[NTLUG:Discuss] new worm going around?
Jack Snodgrass
jack at jacksnodgrass.com
Mon Jun 28 12:31:21 CDT 2004
On Mon, 2004-06-28 at 11:20, Kyle Davenport wrote:
> *** Authentication Certificate ***
>
> I just checked my firewall this morning and it's going crazy on port
> 11170/UDP. In fact, 9500 of 10500 blocked and logged accesses came from
> that alone just today. I can't find any information on it online. Anyone?
>
> Kyle
my firewall log has been getting 600-700 entries per day for
the last week or so.... it's 3000 so far today and we're only
half-way through. I wonder what's going on.... none of the virus
sites have any breaking news.
I get a lot of:
Jun 28 12:29:33 Stealth scan (UNPRIV)?: IN=eth1 SRC=195.18.95.92
DST=66.169.125.59 PROTO=TCP DPT=41994 SPT=11920 TTL=109
ACK RST
Jun 28 12:29:37 Stealth scan (UNPRIV)?: IN=eth1 SRC=81.106.227.70
DST=66.169.125.59 PROTO=TCP DPT=41559 SPT=39963 TTL=109
ACK FIN
Jun 28 12:29:40 Stealth scan (UNPRIV)?: IN=eth1 SRC=81.106.227.70
DST=66.169.125.59 PROTO=TCP DPT=41559 SPT=39963 TTL=109
ACK FIN
Jun 28 12:29:46 Stealth scan (UNPRIV)?: IN=eth1 SRC=81.106.227.70
DST=66.169.125.59 PROTO=TCP DPT=41559 SPT=39963 TTL=109
ACK FIN
Jun 28 12:29:58 Stealth scan (UNPRIV)?: IN=eth1 SRC=81.106.227.70
DST=66.169.125.59 PROTO=TCP DPT=41559 SPT=39963 TTL=109
ACK FIN
Jun 28 12:30:19 Stealth scan (UNPRIV)?: IN=eth1 SRC=24.30.93.70
DST=66.169.125.59 PROTO=TCP DPT=42161 SPT=61003 TTL=115
ACK RST
Jun 28 12:30:40 Stealth scan (UNPRIV)?: IN=eth1 SRC=24.30.93.70
DST=66.169.125.59 PROTO=TCP DPT=42161 SPT=61003 TTL=115
ACK RST
type messages....
different hosts... all with DPT=4XXXX SPT=3XXXX or SPT=6XXXX....
wierd.
jack
More information about the Discuss
mailing list