Re: Modap Worm Infection and Subsequent Scanning
A pattern of UDP packets, with incrementing destination ports in the
range 33434-33523, is almost assuredly a traceroute initiated by
host x.y.z.w . If you want to confirm it, compare TTL values of
the packets in question: they should increment by 1 with each
successive UDP port.
Every standard traceroute I've seen, though, has sent three packets
for each (TTL value/UDP destination port) pair. Do I understand
correctly that you only saw one per?
-g
On 25 Sep 2002, Gordon Chamberlin wrote:
>... There was one very odd scan that has me concerned.
>
> The firewall logged packets going from a different server, not the
> infected one, to 212.82.211.42:
>
> Sep 23 10:57:21 sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0
> SRC=x.y.z.w DST=212.82.211.42 LEN=38 TOS=0x00 PREC=0x00 TTL=22 ID=27664
> PROTO=UDP SPT=1370 DPT=33501 LEN=18
>
> There are eight of these messages with DPT proceeding sequentially from
> 33501 to 33508, inclusive, within 30 seconds.
>
> Questions:
> Was this other host infected with something? I have searched it but
> been unable to find any traces of hacking.
>
> Assuming w.x.y.z hasn't been cracked, how did someone convince my server
> to try to contact 212.82.211.42?
>
> Any other insight or advice?
>
> Thanks.
> -Gordon
Glenn Forbes Fleming Larratt
Rice University Network Management
glratt@xxxxxxxx
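A small log check that applies the test in the reply above (UDP, destination ports climbing through 33434-33523 one at a time, TTL never decreasing and rising by at most one per port) to netfilter log lines of the kind quoted. This is an added example, not code from the original thread; the sample lines are constructed to mirror the eight reported drops, plus a second flow to unrelated ports that should not be flagged.

```python
import re
from collections import defaultdict

# Fields pulled from a netfilter/iptables kernel log line; other fields are ignored.
FIELD_RE = re.compile(r"(SRC|DST|PROTO|TTL|DPT)=(\S+)")
REQUIRED = {"SRC", "DST", "PROTO", "TTL", "DPT"}
# Default UDP destination port range of classic traceroute, as given in the reply.
TRACEROUTE_PORTS = range(33434, 33524)

def parse_line(line):
    """Return the fields of interest as a dict, or None if the line lacks any of them."""
    fields = dict(FIELD_RE.findall(line))
    if not REQUIRED <= set(fields):
        return None
    return {"src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
            "ttl": int(fields["TTL"]), "dpt": int(fields["DPT"])}

def classify_flows(lines):
    """Group UDP drops by (src, dst) and say whether each group looks like a traceroute.

    Checks: every DPT is in 33434-33523, DPTs climb by exactly 1 when sorted, and the
    TTL steps by 0 or 1 between successive ports (0 allows several probes per hop).
    Returns {(src, dst): {"traceroute": bool, "packets": n, "probes_per_ttl": k}}.
    """
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["proto"] == "UDP":
            flows[(pkt["src"], pkt["dst"])].append(pkt)
    verdicts = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p["dpt"])
        ports = [p["dpt"] for p in pkts]
        ttls = [p["ttl"] for p in pkts]
        in_range = all(p in TRACEROUTE_PORTS for p in ports)
        sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
        ttl_ok = all(0 <= b - a <= 1 for a, b in zip(ttls, ttls[1:]))
        verdicts[key] = {"traceroute": in_range and sequential and ttl_ok and len(pkts) >= 3,
                         "packets": len(pkts),
                         "probes_per_ttl": len(pkts) / len(set(ttls))}
    return verdicts

# Constructed sample lines in the quoted log format: the traceroute-like flow
# (DPT 33501-33508, TTL 22-29) and three ordinary UDP drops to another host.
TEMPLATE = ("Sep 23 10:57:21 sicily kernel: DROPPING int->ext: IN=eth1 OUT=eth0 "
            "SRC={src} DST={dst} LEN=38 TOS=0x00 PREC=0x00 TTL={ttl} ID=27664 "
            "PROTO=UDP SPT=1370 DPT={dpt} LEN=18")
SAMPLE_LINES = [TEMPLATE.format(src="x.y.z.w", dst="212.82.211.42", ttl=22 + i, dpt=33501 + i)
                for i in range(8)]
SAMPLE_LINES += [TEMPLATE.format(src="x.y.z.w", dst="10.9.8.7", ttl=64, dpt=p) for p in (53, 1434, 137)]

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE_LINES).items():
        print(flow, verdict)
```

A probes_per_ttl near 1.0 matches the single packet per port that Gordon reported, while a standard traceroute would show about 3.0.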
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com