RE: Strange network activity

From: Dave Paris (dparis_at_w3works.com)
Date: 04/16/04

  • Next message: Roach4: "Follow-up: Strange network activity"
    To: <incidents@securityfocus.com>
    Date: Fri, 16 Apr 2004 14:53:12 -0400
    
    

    > -----Original Message-----
    > From: Roach4 [mailto:ml@undergroundportal.com]
    > Sent: Friday, April 16, 2004 10:39 AM
    > To: incidents@securityfocus.com
    > Subject: Strange network activity
    >
    >
    > Hi,
    >
    > Yesterday we noticed some strange traffic from some internal machines
    > trying to contact Japan IP addresses on port 54875 like 300 times a
    > second. We left the office without worrying too much and we came back this
    > morning to see that there were external Japan IP addresses which were
    > querying internal machines for the RPC vulnerability.
    [...]

    "noticed...internal machines trying to contact...like 300 times a second."
    "left the office without worrying too much"

    Please tell me you left out a line in your message like "so we
    firewalled off the internal machines from contacting (inbound and outbound)
    the suspect networks."

    If so, please disregard the remainder of this note.

    If not...
    Pardon me for throwing decorum (and sane-sounding responses) out the window,
    but WHAT IN THE HOLY HELL WERE YOU PEOPLE FREAKIN' THINKING WHEN YOU JUST UP
    AND LEFT??!! I mean really... 300 times a second and this didn't set off
    any bells in your heads that there just *might* be a wee bit of a problem on
    your network?!?

    [Shaking my head in disbelief]
    -dsp
