From: Karl A. Krueger (kkrueger_at_outbox.whoi.edu)
Date: Sun Jan 26 2003 - 12:50:40 CST

    Pardon my delurk, but this is very strange worm behavior. We are seeing
    100 SQL Worms per second from a single IP address on Telstra. This is
    about 10k times the level of activity we are seeing from any other
    address.

    Anyone here either know anyone at Telstra who can shut this off, or
    perhaps at least some explanation of why this worm instance would set
    aside its usual randomish behavior and flood us like this?

    This is 1/10th of a second of tcpdump, from outside our firewall:

    13:34:01.154816 203.50.0.215.2184 > xxx.yyy.46.59.1434: udp 376
    13:34:01.160223 203.50.0.215.2184 > xxx.yyy.99.76.1434: udp 376
    13:34:01.170387 203.50.0.215.2184 > xxx.yyy.205.52.1434: udp 376
    13:34:01.179743 203.50.0.215.2184 > xxx.yyy.55.37.1434: udp 376
    13:34:01.184178 203.50.0.215.2184 > xxx.yyy.108.128.1434: udp 376
    13:34:01.198594 203.50.0.215.2184 > xxx.yyy.11.30.1434: udp 376
    13:34:01.203094 203.50.0.215.2184 > xxx.yyy.64.129.1434: udp 376
    13:34:01.207258 203.50.0.215.2184 > xxx.yyy.117.38.1434: udp 376
    13:34:01.221870 203.50.0.215.2184 > xxx.yyy.20.162.1434: udp 376
    13:34:01.245105 203.50.0.215.2184 > xxx.yyy.29.152.1434: udp 376
    13:34:01.250175 203.50.0.215.2184 > xxx.yyy.82.143.1434: udp 376

    -- 
    Karl A. Krueger <kkruegerwhoi.edu>
    Network Security -- Linux/Unix Systems Support -- Etc.
    Woods Hole Oceanographic Institution
    

    _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
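
Added example, not part of the original post: a small parser for the tcpdump text format quoted above that computes, per source address, the rate of UDP datagrams matching the signature visible in the capture (destination port 1434, 376-byte payload). The function names and the 50 packets/second threshold are assumptions made for illustration, and the capture is assumed not to cross midnight.

```python
import re
from collections import defaultdict

# Classic tcpdump text line: "HH:MM:SS.usec src.sport > dst.dport: udp LEN"
LINE = re.compile(r"(\d+):(\d+):(\d+\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)")

# The eleven lines from the post (destination prefix masked by the poster).
SAMPLE = """\
13:34:01.154816 203.50.0.215.2184 > xxx.yyy.46.59.1434: udp 376
13:34:01.160223 203.50.0.215.2184 > xxx.yyy.99.76.1434: udp 376
13:34:01.170387 203.50.0.215.2184 > xxx.yyy.205.52.1434: udp 376
13:34:01.179743 203.50.0.215.2184 > xxx.yyy.55.37.1434: udp 376
13:34:01.184178 203.50.0.215.2184 > xxx.yyy.108.128.1434: udp 376
13:34:01.198594 203.50.0.215.2184 > xxx.yyy.11.30.1434: udp 376
13:34:01.203094 203.50.0.215.2184 > xxx.yyy.64.129.1434: udp 376
13:34:01.207258 203.50.0.215.2184 > xxx.yyy.117.38.1434: udp 376
13:34:01.221870 203.50.0.215.2184 > xxx.yyy.20.162.1434: udp 376
13:34:01.245105 203.50.0.215.2184 > xxx.yyy.29.152.1434: udp 376
13:34:01.250175 203.50.0.215.2184 > xxx.yyy.82.143.1434: udp 376
"""

def parse(text):
    """Yield (seconds_since_midnight, src, dst, dport, length) per matching line."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            h, mi, s, src, _sport, dst, dport, length = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + float(s), src, dst, int(dport), int(length)

def worm_rates(text, port=1434, length=376):
    """Per-source packet count, distinct targets and packets/second for the signature."""
    times, targets = defaultdict(list), defaultdict(set)
    for ts, src, dst, dport, size in parse(text):
        if dport == port and size == length:
            times[src].append(ts)
            targets[src].add(dst)
    stats = {}
    for src, ts_list in times.items():
        span = max(ts_list) - min(ts_list)
        # n packets cover n-1 intervals; a single packet has no measurable rate
        pps = (len(ts_list) - 1) / span if span > 0 else 0.0
        stats[src] = {"packets": len(ts_list), "targets": len(targets[src]), "pps": pps}
    return stats

def flooders(text, min_pps=50.0):
    """Sources at or above min_pps (the threshold is an assumed value)."""
    return sorted(s for s, v in worm_rates(text).items() if v["pps"] >= min_pps)

if __name__ == "__main__":
    for src, v in worm_rates(SAMPLE).items():
        print(f"{src}: {v['packets']} pkts, {v['targets']} targets, {v['pps']:.1f} pps")
```

On the quoted capture this gives roughly 105 packets per second from the one source, each to a different destination address, which matches the figure of about 100 per second given in the post.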