[Intrusions] odd worm (?) activity?

Chris Norton kicktd_list at hotmail.com
Sat Sep 11 00:48:47 GMT 2004


Just wondering if anyone has noticed any activity like this? This is all from the same IP address:

[10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1450 -> 68.212.111.xxx:135, flags: SYN , seq:159470950 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1452 -> 68.212.111.xxx:1025, flags: SYN , seq:159504595 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1453 -> 68.212.111.xxx:445, flags: SYN , seq:159547845 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1454 -> 68.212.111.xxx:6129, flags: SYN , seq:159599147 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1455 -> 68.212.111.xxx:139, flags: SYN , seq:159634329 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1456 -> 68.212.111.xxx:3410, flags: SYN , seq:159688821 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1457 -> 68.212.111.xxx:5554, flags: SYN , seq:159735284 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1458 -> 68.212.111.xxx:1433, flags: SYN , seq:159782567 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:35] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1459 -> 68.212.111.xxx:5000, flags: SYN , seq:159844021 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:36] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1480 -> 68.212.111.xxx:80, flags: SYN , seq:161072104 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1450 -> 68.212.111.xxx:135, flags: SYN , seq:159470950 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1454 -> 68.212.111.xxx:6129, flags: SYN , seq:159599147 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1457 -> 68.212.111.xxx:5554, flags: SYN , seq:159735284 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1452 -> 68.212.111.xxx:1025, flags: SYN , seq:159504595 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1455 -> 68.212.111.xxx:139, flags: SYN , seq:159634329 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1458 -> 68.212.111.xxx:1433, flags: SYN , seq:159782567 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1453 -> 68.212.111.xxx:445, flags: SYN , seq:159547845 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1456 -> 68.212.111.xxx:3410, flags: SYN , seq:159688821 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1459 -> 68.212.111.xxx:5000, flags: SYN , seq:159844021 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:38] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1480 -> 68.212.111.xxx:80, flags: SYN , seq:161072104 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1459 -> 68.212.111.xxx:5000, flags: SYN , seq:159844021 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1458 -> 68.212.111.xxx:1433, flags: SYN , seq:159782567 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1455 -> 68.212.111.xxx:139, flags: SYN , seq:159634329 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1452 -> 68.212.111.xxx:1025, flags: SYN , seq:159504595 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1457 -> 68.212.111.xxx:5554, flags: SYN , seq:159735284 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1454 -> 68.212.111.xxx:6129, flags: SYN , seq:159599147 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1450 -> 68.212.111.xxx:135, flags: SYN , seq:159470950 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1456 -> 68.212.111.xxx:3410, flags: SYN , seq:159688821 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1453 -> 68.212.111.xxx:445, flags: SYN , seq:159547845 ack:0, win:8760, tcplen:0
[10/Sep/2004 18:35:44] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1480 -> 68.212.111.xxx:80, flags: SYN , seq:161072104 ack:0, win:8760, tcplen:0
[10/Sep/2004 19:36:23] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1499 -> 68.212.111.xxx:135, flags: SYN , seq:2401699874 ack:0, win:8760, tcplen:0
[10/Sep/2004 19:36:29] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1499 -> 68.212.111.xxx:135, flags: SYN , seq:2401699874 ack:0, win:8760, tcplen:0
[10/Sep/2004 19:36:32] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, ip/port:68.212.111.xxx:1499 -> 68.212.111.xxx:135, flags: SYN , seq:2401699874 ack:0, win:8760, tcplen:0
<<snip>>

I would have just thought regular worm activity if the ports 80, 1433, and 6129 weren't tossed in the mix. But I don't believe this is a port scan either, as the box continues to check port 135 on my computer. I haven't seen a scan like this from any other IP except this one. Anyone have any clues they might be able to add to this?

--
Chris Norton 
UAT Student Software Engineering Network Defense
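An added example (written for this page, not the poster's code or the firewall vendor's) that parses lines in the log format quoted above and, per source address, separates fresh SYN attempts from TCP retransmissions of an already-seen SYN (same source port, destination port and sequence number). Addresses in the sample are constructed, and the line layout is assumed to match the entries shown above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the firewall's DROP line layout as quoted in the post (assumed format).
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<action>\w+) .*?proto:(?P<proto>\w+), .*?'
    r'ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+), '
    r'flags: (?P<flags>[A-Z ]*?) , seq:(?P<seq>\d+)')

def _line(ts, sport, dport, seq):
    # Build one constructed log line with documentation-range addresses (not real hosts).
    return (f'[{ts}] DROP "Default traffic rule" packet from Dial-Up, proto:TCP, len:48, '
            f'ip/port:192.0.2.10:{sport} -> 192.0.2.20:{dport}, flags: SYN , '
            f'seq:{seq} ack:0, win:8760, tcplen:0')

# Constructed sample: a short port sweep, then repeats at +3 s and +9 s with the
# same source port and ISN (stack retransmits), then a fresh attempt an hour later.
SAMPLE_LOG = "\n".join([
    _line('10/Sep/2004 18:35:35', 1450, 135, 159470950),
    _line('10/Sep/2004 18:35:35', 1453, 445, 159547845),
    _line('10/Sep/2004 18:35:35', 1458, 1433, 159782567),
    _line('10/Sep/2004 18:35:38', 1450, 135, 159470950),   # same 5-tuple + ISN: retransmit
    _line('10/Sep/2004 18:35:44', 1450, 135, 159470950),   # same again: retransmit
    _line('10/Sep/2004 19:36:23', 1499, 135, 2401699874),  # new source port and ISN: fresh
])

def parse(log):
    """Return a list of dicts, one per line that matches LINE_RE (others are skipped)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev['ts'] = datetime.strptime(ev['ts'], '%d/%b/%Y %H:%M:%S')
        for k in ('sport', 'dport', 'seq'):
            ev[k] = int(ev[k])
        ev['flags'] = ev['flags'].strip()
        events.append(ev)
    return events

def summarize(events):
    """Per source: distinct target ports, fresh SYN count, and retransmit count.
    A retransmit reuses source port, destination port and ISN of an earlier SYN;
    a scanner re-probing would normally pick a new source port and ISN."""
    seen = set()
    out = defaultdict(lambda: {'ports': set(), 'fresh': 0, 'retransmits': 0})
    for ev in events:
        if ev['flags'] != 'SYN':
            continue
        key = (ev['src'], ev['sport'], ev['dst'], ev['dport'], ev['seq'])
        s = out[ev['src']]
        s['ports'].add(ev['dport'])
        if key in seen:
            s['retransmits'] += 1
        else:
            seen.add(key)
            s['fresh'] += 1
    return {src: {'ports': sorted(s['ports']), 'fresh': s['fresh'],
                  'retransmits': s['retransmits']} for src, s in out.items()}
```

Applied to the log in the post, the +3 s and +9 s repeats reuse each source port and seq number, which is what an unanswered SYN looks like when the remote TCP stack retransmits it, while the 19:36 entry carries a new source port and seq and so counts as a fresh attempt.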

