* Clayton Fiske (clay@bloomcounty.org) [030125 12:55] writeth:
On Sat, Jan 25, 2003 at 06:58:46AM -0500, Phil Rosenthal wrote:
It might be interesting if some people were to post when they received their first attack packet, and where it came from, if they happened to be logging.
Here is the first packet we logged:

Jan 25 00:29:37 EST 216.66.11.120
Interestingly, looking through my logs for UDP 1434, I saw a sequential scan of my subnet like so:
Jan 16 08:15:51 206.176.210.74,53 -> x.x.x.1,1434 PR udp len 20 33 IN
I'm not sure that going back that far is going to offer anything conclusive, as it could have been any number of scanners looking for vulnerabilities. Looking at my logs back to the 19th, I have isolated hits on the 19th and 23rd. However, they really started to come in force at 22:29:39 MDT, two seconds after Clayton's. My first attempt came from an IP owned by Level 3 Comm.

Jan 23 02:43:44 c6509-core 10829487: 47w0d: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.41.65.170(48962) -> 166.70.10.63(1434), 1 packet
Jan 24 22:29:39 c6509-core 10966964: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 65.57.250.28(1210) -> 204.228.150.9(1434), 1 packet
Jan 24 22:29:44 border 7577864: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 129.219.122.204(1170) -> 204.228.132.100(1434), 1 packet
Jan 24 22:29:50 border 7577865: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 212.67.198.3(1035) -> 166.70.22.47(1434), 1 packet
Jan 24 22:29:52 xmission-paix 425068: 7w0d: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.103.121.140(3546) -> 166.70.22.87(1434), 1 packet
Jan 24 22:29:52 border 7577868: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.57.250.28(1210) -> 204.228.132.18(1434), 1 packet
Jan 24 22:29:55 c6509-core 10966977: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 61.103.121.140(3546) -> 166.70.10.8(1434), 1 packet
Jan 24 22:29:57 c6509-core 10966979: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 12.24.139.231(3315) -> 204.228.140.81(1434), 1 packet
Jan 24 22:29:58 c6509-core 10966980: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 140.115.113.252(3780) -> 207.135.133.228(1434), 1 packet
Jan 24 22:29:59 c6509-core 10966981: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 17.193.12.215(3117) -> 207.135.155.209(1434), 1 packet
Jan 24 22:30:00 border 7577873: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 209.15.147.225(4543) -> 204.228.133.186(1434), 1 packet
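The posts above are doing by hand what a small script does better: pull every denied UDP/1434 packet out of Cisco %SEC-6-IPACCESSLOGP syslog lines, find the earliest one, and find the minute at which isolated probes turn into a flood. The following Python is an added example written for this page, not code posted by any of the participants. It assumes the standard IOS ACL log line shape shown in the thread; the sample log embedded in it is constructed for the example (RFC 5737 documentation addresses, made-up timestamps and sequence numbers), not the real entries from the posts, and the year is supplied by the caller because syslog timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the same shape as the IOS lines quoted in the thread.
# Addresses, sequence numbers and timestamps are made up for this example.
SAMPLE_LOG = """\
Jan 23 02:43:44 core 1: 47w0d: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.0.2.10(48962) -> 198.51.100.63(1434), 1 packet
Jan 24 22:29:39 core 2: 47w1d: %SEC-6-IPACCESSLOGP: list 130 denied udp 192.0.2.28(1210) -> 198.51.100.9(1434), 1 packet
Jan 24 22:29:44 border 3: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.204(1170) -> 198.51.100.100(1434), 1 packet
Jan 24 22:29:50 border 4: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.3(1035) -> 198.51.100.47(1434), 1 packet
Jan 24 22:29:52 border 5: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.28(1210) -> 198.51.100.18(1434), 1 packet
Jan 24 22:30:01 border 6: 30w2d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.5(3300) -> 198.51.100.18(80), 1 packet
"""

# One IOS ACL log line: syslog timestamp, reporting host, anything up to the
# mnemonic, then "list <acl> denied <proto> src(sport) -> dst(dport), N packet(s)".
ACL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?%SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


def parse_acl_line(line, year=2003):
    """Return a dict for one %SEC-6-IPACCESSLOGP line, or None if it does not match.

    Syslog timestamps have no year, so the caller supplies one (assumed, not in the log).
    """
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def port_hits(lines, proto="udp", dport=1434, year=2003):
    """Parsed records for denied packets to the given protocol/port, in time order."""
    recs = (parse_acl_line(l, year) for l in lines)
    hits = [r for r in recs if r and r["proto"] == proto and r["dport"] == dport]
    return sorted(hits, key=lambda r: r["ts"])


def first_hit(records):
    """Earliest record, i.e. the 'first attack packet' the posters are comparing."""
    return min(records, key=lambda r: r["ts"]) if records else None


def hits_per_minute(records):
    """Map 'Mon DD HH:MM' -> number of denied packets in that minute."""
    return dict(Counter(r["ts"].strftime("%b %d %H:%M") for r in records))


def onset_minute(records, threshold=3):
    """First minute in which at least `threshold` hits arrive: where isolated
    probes (the 19th, the 23rd) turn into the flood described in the thread."""
    per_min = Counter(r["ts"].replace(second=0) for r in records)
    for minute in sorted(per_min):
        if per_min[minute] >= threshold:
            return minute.strftime("%b %d %H:%M")
    return None


def unique_sources(records):
    """Distinct source addresses, for looking up whose netblocks they are."""
    return sorted({r["src"] for r in records})


if __name__ == "__main__":
    hits = port_hits(SAMPLE_LOG.splitlines())
    f = first_hit(hits)
    print("first UDP/1434 hit:", f["ts"], f["src"], "->", f["dst"])
    print("per minute:", hits_per_minute(hits))
    print("flood starts:", onset_minute(hits))
    print("sources:", unique_sources(hits))
```

Run it against a real syslog archive by replacing SAMPLE_LOG with the file contents; the TCP/80 line in the sample is there to show that traffic to other ports is filtered out rather than counted. Note that the threshold in onset_minute is a judgement call for small networks: a /24 with a single Slammer-era scanner hitting it will show one packet per host, so pick the threshold relative to how many addresses the ACL protects.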