In message <[EMAIL PROTECTED] >, [EMAIL PROTECTED] writes:
>It seems that we still have some code red attacks coming into the
>IETF 52 network. Does 12.234.20.53 happen to be a machine owned
>by Novell?
>
>Dec 10 21:57:13 voojagig tcpsuck[1110]: Data from UNKNOWN (12.234.20.53)
>port 4774 to http (port 80)
>Dec 10 21:57:13 voojagig tcpsuck[1110]: 0- 47455420 2f736372 69707473
>2f726f6f GET /scripts/roo
>Dec 10 21:57:13 voojagig tcpsuck[1110]: 16- 742e6578 653f2f63 2b646972
>20485454 t.exe?/c+dir HTT
>Dec 10 21:57:13 voojagig tcpsuck[1110]: 32- 502f312e 300d0a48 6f73743a
>20777777 P/1.0..Host: www
>Dec 10 21:57:13 voojagig tcpsuck[1110]: 48- 0d0a436f 6e6e6e65 6374696f
>6e3a2063 ..Connnection: c
>Dec 10 21:57:13 voojagig tcpsuck[1110]: 64- 6c6f7365 0d0a0d0a

Traceroute suggests it's not local:

traceroute to 12.234.20.53 (12.234.20.53), 30 hops max, 40 byte packets
 1  1-200-131-12.bellhead.com (12.131.200.1)  30.054 ms  2.360 ms  2.907 ms
 2  12.127.106.65 (12.127.106.65)  2.326 ms  2.304 ms  2.693 ms
 3  12.122.2.242 (12.122.2.242)  15.068 ms  14.981 ms  15.101 ms
 4  gbr3-p80.sffca.ip.att.net (12.122.2.246)  26.669 ms  17.554 ms  17.598 ms
 5  gbr5-p60.sffca.ip.att.net (12.122.5.141)  17.612 ms  17.826 ms  40.427 ms
 6  12.122.2.253 (12.122.2.253)  21.136 ms  18.504 ms  20.871 ms
 7  12.244.72.209 (12.244.72.209)  49.742 ms  26.994 ms  26.903 ms
 8  12.244.67.18 (12.244.67.18)  27.274 ms  27.366 ms  27.263 ms
 9  12.244.98.196 (12.244.98.196)  56.088 ms  47.997 ms  29.814 ms

I have, however, seen port scans from at least two different machines
on the conference LAN, including attempted exploitation of known back
doors.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
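
Added example, not part of the original message or of tcpsuck itself: a small Python triage script that rebuilds the logged request from the hex words in the quoted dump rows and reports requests for a watched path. It assumes the row layout visible above (decimal offset, a dash, up to four 8-hex-digit words, then an ASCII column); the function names and the SUSPECT_PATHS watch list are hypothetical.

```python
import re

# Constructed sample: the tcpsuck rows quoted in the message, with the mail
# line-wrapping undone so that each dump row sits on one log line.
P = "Dec 10 21:57:13 voojagig tcpsuck[1110]: "
SAMPLE_LOG = "\n".join(P + s for s in [
    "Data from UNKNOWN (12.234.20.53) port 4774 to http (port 80)",
    "0- 47455420 2f736372 69707473 2f726f6f GET /scripts/roo",
    "16- 742e6578 653f2f63 2b646972 20485454 t.exe?/c+dir HTT",
    "32- 502f312e 300d0a48 6f73743a 20777777 P/1.0..Host: www",
    "48- 0d0a436f 6e6e6e65 6374696f 6e3a2063 ..Connnection: c",
    "64- 6c6f7365 0d0a0d0a",
])

HEADER = re.compile(r"Data from \S+ \(([\d.]+)\) port (\d+) to \S+ \(port (\d+)\)")
# Assumed row layout: decimal offset, "-", up to four 4-byte hex words, ASCII column.
ROW = re.compile(r"tcpsuck\[\d+\]: (\d+)- ((?:[0-9a-f]{8} ){0,3}(?:[0-9a-f]{2}){1,4})(?:\s|$)")
SUSPECT_PATHS = {"/scripts/root.exe"}  # hypothetical watch list; path taken from the log above


def reassemble(log_text):
    """Rebuild each logged payload from its hex words (the ASCII column is lossy)."""
    records = []
    for line in log_text.splitlines():
        head = HEADER.search(line)
        if head:
            records.append({"src": head.group(1), "sport": int(head.group(2)),
                            "dport": int(head.group(3)), "data": b""})
            continue
        row = ROW.search(line)
        # Accept a row only if its offset continues the current payload, so a
        # dropped or reordered syslog line cannot silently corrupt the result.
        if row and records and int(row.group(1)) == len(records[-1]["data"]):
            records[-1]["data"] += bytes.fromhex(row.group(2).replace(" ", ""))
    return records


def find_probes(records, paths=SUSPECT_PATHS):
    """Return (source, method, path, query) for requests that hit a watched path."""
    hits = []
    for rec in records:
        request_line = rec["data"].split(b"\r\n", 1)[0].decode("latin-1")
        parts = request_line.split(" ")
        if len(parts) != 3:
            continue  # not a complete HTTP request line
        path, _, query = parts[1].partition("?")
        if path.lower() in paths:
            hits.append((rec["src"], parts[0], path, query))
    return hits


if __name__ == "__main__":
    for hit in find_probes(reassemble(SAMPLE_LOG)):
        print(hit)
```

Decoding from the hex words rather than the ASCII column matters because the dump prints CR and LF as dots, so the request line boundary is only recoverable from the bytes.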