[Dshield] Possible variant of Blaster/Nachi/Welchia?

Deb Hale haled at pionet.net
Fri Sep 26 15:58:57 GMT 2003


http://www.xsecurity.ws/books/Building-Internet-Firewalls/ch08_13.html


According to this write-up, port 123 is used for Network Time Protocol. It
shows a 123 to 123 as a query or response between two servers. My question
is, is your network syncing with the spoofed IP and if it is, why?



-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Jeff Kell
Sent: Friday, September 26, 2003 10:25 AM
To: Incidents; General DShield Discussion List
Subject: [Dshield] Possible variant of Blaster/Nachi/Welchia?


I have seen some STRANGE traffic on our dorms this morning.  The dorms 
are all on a private network 172.18.0.0.  I have hosts (10 so far) that 
are doing this:

   spoofed 172.x.x.x:123 UDP --> random 172.x.x.x:123
same spoof 172.x.x.x ICMP --> another random 172.x.x.x
same spoof 172.x.x.x ICMP --> another random 172.x.x.x

About once or twice a minute the ICMPs continue, but the UDP isn't repeated.

It appears to be spreading (new machines showing up doing the same 
thing).  Any ideas, clues, ring any bells?

Jeff


