Security Incidents mailing list archives
RE: Code red probe followed by udp port 10x
From: Michael Tucker <mtucker () energygraphics com>
Date: Thu, 2 Aug 2001 15:40:23 -0500
I offer three theoretical explanations for the observed increase in bogus activity:

1) The original attackers (or some copycats inspired by them), seeing the success of Code Red, are pressing the attack using a variety of methods.

2) All this media hype has inspired every bored kid who's still on summer break to see what they can hack into before they have to go back to school.

3) We (sysadmins) are being much more observant than usual, due to our concerns about Code Red. The paradox of Schrödinger's Cat applies: (our perception of) the data has been affected by our observation.

I'm voting for 4) All the above. :-)

Yours,
Michael

-----
Michael C. Tucker | Java Developer
Energy Graphics, Inc. | Software Engineer
mtucker () energygraphics com | Sun Certified System Engineer

It's the action, not the fruit of the action that's important. You have to do the right thing... You may never know what results come from your action. But if you do nothing, there will be no result. (Gandhi)
-----Original Message-----
From: Paul Gear [mailto:paulgear () bigfoot com]
Sent: Thursday, August 02, 2001 9:01 AM
To: SecurityFocus Incidents List
Subject: Re: Code red probe followed by udp port 10x

I've seen quite a few similar probes, but always on 1025. Previously I have found information that suggests that this is a Windows NT RPC service. My log entries look like this:

Aug 1 16:23:13 ### kernel: Packet log: input DENY ppp0 PROTO=17 65.4.247.60:1158 ###:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)

I've only ever had one such probe before, but yesterday I got around 20 total, from diverse networks (home.com, kornet.net, hinet.net, chinanet.cn.net, etc.). However, I can't see any direct correlation with Code Red - I got 56 probes from Code Red on 20 July, then nothing until today (2 August, GMT+1000 timezone) - 24 of them so far.

Is someone perhaps trying to hide some other probe activity in Code Red's traffic?

Paul
http://paulgear.webhop.net
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
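Paul's question is whether the UDP 1025 probes correlate with the Code Red (TCP 80) scans. The script below is an added example, not code from either poster: it parses the ipchains "Packet log:" line shape Paul quotes, groups hits by protocol and destination port, counts distinct source /16s (his "diverse networks" observation), and lists sources that hit both services. Paul's own log line is included in the sample; every other line is constructed for the example, and the standard ipchains field order is assumed.

```python
import ipaddress
import re
from collections import defaultdict

# Shape of an ipchains "Packet log:" line as quoted in the thread (### marks the
# fields the poster sanitized). Assumption: standard ipchains field order.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+Packet log:\s+"
    r"(?P<chain>\S+)\s+(?P<target>\S+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+|###):(?P<sport>\d+)\s+(?P<dst>[\d.]+|###):(?P<dport>\d+)\s+"
    r"L=(?P<len>\d+)\s+S=(?P<tos>0x[0-9a-fA-F]+)\s+I=(?P<id>\d+)\s+"
    r"F=(?P<frag>0x[0-9a-fA-F]+)\s+T=(?P<ttl>\d+)(?:\s+\(#(?P<rule>\d+)\))?"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_line(line):
    """Return a dict for an ipchains packet-log line, or None for any other syslog line."""
    m = IPCHAINS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[k] = int(rec[k])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec


def summarize(lines):
    """Group logged packets by (protocol, dest port): hit count, sorted sources, distinct /16s."""
    buckets = defaultdict(lambda: {"count": 0, "sources": set()})
    for rec in filter(None, map(parse_line, lines)):
        b = buckets[(rec["proto_name"], rec["dport"])]
        b["count"] += 1
        b["sources"].add(rec["src"])
    out = {}
    for key, b in buckets.items():
        nets = {ipaddress.ip_network(f"{s}/16", strict=False) for s in b["sources"]}
        out[key] = {"count": b["count"], "sources": sorted(b["sources"]), "networks": len(nets)}
    return out


def overlap(lines, a=("tcp", 80), b=("udp", 1025)):
    """Sources seen against both services: the Code Red / UDP 1025 correlation check."""
    s = summarize(lines)
    return sorted(set(s.get(a, {}).get("sources", [])) & set(s.get(b, {}).get("sources", [])))


# First line is Paul's; the rest are constructed for this example (RFC 5737 test addresses).
SAMPLE_LOG = """\
Aug 1 16:23:13 ### kernel: Packet log: input DENY ppp0 PROTO=17 65.4.247.60:1158 ###:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)
Aug  1 16:40:02 ### kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:3021 ###:80 L=48 S=0x00 I=4521 F=0x4000 T=113 (#60)
Aug  1 16:40:05 ### kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:3022 ###:80 L=48 S=0x00 I=4522 F=0x4000 T=113 (#60)
Aug  1 17:02:41 ### kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.7:2048 ###:80 L=48 S=0x00 I=900 F=0x4000 T=120 (#60)
Aug  1 17:02:44 ### kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.7:1036 ###:1025 L=37 S=0x00 I=901 F=0x0000 T=120 (#66)
Aug  1 18:15:09 ### kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.55:1201 ###:1025 L=37 S=0x00 I=777 F=0x0000 T=110 (#66)
Aug  1 18:15:10 ### kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.55:1202 ###:1024 L=37 S=0x00 I=778 F=0x0000 T=110 (#66)
Aug  1 18:20:00 ### kernel: eth0: link up
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (proto, port), info in sorted(summarize(lines).items()):
        print(f"{proto}/{port}: {info['count']} hits, {len(info['sources'])} sources, {info['networks']} /16s")
    print("sources hitting both tcp/80 and udp/1025:", overlap(lines))
```

Run against a real /var/log/messages the same way (`summarize(open(path))`); a non-empty `overlap()` would be the first concrete evidence that the UDP 1025 probes ride along with Code Red scanners rather than being an unrelated sweep.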
