-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 25 January 2003 17:32, Travis Pugh wrote:
[snip]
Ditto on the sequential scan well before the actual action, except that mine came on Jan. 19th:
Jan 19 10:59:11 Deny inbound UDP from 67.8.33.179/1 to xxx.xxx.xxx.xxx
I have a similar packet (but only one) from the same host (time is ntp sync'd EST).
Jan 20 12:55:47 firewall kernel: Packet log: input - ppp0 PROTO=17 67.8.33.179:1 65.83.153.253:1434 L=29 S=0x00 I=20300 F=0x0000 T=110 (#23)
The scan went across several subnets I manage inside 209.67.0.0 serially. My sources were all from 67.8.33.179, all source port 1. The actual worm propagation began to hit my logs at 00:28:16 EST Jan 25.
My first worm packet-
Jan 25 00:32:52 firewall kernel: Packet log: input - ppp0 PROTO=17 131.128.163.118:1631 65.83.153.253:1434 L=404 S=0x00 I=2610 F=0x0000 T=113 (#23)
and continued until
Jan 25 11:48:44 firewall kernel: Packet log: input - ppp0 PROTO=17 151.99.167.133:30725 65.83.153.253:1434 L=404 S=0x00 I=2 F=0x0000 T=111 (#23)
when BS.N apparently shut down 1434.

- --
Redundancy? You can say that again!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Brian Coyle, GCIA http://www.giac.org/GCIA.php

iD8DBQE+Mz9gER3MuHUncBsRAuG3AJ0Xzd+QiDeX6LKHX4frfRF40xJK8gCfUgXw
g7uoFXH2N72uwLudo2OuvpI=
=Kw/8
-----END PGP SIGNATURE-----
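Added example, not part of the original message: a Python triage of ipchains "Packet log" lines in the layout quoted above, separating the 404-byte UDP/1434 packets the post labels as worm traffic from the earlier small packet. The function names and the last sample line are assumptions made for this example; the first three sample lines are the ones quoted in the message.

```python
import re
from collections import Counter

# ipchains "Packet log" line in the layout shown in the message.
PACKET_LOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: Packet log: \S+ \S+ \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) "
)
UDP, PORT = 17, 1434
WORM_LEN = 404  # L= value of the packets the message labels as worm traffic

def classify(line):
    """Return a dict for UDP packets to port 1434, or None for anything else."""
    m = PACKET_LOG.match(line)
    if not m or int(m["proto"]) != UDP or int(m["dport"]) != PORT:
        return None
    length = int(m["length"])
    kind = "worm-sized" if length == WORM_LEN else "other-1434"
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "length": length, "kind": kind}

def summarize(lines):
    """Count hits by kind, bound the worm window, list sources of earlier packets."""
    hits = [h for h in map(classify, lines) if h]
    worm = [h for h in hits if h["kind"] == "worm-sized"]
    return {
        "by_kind": Counter(h["kind"] for h in hits),
        "first_worm": worm[0]["ts"] if worm else None,
        "last_worm": worm[-1]["ts"] if worm else None,
        "early_sources": sorted({h["src"] for h in hits if h["kind"] != "worm-sized"}),
    }

SAMPLE = [
    # The three lines quoted in the message.
    "Jan 20 12:55:47 firewall kernel: Packet log: input - ppp0 PROTO=17 67.8.33.179:1 65.83.153.253:1434 L=29 S=0x00 I=20300 F=0x0000 T=110 (#23)",
    "Jan 25 00:32:52 firewall kernel: Packet log: input - ppp0 PROTO=17 131.128.163.118:1631 65.83.153.253:1434 L=404 S=0x00 I=2610 F=0x0000 T=113 (#23)",
    "Jan 25 11:48:44 firewall kernel: Packet log: input - ppp0 PROTO=17 151.99.167.133:30725 65.83.153.253:1434 L=404 S=0x00 I=2 F=0x0000 T=111 (#23)",
    # Constructed line (documentation addresses) that must be ignored: not port 1434.
    "Jan 25 01:00:00 firewall kernel: Packet log: input - ppp0 PROTO=17 192.0.2.10:4000 198.51.100.7:53 L=60 S=0x00 I=1 F=0x0000 T=64 (#23)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```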