In message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes:
>It seems that we still have some Code Red attacks coming into the
>IETF 52 network.  Does 12.234.20.53 happen to be a machine owned
>by Novell?
>
>Dec 10 21:57:13 voojagig tcpsuck[1110]: Data from UNKNOWN (12.234.20.53)
>port 4774 to http (port 80)
>Dec 10 21:57:13 voojagig tcpsuck[1110]:    0- 47455420 2f736372 69707473
>2f726f6f     GET /scripts/roo
>Dec 10 21:57:13 voojagig tcpsuck[1110]:   16- 742e6578 653f2f63 2b646972
>20485454     t.exe?/c+dir HTT
>Dec 10 21:57:13 voojagig tcpsuck[1110]:   32- 502f312e 300d0a48 6f73743a
>20777777     P/1.0..Host: www
>Dec 10 21:57:13 voojagig tcpsuck[1110]:   48- 0d0a436f 6e6e6e65 6374696f
>6e3a2063     ..Connnection: c
>Dec 10 21:57:13 voojagig tcpsuck[1110]:   64- 6c6f7365 0d0a0d0a

Traceroute suggests it's not local:

traceroute to 12.234.20.53 (12.234.20.53), 30 hops max, 40 byte packets
 1  1-200-131-12.bellhead.com (12.131.200.1)  30.054 ms  2.360 ms  2.907 ms
 2  12.127.106.65 (12.127.106.65)  2.326 ms  2.304 ms  2.693 ms
 3  12.122.2.242 (12.122.2.242)  15.068 ms  14.981 ms  15.101 ms
 4  gbr3-p80.sffca.ip.att.net (12.122.2.246)  26.669 ms  17.554 ms  17.598 ms
 5  gbr5-p60.sffca.ip.att.net (12.122.5.141)  17.612 ms  17.826 ms  40.427 ms
 6  12.122.2.253 (12.122.2.253)  21.136 ms  18.504 ms  20.871 ms
 7  12.244.72.209 (12.244.72.209)  49.742 ms  26.994 ms  26.903 ms
 8  12.244.67.18 (12.244.67.18)  27.274 ms  27.366 ms  27.263 ms
 9  12.244.98.196 (12.244.98.196)  56.088 ms  47.997 ms  29.814 ms

I have, however, seen port scans from at least two different machines 
on the conference LAN, including attempted exploitation of known back 
doors.

                --Steve Bellovin, http://www.research.att.com/~smb
                Full text of "Firewalls" book now at http://www.wilyhacker.com
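The probe quoted above, decoded by an added Python example that is not part of Bellovin's message or of the tcpsuck tool: it reassembles the hex-dump columns of a tcpsuck capture into the raw HTTP request, parses the request line and headers, and flags request targets that match a small signature list. The sample log is the quoted capture with the ">" prefix and the mail-client line wrapping removed (one tcpsuck record per line is an assumption); the signature list (PROBE_SIGNATURES) and the function names are mine, not something the message or tcpsuck defines.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the tcpsuck dump quoted in the message, with the ">" quote
# prefix removed and the mail wrapping undone so each dump record is one line.
SAMPLE_LOG = """\
Dec 10 21:57:13 voojagig tcpsuck[1110]: Data from UNKNOWN (12.234.20.53) port 4774 to http (port 80)
Dec 10 21:57:13 voojagig tcpsuck[1110]:    0- 47455420 2f736372 69707473 2f726f6f     GET /scripts/roo
Dec 10 21:57:13 voojagig tcpsuck[1110]:   16- 742e6578 653f2f63 2b646972 20485454     t.exe?/c+dir HTT
Dec 10 21:57:13 voojagig tcpsuck[1110]:   32- 502f312e 300d0a48 6f73743a 20777777     P/1.0..Host: www
Dec 10 21:57:13 voojagig tcpsuck[1110]:   48- 0d0a436f 6e6e6e65 6374696f 6e3a2063     ..Connnection: c
Dec 10 21:57:13 voojagig tcpsuck[1110]:   64- 6c6f7365 0d0a0d0a
"""

# Assumed signature list (not from the message): request-target substrings that
# the IIS worms of the Code Red family are known to probe for.
PROBE_SIGNATURES = ("/scripts/root.exe", "cmd.exe", "default.ida")

HEADER_RE = re.compile(
    r"tcpsuck\[\d+\]: Data from (\S+) \((\d+\.\d+\.\d+\.\d+)\) port (\d+) to (\S+) \(port (\d+)\)"
)
# A dump record: "<offset>- " followed by 8-hex-digit words, then the ASCII preview.
DUMP_RE = re.compile(r"tcpsuck\[\d+\]:\s+(\d+)-\s+(.*)$")
HEX_WORD_RE = re.compile(r"^[0-9a-f]{8}$")


def reassemble(log_text: str) -> Tuple[Dict[str, object], bytes]:
    """Return (connection metadata, raw payload bytes) for one tcpsuck capture.

    Hex words are consumed from each dump record until the first token that is not
    eight hex digits (the start of the ASCII preview column). Offsets are checked
    so that a dropped or re-wrapped line raises instead of silently corrupting
    the reassembled payload.
    """
    meta: Dict[str, object] = {}
    payload = bytearray()
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            meta = {"peer": m.group(1), "source": m.group(2), "sport": int(m.group(3)),
                    "service": m.group(4), "dport": int(m.group(5))}
            continue
        m = DUMP_RE.search(line)
        if not m:
            continue
        offset = int(m.group(1))
        if offset != len(payload):
            raise ValueError(f"dump gap: expected offset {len(payload)}, got {offset}")
        for tok in m.group(2).split():
            if not HEX_WORD_RE.match(tok):
                break  # reached the ASCII preview column
            payload += bytes.fromhex(tok)
    return meta, bytes(payload)


def parse_request(payload: bytes) -> Dict[str, object]:
    """Split an HTTP/1.x request into its request-line parts and a header dict."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def analyze(log_text: str) -> Dict[str, object]:
    """Reassemble one capture, parse it as HTTP and report matched probe signatures."""
    meta, payload = reassemble(log_text)
    req = parse_request(payload)
    target = str(req["target"]).lower()
    matched = [s for s in PROBE_SIGNATURES if s.lower() in target]
    return {**meta, **req, "matched": matched, "suspicious": bool(matched)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{report['source']}:{report['sport']} -> port {report['dport']}: "
          f"{report['method']} {report['target']} matched={report['matched']}")
```

Decoding the hex column rather than trusting the ASCII preview matters here: the preview replaces non-printable bytes with dots, so the CRLF structure (and the misspelled "Connnection" header, a useful fingerprint in its own right) is only recoverable from the hex.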

