)
in a decoy scan one of the host names will be the correct attacking host,
but it is not easy to find out the real host from the decoys. I'm not sure if this
message will help you much, but that's my 2 cents' worth.
At 08:19 AM 9/7/2000 +0200, Tommy Axelsson wrote:
>Hello
>
>A couple of days ago we had an incident that forced us to reboot our server
>that also works as a gateway.
>We are running Linux 6.2 and are using ip-masquerading and squid.
>First we had an unusual amount of icmp echo requests. Then there was a lot
>of udp datagrams of which only a few are shown below.
>The first batch of packets all came from dial-up connections. The second
>batch mostly came from addresses in Korea.
>
>Sep 3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from
>cx159639-a.irvn1.occa.home.com:13139 (32 data bytes)
>Sep 3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from
>modem-216.jewel-puffer.dialup.pol.co.uk:13139 (32 data bytes)
>Sep 3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from
>modem-171.imperator-angel.dialup.pol.co.uk:13139 (32 data bytes)
>Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
>lph2-2ac.twcny.rr.com:13139 (32 data bytes)
>Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
>pec-52-211.tnt1.b2.uunet.de:13139 (32 data bytes)
>Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
>modem-51.lemonpeel-angel.dialup.pol.co.uk:13139 (32 data bytes)
>Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
>nas-33-196.stockton.navipath.net:13139 (32 data bytes)
>Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
>223-ALIC-X8.libre.retevision.es:13139 (32 data bytes)
>Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
>user35-67.jakinternet.co.uk:13139 (32 data bytes)
>Sep 3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from
>modem-250.blue-streak-damsel.dialup.pol.co.uk:13139 (32 data bytes)
>Sep 3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from
>sy-as-08-167.free.net.au:13139 (32 data bytes)
>Sep 3 13:09:20 gw iplog[3265]: UDP: dgram to gw:port 13139 from
>stargate238-55.salzburg-online.at:13139 (32 data bytes)
>
>Sep 3 16:50:08 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>ip238.kjnxr3.ras.tele.dk:28800 (4 data bytes)
>Sep 3 16:51:02 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>211.169.161.39:28800 (4 data bytes)
>Sep 3 16:51:04 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>s210-219-151-19.thrunet.ne.kr:28800 (4 data bytes)
>Sep 3 16:51:06 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>s210-205-134-190.thrunet.ne.kr:28800 (4 data bytes)
>Sep 3 16:51:10 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>211.110.18.217:28800 (4 data bytes)
>Sep 3 16:51:15 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>211.38.104.212:28800 (4 data bytes)
>Sep 3 16:51:27 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>210.182.122.45:28800 (4 data bytes)
>Sep 3 16:51:29 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>211.58.34.139:28800 (4 data bytes)
>Sep 3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>210.207.24.168:28800 (4 data bytes)
>Sep 3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>cr357836-a.flfrd1.on.wave.home.com:28800 (4 data bytes)
>Sep 3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>211.200.19.78:28800 (4 data bytes)
>Sep 3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>ip66.portland8.or.pub-ip.psi.net:28800 (4 data bytes)
>Sep 3 16:51:38 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>211.118.14.251:28800 (4 data bytes)
>Sep 3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>210.113.82.165:28800 (4 data bytes)
>Sep 3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from
>211.176.7.151:28800 (4 data bytes)
>
>Does anyone know what this could be?
>
>Regards
>
>Tommy Axelsson
--
Randy Mclean
Security/Network Administrator
rmclean_at_natdoor.com
Received on Sep 07 2000
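As an added example (not code from either message in this thread), here is a small Python detector that parses iplog's UDP log lines and flags the pattern Randy describes: several distinct sources hitting one port within seconds, every one of them using a source port equal to the destination port. The sample log lines, hostnames, window and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in iplog's UDP line format (hostnames are made up).
# The first four lines mimic the mirrored-port burst from the thread; the
# last two are ordinary DNS traffic with an ephemeral source port.
SAMPLE_LOG = """\
Sep 3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from host-a.example:13139 (32 data bytes)
Sep 3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from host-b.example:13139 (32 data bytes)
Sep 3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from host-c.example:13139 (32 data bytes)
Sep 3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from host-d.example:13139 (32 data bytes)
Sep 3 13:12:40 gw iplog[3265]: UDP: dgram to gw:port 53 from ns1.example:1024 (64 data bytes)
Sep 3 13:12:41 gw iplog[3265]: UDP: dgram to gw:port 53 from ns1.example:1025 (64 data bytes)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ iplog\[\d+\]: "
    r"UDP: dgram to \S+:port (?P<dport>\d+) from (?P<src>\S+):(?P<sport>\d+) "
    r"\((?P<size>\d+) data bytes\)$"
)

def parse_iplog(text):
    """Parse iplog UDP lines into sorted (time, dst_port, src_host, src_port, size) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a UDP dgram line; ignore
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts, int(m["dport"]), m["src"], int(m["sport"]), int(m["size"])))
    return sorted(events)

def find_mirrored_port_bursts(events, window_seconds=5, min_hosts=4):
    """Return (dst_port, distinct_hosts, first_time, last_time) for each destination
    port hit by >= min_hosts distinct sources within window_seconds, all with
    source port == destination port (the decoy/spoof signature from the reply)."""
    by_port = defaultdict(list)
    for ts, dport, src, sport, _ in events:
        if sport == dport:
            by_port[dport].append((ts, src))
    alerts = []
    for dport, hits in by_port.items():
        start = 0
        for end in range(len(hits)):  # sliding time window over sorted hits
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            hosts = {src for _, src in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append((dport, len(hosts), hits[start][0], hits[end][0]))
                break  # one alert per port is enough here
    return alerts
```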