
Re: Modap Worm Infection and Subsequent Scanning



A pattern of UDP packets, with incrementing destination ports in the
range 33434-33523, is almost assuredly a traceroute initiated by
host x.y.z.w . If you want to confirm it, compare TTL values of
the packets in question: they should increment by 1 with each
successive UDP port.

Every standard traceroute I've seen, though, has sent three packets
for each (TTL value/UDP destination port) pair. Do I understand
correctly that you only saw one per?

	-g

On 25 Sep 2002, Gordon Chamberlin wrote:

>... There was one very odd scan that has me concerned.
>
> The firewall logged packets going from a different server, not the
> infected one, to 212.82.211.42:
>
> Sep 23 10:57:21 sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0
> SRC=x.y.z.w DST=212.82.211.42 LEN=38 TOS=0x00 PREC=0x00 TTL=22 ID=27664
> PROTO=UDP SPT=1370 DPT=33501 LEN=18
>
> There are eight of these messages with DPT proceeding sequentially from
> 33501 to 33508, inclusive, within 30 seconds.
>
> Questions:
> Was this other host infected with something?  I have searched it but
> been unable to find any traces of hacking.
>
>
> Assuming w.x.y.z hasn't been cracked, how did someone convince my server
> to try to contact 212.82.211.42?
>
>
> Any other insight or advice?
>
>
> Thanks.
>  -Gordon
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>

				Glenn Forbes Fleming Larratt
				Rice University Network Management
				glratt@xxxxxxxx
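One way to run the check described in the reply above (UDP packets to sequential ports in 33434-33523 whose TTL steps up with each port) over firewall lines in the quoted netfilter format, as an added Python example that is not part of the original thread. The log lines, addresses and IDs it feeds in are constructed, and it also accepts the three-probes-per-hop case by allowing the TTL to stay flat between adjacent ports.

```python
import re
from collections import defaultdict

TRACEROUTE_PORTS = range(33434, 33524)   # 33434-33523, the range named in the reply
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Pull KEY=VALUE fields out of one netfilter log line; None unless it is a UDP packet."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "UDP" or "DPT" not in fields or "TTL" not in fields:
        return None
    return {"src": fields["SRC"], "dst": fields["DST"],
            "dpt": int(fields["DPT"]), "ttl": int(fields["TTL"])}

def find_traceroutes(lines):
    """Group UDP packets per (SRC, DST) inside the traceroute port range and test the
    TTL-vs-port relationship: ports step by exactly 1 and TTL grows by 0 or 1 per port
    (0 allows several probes per hop, 1 is the one-probe-per-hop case)."""
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["dpt"] in TRACEROUTE_PORTS:
            flows[(pkt["src"], pkt["dst"])].append(pkt)
    findings = []
    for (src, dst), pkts in flows.items():
        pkts.sort(key=lambda p: p["dpt"])
        ports = [p["dpt"] for p in pkts]
        ttls = [p["ttl"] for p in pkts]
        ports_ok = all(b - a == 1 for a, b in zip(ports, ports[1:]))
        ttl_ok = all(b - a in (0, 1) for a, b in zip(ttls, ttls[1:]))
        # A lone packet, or a run whose TTL never moves, does not match the signature.
        is_tr = len(pkts) > 1 and ports_ok and ttl_ok and ttls[-1] > ttls[0]
        findings.append({"src": src, "dst": dst, "packets": len(pkts),
                         "ports": (ports[0], ports[-1]), "ttls": (ttls[0], ttls[-1]),
                         "traceroute": is_tr})
    return findings

def _sample(ttl, ident, src, spt, dpt):
    # Constructed line in the same format as the firewall message quoted in the thread.
    return (f"Sep 23 10:57:21 sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0 "
            f"SRC={src} DST=192.0.2.10 LEN=38 TOS=0x00 PREC=0x00 TTL={ttl} ID={ident} "
            f"PROTO=UDP SPT={spt} DPT={dpt} LEN=18")

# Constructed sample: one host tracerouting (TTL 1..8, ports 33434..33441) and one host
# sending to sequential ports with a fixed TTL of 64, which should not be flagged.
SAMPLE_LOG = [_sample(t, 27664 + t, "10.0.0.5", 1370, 33433 + t) for t in range(1, 9)] + \
             [_sample(64, 31000 + i, "10.0.0.7", 4000, 33440 + i) for i in range(3)]

if __name__ == "__main__":
    for finding in find_traceroutes(SAMPLE_LOG):
        print(finding)
```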
