North American Network Operators Group
Re: Tracing where it started
- From: Travis Pugh
- Date: Sat Jan 25 18:49:04 2003
According to Clayton Fiske:
> Interestingly, looking through my logs for UDP 1434, I saw a
> scan of my subnet like so:
> Jan 16 08:15:51 18.104.22.168,53 -> x.x.x.1,1434 PR udp len 20 33
> Jan 16 08:15:51 22.214.171.124,53 -> x.x.x.2,1434 PR udp len 20 33
> Jan 16 08:15:51 126.96.36.199,53 -> x.x.x.3,1434 PR udp len 20 33
> All from 188.8.131.52, all source port 53 (probably trying to
> use people's DNS firewall rules to get around being filtered).
> After that, I saw nothing until the storm started last night from
> different source IPs, which was at Jan 24 21:31:53 PST for me.
Ditto on the sequential scan well before the actual action, except
that mine came on Jan. 19th:
Jan 19 10:59:11 Deny inbound UDP from 184.108.40.206/1 to xxx.xxx.xxx.xxx
The scan went across several subnets I manage inside 220.127.116.11
serially. My sources were all from 18.104.22.168, all source port 1.
The actual worm propagation began to hit my logs at 00:28:16 EST Jan