Re: Worm on 445/tcp?
From: Ryan Yagatich (ryany@pantek.com)
Date: 12/18/02
- Previous message: Joao Gouveia: "IRC -> smtp worm?"
- In reply to: Stephen J. Friedl: "Re: Worm on 445/tcp?"
- Next in thread: Stephen Friedl: "Re: Worm on 445/tcp?"
Date: Tue, 17 Dec 2002 20:41:58 -0500 (EST)
From: Ryan Yagatich <ryany@pantek.com>
To: "Stephen J. Friedl" <steve@unixwiz.net>
Not sure if I follow with that one, per the following:
Dec 8 05:24:28 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=68.67.164.72
DST=216.144.8.165 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=6970 DF PROTO=TCP
SPT=4042 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 8 05:24:31 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=68.67.164.72
DST=216.144.8.165 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=7018 DF PROTO=TCP
SPT=4042 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 8 05:24:37 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=68.67.164.72
DST=216.144.8.165 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=7043 DF PROTO=TCP
SPT=4042 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 8 15:40:19 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=4.62.187.134
DST=216.144.8.191 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=34489 DF PROTO=TCP
SPT=3857 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 8 15:40:22 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=4.62.187.134
DST=216.144.8.191 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=34701 DF PROTO=TCP
SPT=3857 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 8 15:40:28 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=4.62.187.134
DST=216.144.8.191 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=35014 DF PROTO=TCP
SPT=3857 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
My second octet is 144, above the 127 rule. But, unless you are reading
backwards (and the second being the third and the fourth being the first),
then the 216 is still above the 127 rule... Then again, I may have missed
part of the posts and SPT could be originating from 445 as well, in which
case this could be just regular network rejects as usual.
,_____________________________________________________,
\ Ryan Yagatich support@pantek.com \
/ Pantek Incorporated (877) LINUX-FIX /
\ http://www.pantek.com (440) 519-1802 \
/ /
\___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\
On Tue, 17 Dec 2002, Stephen J. Friedl wrote:
>Scott A.McIntyre wrote:
>
<SNIP>
>
>The scanning pattern *is* random, though with a twist. It uses the
>rand() function twice to create a random IP address, but this function
>only has 15 bits of pseudorandomness. The upshot is that the second and
>fourth octets of the IP address will always be in the range 0..127. So
>my IP at home (64.170.X.X) won't ever get any hits.
</SNIP>
>
>Steve
>
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
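The two technical points in this exchange, the 15-bit rand() bias Friedl describes and the second/fourth-octet check Ryan applies by hand to his reject lines, written up as an added Python example (not code from the thread or from either poster). The byte layout assumed in octets_from_two_rands is a model chosen to reproduce the quoted behaviour (second and fourth octets confined to 0..127), not something the thread states; the six netfilter records are the ones quoted in the mail, re-joined from their wrapped lines, and the key=value parsing is generic iptables LOG-target handling.

```python
"""Model the 15-bit rand() bias from the thread and triage 445/tcp reject lines.
Added example; the address-construction model is an assumption, not the worm's code."""
import re
from typing import Dict, List, Optional, Tuple

RAND_MAX = 0x7FFF  # "only 15 bits of pseudorandomness": rand() never exceeds 32767


def octets_from_two_rands(r1: int, r2: int) -> Tuple[int, int, int, int]:
    """Assumed model: each 16-bit rand() result is written little-endian into the
    4-byte address, so r1's low byte is octet 1 and its high byte (never above
    0x7f) is octet 2; r2 likewise fills octets 3 and 4."""
    if not (0 <= r1 <= RAND_MAX and 0 <= r2 <= RAND_MAX):
        raise ValueError("rand() values must lie in 0..RAND_MAX")
    return (r1 & 0xFF, r1 >> 8, r2 & 0xFF, r2 >> 8)


def high_octet_bound() -> int:
    """Exhaustively confirm the bias: the largest value octets 2 and 4 can reach."""
    return max(octets_from_two_rands(r, r)[1] for r in range(RAND_MAX + 1))


def fits_model(ip: str) -> bool:
    """Could the model above ever generate this dotted-quad address?"""
    _, b, _, d = (int(x) for x in ip.split("."))
    return b <= 127 and d <= 127


# netfilter LOG lines: "KEY=value" tokens plus bare flags such as DF and SYN.
_TS_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
_KV_RE = re.compile(r"(\w+)=(\S*)")


def join_wrapped(text: str) -> List[str]:
    """Re-join records that mail wrapping split across several lines."""
    records: List[str] = []
    for line in text.strip().splitlines():
        if _TS_RE.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_reject(record: str) -> Optional[Dict]:
    """Pull the fields a 445/tcp triage needs; None if not a TCP reject line."""
    if "PROTO=TCP" not in record:
        return None
    kv = dict(_KV_RE.findall(record))
    try:
        return {
            "src": kv["SRC"], "dst": kv["DST"],
            "spt": int(kv["SPT"]), "dpt": int(kv["DPT"]),
            "syn": bool(re.search(r"\bSYN\b", record)),
        }
    except KeyError:
        return None


def summarize(records: List[Dict], port: int = 445) -> Dict[str, Dict]:
    """Per-source view of SYN rejects to `port`, with the octet check applied."""
    out: Dict[str, Dict] = {}
    for r in records:
        if r["dpt"] != port or not r["syn"]:
            continue
        e = out.setdefault(r["src"], {"count": 0, "dsts": set(), "spts": set()})
        e["count"] += 1
        e["dsts"].add(r["dst"])
        e["spts"].add(r["spt"])
    for e in out.values():
        # Does any probed destination lie inside the space the model can hit?
        e["dst_fits_model"] = any(fits_model(d) for d in e["dsts"])
        # Same source port on every SYN a few seconds apart is one connect()
        # retransmitting, not several independent probes.
        e["single_attempt"] = len(e["spts"]) == 1
    return out


# The six records quoted in the mail, wrapped exactly as they appeared.
SAMPLE_LOG = """
Dec 8 05:24:28 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=68.67.164.72
DST=216.144.8.165 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=6970 DF PROTO=TCP
SPT=4042 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 8 05:24:31 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=68.67.164.72
DST=216.144.8.165 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=7018 DF PROTO=TCP
SPT=4042 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 8 05:24:37 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=68.67.164.72
DST=216.144.8.165 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=7043 DF PROTO=TCP
SPT=4042 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 8 15:40:19 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=4.62.187.134
DST=216.144.8.191 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=34489 DF PROTO=TCP
SPT=3857 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 8 15:40:22 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=4.62.187.134
DST=216.144.8.191 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=34701 DF PROTO=TCP
SPT=3857 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 8 15:40:28 delta kernel: Rejected:IN=ppp0 OUT= MAC= SRC=4.62.187.134
DST=216.144.8.191 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=35014 DF PROTO=TCP
SPT=3857 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    print("max value of octets 2 and 4 under the model:", high_octet_bound())
    recs = [r for r in map(parse_reject, join_wrapped(SAMPLE_LOG)) if r]
    for src, e in summarize(recs).items():
        print(src, e["count"], "SYNs ->", sorted(e["dsts"]),
              "fits model:", e["dst_fits_model"], "one attempt:", e["single_attempt"])
```

Run against the quoted records the summary reports both sources as a single retransmitted SYN each, aimed at 216.144.8.x destinations whose second octet (144) the model can never produce, which is the observation Ryan makes by eye. Adapting this to a live iptables log only requires feeding real lines to join_wrapped; unwrapped syslog output passes straight through it.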
- Next message: Stephen Friedl: "Re: Worm on 445/tcp?"