Re: Possible variant of Blaster/Nachi/Welchia? (more)

From: Jeff Kell (jeff-kell_at_utc.edu)
Date: 09/26/03

  • Next message: Jeff Kell: "Re: Possible variant of Blaster/Nachi/Welchia? (full sample)" 
    Date: Fri, 26 Sep 2003 11:40:20 -0400
To: Jeff Kell <jeff-kell@utc.edu>

    Jeff Kell wrote:
    > I have seen some STRANGE traffic on our dorms this morning. The dorms
    > are all on a private network 172.18.0.0. I have hosts (10 so far) that
    > are doing this:
    >
    > spoofed 172.x.x.x:123 UDP --> random 172.x.x.x:123
    > same spoof 172.x.x.x ICMP --> another random 172.x.x.x
    > same spoof 172.x.x.x ICMP --> another random 172.x.x.x

    I just noticed the initial udp:123 destination is a valid NTP source,
    usually time.windows.com:

    > Sep 26 10:43:05.596 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.165.225.160(123) -> 207.46.130.100(123), 1 packet
    > Sep 26 10:58:50.491 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.141.193.21(123) -> 207.46.130.100(123), 1 packet
    > Sep 26 11:05:16.102 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.152.89.157(123) -> 132.163.4.102(123), 1 packet
    > Sep 26 11:05:56.831 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.129.185.162(123) -> 207.46.130.100(123), 1 packet
    > Sep 26 11:16:58.948 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.128.177.27(123) -> 207.46.130.100(123), 1 packet
    > Sep 26 11:25:08.162 EDT: %SEC-6-IPACCESSLOGP: list netcop denied udp 172.140.133.74(123) -> 207.46.130.100(123), 1 packet

    The ICMP targets still appear to be random 172.x.x.x.

    Jeff

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------

  • Next message: Jeff Kell: "Re: Possible variant of Blaster/Nachi/Welchia? (full sample)"