[Dshield] From 127.0.0.1,80 ??

Will Boege will_boege at i-tech.com
Mon Jan 19 20:07:39 GMT 2004


This seems to be residual effects of Blaster, which I saw a while back.
The explosion of these today, as well as correlated by a poster made me
wonder if some new attack may have just looked like this residual
Blaster traffic.  I then went back and looked at the Blaster analysis.
It is entering its DDoS mode on the 16th of Jan after a nice 4 month
break.

This traffic comes when a DNS server resolves windowsupdate.com to
127.0.0.1, the infected system's TCP stack sends a RST on the wire to the
spoofed source address.  The packets I captured do indeed have RST set,
so this seems to be ordinary Blaster garbage.

Sorry I blew up ;)

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Will Boege
Sent: Monday, January 19, 2004 9:10 AM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] From 127.0.0.1,80 ??



I'm getting the same thing, over 35,000 hits over the weekend.  I'll see
if I can grab some packets to dissect.

Source is always 80, dest port seems to be random.

Jan 19 09:02:55 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:00" duration=0 policy_id=1 service=tcp/port:1830 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1830
Jan 19 09:02:55 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:00" duration=0 policy_id=1 service=tcp/port:1361 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1361
Jan 19 09:02:56 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:01" duration=0 policy_id=1 service=tcp/port:1961 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1961
Jan 19 09:03:43 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:49" duration=0 policy_id=1 service=tcp/port:1818 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1818
Jan 19 09:03:44 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:49" duration=0 policy_id=1 service=tcp/port:1967 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1967
Jan 19 09:03:44 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:49" duration=0 policy_id=1 service=tcp/port:1717 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1717
Jan 19 09:03:45 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:50" duration=0 policy_id=1 service=tcp/port:1617 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1617

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Jonathan C. Webster
Sent: Sunday, January 18, 2004 9:29 PM
To: list at dshield.org
Subject: [Dshield] From 127.0.0.1,80 ??


Hello,
In my last two firewall log files (spanning 16 hours of today) out of
256 entries 101 are from 127.0.0.1,80.  These are all to my ports from
1015 to 1986.  They only hit the same port twice a few times and NEVER
more than twice.

What does that mean?

I have a dynamic DSL connection on snet.net, currently their
64.252.xxx.xxx subnet.

Jonathan Webster


_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
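As an added example, not part of the thread or of any poster's tooling: a small Python parser for the NetScreen deny entries quoted above, with a filter for the pattern both posters describe (one impossible source, 127.0.0.1:80, spraying many random high destination ports). The sample log reuses the seven quoted entries plus one constructed, unrelated deny (src 192.0.2.7 to tcp/445) so the filter has something to ignore; the distinct-port threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Sample input: the seven NetScreen entries quoted in the thread, plus one
# constructed unrelated deny (192.0.2.7 -> tcp/445) that the filter must skip.
SAMPLE_LOG = """\
Jan 19 09:02:55 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:00" duration=0 policy_id=1 service=tcp/port:1830 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1830
Jan 19 09:02:55 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:00" duration=0 policy_id=1 service=tcp/port:1361 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1361
Jan 19 09:02:56 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:01" duration=0 policy_id=1 service=tcp/port:1961 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1961
Jan 19 09:03:43 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:49" duration=0 policy_id=1 service=tcp/port:1818 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1818
Jan 19 09:03:44 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:49" duration=0 policy_id=1 service=tcp/port:1967 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1967
Jan 19 09:03:44 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:49" duration=0 policy_id=1 service=tcp/port:1717 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1717
Jan 19 09:03:45 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:02:50" duration=0 policy_id=1 service=tcp/port:1617 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=127.0.0.1 dst=208.42.xx.xx src_port=80 dst_port=1617
Jan 19 09:05:10 fwall fortknox: NetScreen device_id=fortknox  [No Name]system-notification-00257(traffic): start_time="2004-01-19 09:05:09" duration=0 policy_id=1 service=tcp/port:445 proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=192.0.2.7 dst=208.42.xx.xx src_port=3342 dst_port=445
"""

# key=value pairs; a quoted value (start_time="... ...") may contain a space.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_netscreen(line):
    """Split one NetScreen syslog entry into its key=value fields.
    The syslog prefix ("Jan 19 09:02:55") is kept under 'timestamp'.
    Returns {} for a line with no fields (blank line, unrelated text)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields:
        fields["timestamp"] = line[:15]
    return fields


def flag_loopback_backscatter(lines, min_distinct_ports=3):
    """Return {dst_host: sorted dst ports} for hosts that received TCP from
    127.0.0.1:80 to at least min_distinct_ports different ports.
    127.0.0.1 can never be a legitimate source on the untrusted side, and the
    spread over random high ports is what separates this RST backscatter from
    a probe of one service; the threshold is an assumed tuning value."""
    ports_by_dst = defaultdict(set)
    for line in lines:
        f = parse_netscreen(line)
        if (f.get("src") == "127.0.0.1" and f.get("src_port") == "80"
                and f.get("proto") == "6" and "dst_port" in f):
            ports_by_dst[f["dst"]].add(int(f["dst_port"]))
    return {dst: sorted(p) for dst, p in ports_by_dst.items()
            if len(p) >= min_distinct_ports}


if __name__ == "__main__":
    for dst, ports in flag_loopback_backscatter(SAMPLE_LOG.splitlines()).items():
        print(f"{dst}: {len(ports)} distinct ports hit from 127.0.0.1:80 -> {ports}")
```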
