UPDATE:
I have isolated and confirmed the traffic source responsible for the spoofed traffic on my backbone. After turning off the filter allowing port 3389 access, I spotted a lone system attempting to gain access. The traffic was a 3-packet burst to port 3389 and ceased after no response was returned. I then traced the source and spoke to the hosting ISP. They confirmed my suspicions: this system was in fact the source and "probably compromised" with an SQL worm running on ports 1433 and 3389, and this system was also sending packets to multiple networks at the earlier times in question (exactly when the spoofed traffic occurred). They have terminated service to that customer and are reporting it for investigation.

Those of you with 3389 open: I STRONGLY suggest closing it immediately! This is probably a new vulnerability in Terminal Services.

FYI: The spoofed traffic has not returned since closing port 3389.

Thanks to everyone for offering suggestions and input!

Regards,
Danny H. Cox
Manager, Information Technology Operations
Yield Dynamics, Inc.
(408) 773-7822

-----Original Message-----
From: Steve Leach [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 30, 2004 2:29 PM
To: Cox, Danny H.
Subject: [Fwd: Re: [gb-users] Syslogger - that works?]

Cox, Danny H. wrote:

Steve,

Yes, I have tried monitoring via Ethereal at several different points on the network - no luck. My backbone is far too tightly configured for that, and the traffic seems scheduled. Also, the traffic was (originally) totally random in source IP (spoofed), and the latest batch was actually using a source and destination IP class of 172.24, which as you know is the protected network class assigned by IANA. The traffic is very tightly directed and without any real pattern so far. If I had not scanned everything in real-time and then online, I would say it was a Trojan or virus.

Danny

-----Original Message-----
From: Steve Leach [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 30, 2004 1:18 PM
To: Cox, Danny H.
Subject: Re: [gb-users] Syslogger - that works?

Cox, Danny H. wrote:

Old story, new cover...

The email below is in reference to my much earlier request for a "good" syslogger. Something I still need. I would also like to see GTA figure out a way to capture the MAC address as well as the other data. My reason is simple - see the log data roughly 9 lines down! Something is managing to get behind the firewall and initiate this crap. I have scanned all systems via real-time and using Online and all computers are clean. If I was any more clamped down, I would not be able to breathe. VPN appears clean, DMZ is clean. So you tell me where this crap is originating from! The GTA ver 3.4.0 (Flash) logs are worthless for this one because they do not provide a MAC address.

Danny

<LOG DATA>
ALARM NO: 1
DATE: Thu 2004-01-22 18:55:22 GMT
INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
ALARM TYPE: Possible spoof
IP PACKET: TCP [198.202.130.170/1239]-->[64.35.110.11/80] l=0 f=0x2
[198.202.130.170/1239]-->[64.35.110.11/http]
DETAILED DESCRIPTION: Return interface for IP packet is different than arrival.
<LOG DATA END>

John Stokes

------------------------------------------------------
To unsubscribe: [EMAIL PROTECTED]
For additional commands: [EMAIL PROTECTED]
Archive: http://archives.gnatbox.com/gb-users/
------------------------------------------------------
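Added example (not code from the thread, from GTA, or from the GNATbox product): a small Python triage script for alarm records in the layout quoted above. It parses the records, re-applies the reverse-path rule that produces the "Return interface for IP packet is different than arrival" alarm against an assumed routing table, flags RFC1918 sources (172.16.0.0/12 is the block that contains the 172.24 addresses mentioned) arriving on the external interface, and counts SYN bursts to a port so a short probe like the 3-packet burst to 3389 stands out. The routing table, the interface names and every record after the first are constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the layout of the alarm quoted in the thread. Record 1
# is the record from the post; records 2-4 are made up: a 3-packet SYN burst to
# 3389 from a 172.24 source that arrives on the external interface.
SAMPLE_LOG = """\
ALARM NO: 1
DATE: Thu 2004-01-22 18:55:22 GMT
INTERFACE: Protected (xl0)
INTERFACE TYPE: Protected
ALARM TYPE: Possible spoof
IP PACKET: TCP [198.202.130.170/1239]-->[64.35.110.11/80] l=0 f=0x2
DETAILED DESCRIPTION: Return interface for IP packet is different than arrival.
ALARM NO: 2
INTERFACE: External (xl1)
INTERFACE TYPE: External
ALARM TYPE: Possible spoof
IP PACKET: TCP [172.24.9.4/3001]-->[172.24.1.2/3389] l=0 f=0x2
ALARM NO: 3
INTERFACE: External (xl1)
INTERFACE TYPE: External
ALARM TYPE: Possible spoof
IP PACKET: TCP [172.24.9.4/3002]-->[172.24.1.2/3389] l=0 f=0x2
ALARM NO: 4
INTERFACE: External (xl1)
INTERFACE TYPE: External
ALARM TYPE: Possible spoof
IP PACKET: TCP [172.24.9.4/3003]-->[172.24.1.2/3389] l=0 f=0x2
"""

RECORD_START = re.compile(r"(?=^ALARM NO:)", re.M)
FIELD = re.compile(r"^([A-Z ]+): (.*)$", re.M)
PACKET = re.compile(
    r"(?P<proto>\w+) \[(?P<src>[\d.]+)/(?P<sport>\d+)\]-->"
    r"\[(?P<dst>[\d.]+)/(?P<dport>\d+)\](?: l=\d+)?(?: f=(?P<flags>0x[0-9a-fA-F]+))?"
)

# Hypothetical routing table: 172.24.0.0/16 is the protected LAN behind xl0,
# everything else is reached through the external interface xl1 (default route).
ROUTES = {
    "xl0": [ipaddress.ip_network("172.24.0.0/16")],
    "xl1": [ipaddress.ip_network("0.0.0.0/0")],
}

def parse_alarms(text):
    """Split the log into ALARM records and extract the fields acted on below."""
    alarms = []
    for chunk in RECORD_START.split(text):
        if not chunk.strip():
            continue
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        pkt = PACKET.match(fields.get("IP PACKET", ""))
        if not pkt:
            continue  # malformed record: skip rather than guess
        iface = re.search(r"\((\w+)\)", fields.get("INTERFACE", ""))
        alarms.append({
            "no": int(fields["ALARM NO"]),
            "iface": iface.group(1) if iface else fields.get("INTERFACE", ""),
            "iface_type": fields.get("INTERFACE TYPE", ""),
            "proto": pkt["proto"],
            "src": ipaddress.ip_address(pkt["src"]),
            "sport": int(pkt["sport"]),
            "dst": ipaddress.ip_address(pkt["dst"]),
            "dport": int(pkt["dport"]),
            "flags": int(pkt["flags"], 16) if pkt["flags"] else 0,
        })
    return alarms

def return_interface(addr, routes=ROUTES):
    """Longest-prefix lookup: the interface a reply to `addr` would leave on."""
    best = None
    for iface, nets in routes.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (iface, net)
    return best[0] if best else None

def is_spoofed(alarm, routes=ROUTES):
    """Reverse-path check: the source must be reachable via the arrival interface."""
    return return_interface(alarm["src"], routes) != alarm["iface"]

def private_source_on_external(alarm):
    """RFC1918 source (10/8, 172.16/12, 192.168/16) arriving from outside."""
    return alarm["iface_type"] == "External" and alarm["src"].is_private

def syn_bursts(alarms, port=3389, min_count=3):
    """Sources that sent at least `min_count` TCP SYNs (flag 0x2) to `port`."""
    counts = Counter(str(a["src"]) for a in alarms
                     if a["proto"] == "TCP" and a["dport"] == port and a["flags"] & 0x2)
    return {src: n for src, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    alarms = parse_alarms(SAMPLE_LOG)
    for a in alarms:
        verdict = "spoofed" if is_spoofed(a) else "path ok"
        print(f"#{a['no']} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} on {a['iface']}: {verdict}")
    print("SYN bursts to 3389:", syn_bursts(alarms))
```

The reverse-path rule is what the firewall's own alarm encodes: record 1 arrived on the protected interface from an address the firewall would only ever reach via the external one, so either the source is forged or something inside is emitting it. Feeding a real routing table in place of `ROUTES` and the exported alarm log in place of `SAMPLE_LOG` is all that is needed to run the same triage on live data.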
