More oddness seen by my firewall

David Wolfskill david at catwhisker.org
Wed Sep 3 04:55:31 PDT 2003


I noticed some odd-looking (blocked) packets intended for 17300/tcp; the
frequency seems to have increased fairly suddenly recently.

In the following, I have edited the entries to shorten them, and thus --
I hope! -- make seeing patterns a little easier.  I replaced
"63.193.123.122" by "me"; I elided the " in via dc0" from the ends of
each line.  I also elided the rule number (20000), since that didn't
seem to be especially relevant.  My intent is not to hide the information
from y'all, but to facilitate some cooperation within our community:

bunrab(4.9-P)[18] sudo grep ':17300' /var/log/security
Aug 27 09:40:00 janus /kernel: ipfw: Deny TCP 68.62.63.245:3840 me:17300
Aug 27 10:32:05 janus /kernel: ipfw: Deny TCP 24.25.150.193:3841 me:17300
Aug 27 11:38:27 janus /kernel: ipfw: Deny TCP 172.137.205.179:3682 me:17300
Aug 27 22:33:39 janus /kernel: ipfw: Deny TCP 63.242.140.122:1119 me:17300
Aug 28 08:12:16 janus /kernel: ipfw: Deny TCP 68.71.63.171:4475 me:17300
Aug 28 09:19:33 janus /kernel: ipfw: Deny TCP 68.71.63.171:4487 me:17300
Aug 28 18:52:39 janus /kernel: ipfw: Deny TCP 68.119.151.47:2060 me:17300
Aug 29 17:16:52 janus /kernel: ipfw: Deny TCP 68.71.63.171:4283 me:17300
Sep  1 03:35:39 janus /kernel: ipfw: Deny TCP 67.112.37.165:4571 me:17300
Sep  1 11:55:43 janus /kernel: ipfw: Deny TCP 130.13.101.34:4150 me:17300
Sep  2 06:06:41 janus /kernel: ipfw: Deny TCP 67.74.73.228:4153 me:17300
Sep  2 06:06:50 janus /kernel: ipfw: Deny TCP 81.96.174.145:3545 me:17300
Sep  2 06:07:14 janus /kernel: ipfw: Deny TCP 80.135.220.136:3300 me:17300
Sep  2 06:07:43 janus /kernel: ipfw: Deny TCP 80.13.173.25:1316 me:17300
Sep  2 06:55:22 janus /kernel: ipfw: Deny TCP 68.214.99.194:50216 me:17300
Sep  2 07:21:23 janus /kernel: ipfw: Deny TCP 200.28.42.232:4206 me:17300
Sep  2 08:32:45 janus /kernel: ipfw: Deny TCP 217.228.74.31:4519 me:17300
Sep  2 08:33:35 janus /kernel: ipfw: Deny TCP 217.236.90.176:3499 me:17300
Sep  2 09:15:55 janus /kernel: ipfw: Deny TCP 200.74.144.73:1897 me:17300
Sep  2 09:45:03 janus /kernel: ipfw: Deny TCP 217.98.162.102:3924 me:17300
Sep  2 09:57:29 janus /kernel: ipfw: Deny TCP 67.122.191.205:3611 me:17300
Sep  2 10:13:58 janus /kernel: ipfw: Deny TCP 212.194.140.70:4037 me:17300
Sep  2 10:32:31 janus /kernel: ipfw: Deny TCP 213.96.224.225:3301 me:17300
Sep  2 10:49:08 janus /kernel: ipfw: Deny TCP 12.243.249.75:4552 me:17300
Sep  2 11:51:46 janus /kernel: ipfw: Deny TCP 213.13.234.76:4306 me:17300
Sep  2 12:02:14 janus /kernel: ipfw: Deny TCP 217.81.28.62:1724 me:17300
Sep  2 13:19:50 janus /kernel: ipfw: Deny TCP 81.98.115.72:2302 me:17300
Sep  2 13:24:21 janus /kernel: ipfw: Deny TCP 65.94.221.120:3093 me:17300
Sep  2 14:29:26 janus /kernel: ipfw: Deny TCP 80.8.84.96:3572 me:17300
Sep  2 19:30:27 janus /kernel: ipfw: Deny TCP 80.49.1.147:4452 me:17300
Sep  3 02:11:19 janus /kernel: ipfw: Deny TCP 24.70.194.113:4928 me:17300
bunrab(4.9-P)[19] foreach h ( `sudo grep ':17300' /var/log/security | sed -e 's/^.* TCP //' -e 's/:.*$//'` )
foreach? host $h
foreach? end
245.63.62.68.IN-ADDR.ARPA domain name pointer pcp03161516pcs.flint01.mi.comcast.net
193.150.25.24.IN-ADDR.ARPA domain name pointer alb-24-25-150-193.nycap.rr.com
179.205.137.172.IN-ADDR.ARPA domain name pointer AC89CDB3.ipt.aol.com
122.140.242.63.IN-ADDR.ARPA domain name pointer 122.mug140.dtrt.sflmi01r1.dsl.att.net
171.63.71.68.IN-ADDR.ARPA domain name pointer co-colspgs-u6-c6b-171.clspco.adelphia.net
171.63.71.68.IN-ADDR.ARPA domain name pointer co-colspgs-u6-c6b-171.clspco.adelphia.net
47.151.119.68.IN-ADDR.ARPA domain name pointer ip-wv-68-119-151-047.charterwv.net
171.63.71.68.IN-ADDR.ARPA domain name pointer co-colspgs-u6-c6b-171.clspco.adelphia.net
165.37.112.67.IN-ADDR.ARPA domain name pointer adsl-67-112-37-165.dsl.lsan03.pacbell.net
34.101.13.130.IN-ADDR.ARPA domain name pointer vdsl-130-13-101-34.phnx.uswest.net
228.73.74.67.IN-ADDR.ARPA domain name pointer dialup-67.74.73.228.Dial1.Philadelphia1.Level3.net
145.174.96.81.IN-ADDR.ARPA domain name pointer pc1-mfld3-6-cust145.nott.cable.ntl.com
136.220.135.80.IN-ADDR.ARPA domain name pointer p5087DC88.dip.t-dialin.net
25.173.13.80.IN-ADDR.ARPA domain name pointer APlessis-Bouchard-103-1-3-25.w80-13.abo.wanadoo.fr
194.99.214.68.IN-ADDR.ARPA domain name pointer adsl-214-99-194.gnv.bellsouth.net
232.42.28.200.IN-ADDR.ARPA domain name pointer 232-42-28.dial.terra.cl
31.74.228.217.IN-ADDR.ARPA domain name pointer pD9E44A1F.dip.t-dialin.net
176.90.236.217.IN-ADDR.ARPA domain name pointer pD9EC5AB0.dip.t-dialin.net
Host not found.
102.162.98.217.IN-ADDR.ARPA domain name pointer pa102.zbaszyn.sdi.tpnet.pl
205.191.122.67.IN-ADDR.ARPA domain name pointer adsl-67-122-191-205.dsl.lsan03.pacbell.net
205.191.122.67.IN-ADDR.ARPA domain name pointer adsl-67-122-191-205.dsl.pltn13.pacbell.net
70.140.194.212.IN-ADDR.ARPA domain name pointer f07v-9-70.d1.club-internet.fr
225.224.96.213.IN-ADDR.ARPA domain name pointer 225.Red-213-96-224.pooles.rima-tde.net
75.249.243.12.IN-ADDR.ARPA domain name pointer 12-243-249-75.client.attbi.com
Host not found.
62.28.81.217.IN-ADDR.ARPA domain name pointer pD9511C3E.dip.t-dialin.net
72.115.98.81.IN-ADDR.ARPA domain name pointer pc3-rdng1-3-cust72.winn.cable.ntl.com
120.221.94.65.IN-ADDR.ARPA domain name pointer MTL-HSE-ppp200072.qc.sympatico.ca
96.84.8.80.IN-ADDR.ARPA domain name pointer ca-bordeaux-12-96.w80-8.abo.wanadoo.fr
147.1.49.80.IN-ADDR.ARPA domain name pointer pb147.mielec.sdi.tpnet.pl
113.194.70.24.IN-ADDR.ARPA domain name pointer h24-70-194-113.ok.shawcable.net
bunrab(4.9-P)[20] 

I'm not sure what to make of it yet... but that reminds me:  I have been
seeing a lot of HTTP requests against http://www.catwhisker.org/ that
just get the root page, and they all look fairly similar; here's a
(small!) excerpt:

203.232.249.65 - - [02/Sep/2003:00:04:03 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
208.206.232.111 - - [02/Sep/2003:00:07:43 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
64.170.193.211 - - [02/Sep/2003:00:17:40 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
68.121.123.211 - - [02/Sep/2003:00:24:28 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
61.121.84.33 - - [02/Sep/2003:00:25:01 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
68.74.69.31 - - [02/Sep/2003:00:26:24 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
62.13.174.12 - - [02/Sep/2003:00:29:11 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
68.22.50.9 - - [02/Sep/2003:00:38:40 -0700] "GET / HTTP/1.1" 200 1016 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"


I'm fairly sure that this is from the recent worm/virus/whatever -- this
seems to have started between 10 - 20 days ago or so.

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
If you want true virus-protection for your PC, install a non-Microsoft OS
on it.  Plausible candidates include FreeBSD, Linux, NetBSD, OpenBSD, and
Solaris (in alphabetical order).
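The two manual steps in the post (grep the ipfw log for one destination port, then look at the sources, and eyeball the web log for identical request lines) can be automated so the "frequency seems to have increased" impression becomes a per-day count, a burst detector and a cluster report. The following script is an added example and is not the author's code. It assumes the log year is 2003 (syslog lines carry no year), uses the line formats shown above, and its sample input is a handful of lines copied from the post plus two constructed lines (a port-22 deny and an ordinary browser request) that are labelled as such in the code.

```python
"""Summarise ipfw 'Deny' lines and Apache combined-log lines: hits per
destination port per day, busiest sources, bursts of many distinct sources
in a short window, and identical request signatures seen from many IPs."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2003  # assumption: syslog timestamps have no year; the post is from 2003

IPFW_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) '
    r'(?P<host>\S+) /kernel: ipfw: Deny (?P<proto>TCP|UDP) '
    r'(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+)')

APACHE_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def parse_ipfw(lines):
    """One dict per ipfw Deny line; unrelated syslog lines are skipped."""
    out = []
    for line in lines:
        m = IPFW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        out.append({"ts": ts, "src": m["src"], "dport": int(m["dport"])})
    return out

def hits_per_day(records, dport):
    """Blocked connections to dport per calendar day, oldest first."""
    c = Counter(r["ts"].date() for r in records if r["dport"] == dport)
    return {d.strftime("%b %d"): n for d, n in sorted(c.items())}

def top_sources(records, dport, n=3):
    """Source addresses that probed dport most often."""
    return Counter(r["src"] for r in records if r["dport"] == dport).most_common(n)

def bursts(records, dport, window_s=120, min_sources=3):
    """Windows of window_s seconds in which >= min_sources distinct hosts hit
    dport. Many unrelated hosts arriving together points at a scanning worm
    or botnet rather than one curious person."""
    hits = sorted((r for r in records if r["dport"] == dport), key=lambda r: r["ts"])
    found, i = [], 0
    while i < len(hits):
        j = i
        while (j + 1 < len(hits)
               and hits[j + 1]["ts"] - hits[i]["ts"] <= timedelta(seconds=window_s)):
            j += 1
        srcs = sorted({r["src"] for r in hits[i:j + 1]})
        if len(srcs) >= min_sources:
            found.append((hits[i]["ts"], hits[j]["ts"], srcs))
            i = j + 1
        else:
            i += 1
    return found

def parse_apache(lines):
    return [m.groupdict() for m in map(APACHE_RE.match, lines) if m]

def request_clusters(records, min_sources=5):
    """Identical (request, referrer, user-agent) tuples seen from many distinct
    client IPs: the fingerprint of automated probing, not of real browsers."""
    by_sig = defaultdict(set)
    for r in records:
        by_sig[(r["req"], r["ref"], r["ua"])].add(r["ip"])
    return [(sig, len(ips)) for sig, ips in by_sig.items() if len(ips) >= min_sources]

# Sample input: lines copied from the post, plus two constructed lines (marked).
IPFW_SAMPLE = """\
Aug 27 09:40:00 janus /kernel: ipfw: Deny TCP 68.62.63.245:3840 me:17300
Aug 28 08:12:16 janus /kernel: ipfw: Deny TCP 68.71.63.171:4475 me:17300
Aug 28 09:19:33 janus /kernel: ipfw: Deny TCP 68.71.63.171:4487 me:17300
Aug 29 17:16:52 janus /kernel: ipfw: Deny TCP 68.71.63.171:4283 me:17300
Sep  2 06:06:41 janus /kernel: ipfw: Deny TCP 67.74.73.228:4153 me:17300
Sep  2 06:06:50 janus /kernel: ipfw: Deny TCP 81.96.174.145:3545 me:17300
Sep  2 06:07:14 janus /kernel: ipfw: Deny TCP 80.135.220.136:3300 me:17300
Sep  2 06:07:43 janus /kernel: ipfw: Deny TCP 80.13.173.25:1316 me:17300
Sep  2 06:10:00 janus /kernel: ipfw: Deny TCP 192.0.2.5:5555 me:22
Sep  2 06:11:00 janus sshd[123]: constructed non-ipfw line, must be skipped
""".splitlines()
UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
APACHE_SAMPLE = [f'{ip} - - [02/Sep/2003:00:0{k}:00 -0700] "GET / HTTP/1.1" 200 1016 "-" "{UA}"'
                 for k, ip in enumerate(["203.232.249.65", "208.206.232.111", "64.170.193.211",
                                         "68.121.123.211", "61.121.84.33", "68.74.69.31",
                                         "62.13.174.12", "68.22.50.9"])]
APACHE_SAMPLE.append('192.0.2.10 - - [02/Sep/2003:00:30:00 -0700] "GET /index.html HTTP/1.1" '
                     '200 1016 "http://example.com/" "Mozilla/5.0 (X11; FreeBSD)"')  # constructed

if __name__ == "__main__":
    fw = parse_ipfw(IPFW_SAMPLE)
    print("hits/day on 17300:", hits_per_day(fw, 17300))
    print("top sources:", top_sources(fw, 17300))
    for start, end, srcs in bursts(fw, 17300):
        print(f"burst {start:%b %d %H:%M:%S}..{end:%H:%M:%S}: {len(srcs)} distinct sources")
    for (req, ref, ua), n in request_clusters(parse_apache(APACHE_SAMPLE)):
        print(f"{n} distinct IPs sent {req!r} ref={ref!r} ua={ua!r}")
```

Run against the real files (`/var/log/security` and the Apache access log) the output is the per-day table that answers "did it really increase", the repeat offenders worth a reverse lookup, and the one-minute burst on Sep 2 that distinguishes a coordinated scan from background noise; the web-log cluster report likewise turns "they all look fairly similar" into a count of distinct clients sharing an exact request signature.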