RE: Odd worm traffic?

From: Jerry Heidtke (jheidtke_at_fmlh.edu)
Date: 08/26/03

    Date: Tue, 26 Aug 2003 14:42:56 -0500
    To: "Chris Boyd" <cboyd@gizmopartners.com>, <incidents@securityfocus.com>
    
    

    This is probably a Blaster-infected machine with an incorrect date, or
    just rebooted, trying its DOS against windowsupdate.com. The ISP
    probably added a DNS entry pointing windowsupdate.com to 127.0.0.1.
    Blaster sends a packet to 127.0.0.1:80 with a spoofed source address
    within the local address range. Since there is not a web server on that
    box, it responds to the spoofed addresses/ports with a RST packet.

    If the ISP had not tried to be "helpful" by adding a DNS entry, Blaster
    would be unable to resolve the address, and would skip the DOS routine.

    Jerry

    -----Original Message-----
    From: Chris Boyd [mailto:cboyd@gizmopartners.com]
    Sent: Tuesday, August 26, 2003 10:31 AM
    To: incidents@securityfocus.com
    Subject: Odd worm traffic?

    Just after midnight local time, one of my IDS boxes that monitors a small
    residential broadband network lit up with a bunch of traffic using
    spoofed source IP of 127.0.0.1, source port 80, destination IPs all
    over the /16, dest ports all in the range of 1002-1992.

    Googling for a pattern like this doesn't turn up much, and no exact
    match. Anyone else seen similar?

    --Chris
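Added example, not code from either poster: a small detector for the traffic pattern Jerry explains above (RSTs sourced from 127.0.0.1:80 toward hosts inside the monitored range), run over constructed packet summaries. The /16 and the addresses are assumptions for the demo.

```python
"""Flag loopback-sourced RSTs of the kind Jerry describes.

Blaster's DoS opens connections to windowsupdate.com:80 from spoofed source
addresses in the local range. When that name resolves to 127.0.0.1, the SYNs
go to the infected host's own loopback port 80; nothing listens there, so the
kernel answers each SYN with a RST sourced from 127.0.0.1:80 and addressed to
the spoofed source, which is how 127.0.0.1:80 -> <local host>:<port> RSTs
reach the wire. A 127/8 source address is never legitimate on a network
segment, so this check has essentially no benign matches.
"""
from ipaddress import ip_address, ip_network

# Constructed records for the demo: (src_ip, src_port, dst_ip, dst_port, flags)
PACKETS = [
    ("127.0.0.1", 80, "10.20.3.7", 1002, "RA"),
    ("127.0.0.1", 80, "10.20.9.44", 1337, "RA"),
    ("127.0.0.1", 80, "10.20.200.1", 1992, "RA"),
    ("10.20.3.7", 1002, "10.20.3.7", 80, "S"),       # not loopback-sourced
    ("10.20.5.5", 40000, "203.0.113.9", 80, "S"),    # ordinary outbound SYN
    ("127.0.0.1", 80, "198.51.100.2", 1500, "RA"),   # outside the watched /16
]


def is_loopback_rst(pkt, monitored):
    """True for a RST from 127/8:80 aimed at a host in the monitored network."""
    src, sport, dst, dport, flags = pkt
    return (ip_address(src).is_loopback and sport == 80 and "R" in flags
            and ip_address(dst) in monitored)


def summarize(packets, monitored_cidr="10.20.0.0/16"):
    """Count matching packets and report the victim hosts and port spread."""
    net = ip_network(monitored_cidr)
    hits = [p for p in packets if is_loopback_rst(p, net)]
    dports = [p[3] for p in hits]
    return {
        "count": len(hits),
        "hosts": sorted({p[2] for p in hits}, key=ip_address),
        "port_range": (min(dports), max(dports)) if dports else None,
    }


if __name__ == "__main__":
    print(summarize(PACKETS))
```

The destination port spread (here 1002-1992, matching Chris's report) is reported rather than matched on, since the spoofed ports are arbitrary.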

    ------------------------------------------------------------------------

    ---
    Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    technical IT security event. Modeled after the famous Black Hat event in
    Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    Symantec is the Diamond sponsor. Early-bird registration ends September 6.
    Visit us: www.blackhat.com
    ------------------------------------------------------------------------