Strange Pix message
From: Jared Ingersoll (jared_at_cswv.com)
Date: 09/15/03
- Previous message: Brian Collins: "compromised RealServer 8 *followup*"
- Next in thread: Barbara Loehle: "Re: Strange Pix message <-- Pix-Bug: CSCdz66410"
- Reply: Barbara Loehle: "Re: Strange Pix message <-- Pix-Bug: CSCdz66410"
- Maybe reply: Shafi, Shahid: "RE: Strange Pix message"
- Reply: James Fields: "Re: Strange Pix message"
- Reply: Dave: "Re: Strange Pix message"
- Reply: Curt Purdy: "RE: [inbox] Strange Pix message"
- Maybe reply: jamesworld_at_intelligencia.com: "Re: Strange Pix message"
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Date: Mon, 15 Sep 2003 16:09:16 -0400
Hi,
I was reviewing my pix syslog messages today and found a strange one from
yesterday morning at around 3 AM, Sunday:
Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 45305562%
The odd thing is that the percent utilization is somewhere around 45 million
percent. Our company operates during "bank hours" so activity at that time
of day is always viewed with a suspicious eye. I called Cisco support and
they were absolutely no help. They tried to pass it off as spoofed IP error
messages related to the Blaster worm. With minimal questioning the tech
could not support that supposition at all (though I'm not saying he wasn't
right).
Leading up to the CPU message was a sequence of UDP port scans on port 135
and 1026, originating from port 666 (as follows):
Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/135 on interface outside
Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/1026 on interface outside
Can anyone shed some light on this?
Thanks,
Jared
---------------------
Jared Ingersoll
Fiserv CSW, Inc.
125 CambridgePark Dr.
Cambridge, MA 02140
t.617.354.1400 x237
f.617.498.0959
---------------------
---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event. Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit us: www.blackhat.com
----------------------------------------------------------------------------
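The two things worth checking in a PIX syslog feed like the one above are (a) a %PIX-3-211003 CPU reading that cannot be real (anything above 100%, which the reply subjects in this thread attribute to a PIX bug rather than to load) and (b) a single outside host being denied on UDP 135/1026, the pattern Jared saw just before the CPU line. The script below is an added example, not code from the original post or from Cisco: it parses the two message IDs from PIX 6.x-style syslog and triages them. The sample lines are constructed for this example; the first four are modelled on the lines quoted in the post (with the poster's x.x.x.x masking kept) and the trailing 37% reading is an invented normal value for contrast.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. Lines 1-4 follow the messages quoted in the post;
# line 5 is an invented "normal" CPU reading used for contrast.
SAMPLE_LOG = """\
Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/135 on interface outside
Sep 14 03:47:45 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/1026 on interface outside
Sep 14 03:48:10 2U:x.x.x.x %PIX-2-106006: Deny inbound UDP from 64.156.39.12/666 to x.x.x.x/1026 on interface outside
Sep 14 03:49:48 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 45305562%
Sep 14 09:12:01 3U:x.x.x.x %PIX-3-211003: CPU utilization for 10 seconds = 37%
"""

# Syslog timestamp at the start of the line ("Sep 14 03:49:48").
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
# %PIX-3-211003: CPU utilization for N seconds = P%
CPU_RE = re.compile(r"%PIX-3-211003: CPU utilization for (?P<window>\d+) seconds = (?P<pct>\d+)%")
# %PIX-2-106006: Deny inbound PROTO from SRC/SPORT to DST/DPORT on interface IFACE
DENY_RE = re.compile(
    r"%PIX-2-106006: Deny inbound (?P<proto>\w+) from (?P<src>[\w.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\w.]+)/(?P<dport>\d+) on interface (?P<iface>\w+)"
)


def parse_pix_line(line):
    """Return a record dict for the two message IDs handled here, else None."""
    ts = TS_RE.match(line)
    if not ts:
        return None
    m = CPU_RE.search(line)
    if m:
        return {"ts": ts.group("ts"), "id": "211003",
                "window": int(m.group("window")), "pct": int(m.group("pct"))}
    m = DENY_RE.search(line)
    if m:
        rec = m.groupdict()
        rec.update(ts=ts.group("ts"), id="106006",
                   sport=int(rec["sport"]), dport=int(rec["dport"]))
        return rec
    return None


def parse_log(text):
    """Parse every recognised line of a syslog dump into records."""
    return [r for r in (parse_pix_line(l) for l in text.splitlines()) if r]


def bogus_cpu(records, max_pct=100):
    """211003 readings that cannot be a real percentage (above max_pct).

    A value like 45305562% is a counter/formatting defect, not load, so it is
    flagged as a firewall-side anomaly rather than as evidence of an attack."""
    return [r for r in records if r["id"] == "211003" and r["pct"] > max_pct]


def deny_sources(records, ports=(135, 1026), proto="UDP"):
    """Map (src_ip, src_port) -> Counter of watched destination ports it hit.

    One source hitting both 135 and 1026 from a fixed source port is the
    pattern in the post; the return value makes that visible per source."""
    hits = defaultdict(Counter)
    for r in records:
        if r["id"] == "106006" and r["proto"] == proto and r["dport"] in ports:
            hits[(r["src"], r["sport"])][r["dport"]] += 1
    return dict(hits)


def triage(text):
    """Run both checks over a raw syslog dump."""
    recs = parse_log(text)
    return {"bogus_cpu": bogus_cpu(recs), "deny_sources": deny_sources(recs)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for r in result["bogus_cpu"]:
        print(f"{r['ts']}  impossible CPU reading {r['pct']}% over {r['window']}s (firewall bug, not load)")
    for (src, sport), ports in result["deny_sources"].items():
        print(f"{src}/{sport} denied on UDP ports {dict(ports)}")
```

The CPU check deliberately separates "the firewall emitted an impossible number" from "the firewall was busy": a number that cannot be a percentage says nothing about load and should be raised with the vendor against the platform's bug list, while the deny summary is what actually tells you whether an outside host was probing at the time.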