North American Network Operators Group
Re: Tracing where it started
- From: Travis Pugh
- Date: Sat Jan 25 18:49:04 2003
According to Clayton Fiske:
> Interestingly, looking through my logs for UDP 1434, I saw a
> scan of my subnet like so:
> Jan 16 08:15:51 126.96.36.199,53 -> x.x.x.1,1434 PR udp len 20 33
> Jan 16 08:15:51 188.8.131.52,53 -> x.x.x.2,1434 PR udp len 20 33
> Jan 16 08:15:51 184.108.40.206,53 -> x.x.x.3,1434 PR udp len 20 33
> All from 220.127.116.11, all source port 53 (probably trying to
> use people's DNS firewall rules to get around being filtered).
> After that, I saw nothing until the storm started last night from
> different source IPs, which was at Jan 24 21:31:53 PST for me.
Ditto on the sequential scan well before the actual action, except
that mine came on Jan. 19th:
Jan 19 10:59:11 Deny inbound UDP from 18.104.22.168/1 to xxx.xxx.xxx.xxx
The scan went across several subnets I manage inside 22.214.171.124
serially. My sources were all from 126.96.36.199, all source port 1.
The actual worm propagation began to hit my logs at 00:28:16 EST Jan