Re: Tracing where it started
Graphs of our observances are available at: http://people.ists.dartmouth.edu/~gbakos/sapphire Here's the earliest port 1434 probe that I find. Localtimes are EST. Pay no attention to the port 123 business; I like to include ntp with my dumps to facilitate correlation: [root@bunta hpot]# tcpslice 1041153985 1041154648 ../tcpdump.1041060689 | tcpdump -ttttnr - port 1434 or port 123 or port 53 12/29/2002 09:26:25.248240 140.162.8.25.123 > 64.222.84.217.123: v4 server strat 2 poll 10 prec -16 (DF) [tos 0x10] 12/29/2002 09:37:23.203055 216.150.155.11.53 > 64.222.84.217.1434: [|domain] And the dump: 12/29/2002 09:37:23.203055 216.150.155.11.53 > 64.222.84.217.1434: [|domain] 4500 0021 c8ef 0000 7b11 6d83 d896 9b0b 40de 54d9 0035 059a 000d eeab 0200 0000 00 I ran through packet logs from several networks starting Dec 1. This is the earliest I can find. As indicated above, there was certainlny no prior dns request. Just for poops & snickers, let's have a peek at 216.150.155.11, shall we? NetRange: 216.150.150.0 - 216.150.157.255 CIDR: 216.150.150.0/23, 216.150.152.0/22, 216.150.156.0/23 NetName: EASYCGI-150-157 NetHandle: NET-216-150-150-0-1 Parent: NET-216-150-128-0-1 NetType: Reassigned NameServer: NS1.EASY-CGI.COM NameServer: NS2.EASY-CGI.COM Comment: RegDate: 2002-06-19 Updated: 2002-08-08 [gbakos@lt1 gbakos]$ nc 216.150.155.11 80 GET / HTTP/1.0 HTTP/1.0 404 Not Found Server: Microsoft-IIS/5.0 Date: Mon, 27 Jan 2003 03:38:32 GMT Content-Type: text/html Content-Length: 111 Age: 440 X-Cache: HIT from bunta.alpinista.dyndns.org Connection: close <html><head><title>Site Not Found</title></head> <body>No web site is configured at this address.</body></html> Why doesn't this surprise me? Anyone want to run this guy down and apply the "sucker rod" section of syslogd(8) ? On Sun, 26 Jan 2003 09:11:11 -0800 John Sage <jsage@finchhaven.com> wrote:
Tom et al:
On Sat, Jan 25, 2003 at 09:59:42PM -0500, tom glaab wrote:
Johannes Ullrich wrote:
wow... excellent catch. here is some data I have:
Hmmm...
I first see 67.8.33.179 on 20 January:
<snippage>
But found my first (and only, prior to 20 Jan) hits on udp/1434 much earlier:
Dec 29 06:32:36 chopper kernel: Packet log: input DENY eth0 PROTO=17 12.10.144.249:53 x.y.z.83:1434 L=33 S=0x00 I=38557 F=0x0000 T=108 (#1303) Dec 29 06:32:36 chopper kernel: Packet log: input DENY eth0 PROTO=17 12.10.144.249:53 x.y.z.84:1434 L=33 S=0x00 I=63999 F=0x0000 T=108 (#1303) Dec 29 06:32:36 chopper kernel: Packet log: input DENY eth0 PROTO=17 12.10.144.249:53 x.y.z.85:1434 L=33 S=0x00 I=12853 F=0x0000 T=108 (#1303) Dec 29 06:32:36 chopper kernel: Packet log: input DENY eth0 PROTO=17 12.10.144.249:53 x.y.z.86:1434 L=33 S=0x00 I=61180 F=0x0000 T=108 (#1303)
I'm betting the dlen=33 is this:
Generated by ACID v0.9.6b21 on Sun January 26, 2003 08:53:59 ------------------------------------------------------------------------------ #(458 - 93) [2002-10-16 13:16:44] UDP inbound to 1434 MS SQL monitor IPv4: 217.226.25.204 -> 12.82.130.126 hlen=5 TOS=0 dlen=33 ID=1541 flags=0 offset=0 TTL=115 chksum=48968 UDP: port=53 -> dport: 1434 len=13 Payload: length = 5
000 : 02 00 00 00 00 ..... ------------------------------------------------------------------------------ #(524 - 103) [2002-11-20 01:03:39] UDP inbound to 1434 MS SQL monitor IPv4: 80.128.175.135 -> 12.82.141.35 hlen=5 TOS=0 dlen=33 ID=57947 flags=0 offset=0 TTL=116 chksum=51955 UDP: port=53 -> dport: 1434 len=13 Payload: length = 5
000 : 02 00 00 00 00 ..... ------------------------------------------------------------------------------
This is all I've got with src port = 53 AND dst port = 1434
- John -- Has the preparation of your heart been ready? Almost, calm down.
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
-- George Bakos Institute for Security Technology Studies Dartmouth College gbakos@ists.dartmouth.edu voice 603-646-0665 fax 603-646-0666 Key fingerprint = D646 8F91 F795 27EC FF8B 8C95 B102 9EB2 081E CB85
participants (1)
-
George Bakos