Strange domain-udp signature

From: Sudom, Don (dsudom1wcb.bc.ca)
Date: Tue Jul 15 2003 - 17:41:53 CDT


I am seeing the following tcpdump signature targeted at our DNS server,
and it is being repeated from hundreds of sources.
I have performed some traceroutes back to a few of the sources, and the
hop count is consistent with the TTL.
Note the timing between packets. I don't host the in-addr.arpa PTR
record either.
Has anyone else seen this activity? Can you tell me if this is a tool, a
trojan or some form of a worm?

07/15/2003 13:52:12.254707 BadGuy.com > MyDNS.com: icmp: echo request (DF) (ttl 48, id 0, len 84)
07/15/2003 13:52:22.289706 BadGuy.com > MyDNS.com: icmp: echo request (DF) (ttl 48, id 0, len 84)
07/15/2003 13:52:32.300358 BadGuy.com.39291 > MyDNS.com.domain: [udp sum ok] 1472+ PTR? MyDNSAddr.in-addr.arpa. (45) (DF) (ttl 48, id 0, len 73)
07/15/2003 13:52:42.300299 BadGuy.com.39291 > MyDNS.com.domain: [udp sum ok] 51392+ PTR? MyDNSAddr.in-addr.arpa. (45) (DF) (ttl 48, id 0, len 73)
07/15/2003 14:23:27.188729 BadGuy.com > MyDNS.com: icmp: echo request (DF) (ttl 48, id 0, len 84)
07/15/2003 14:23:37.193796 BadGuy.com > MyDNS.com: icmp: echo request (DF) (ttl 48, id 0, len 84)
07/15/2003 14:23:47.204725 BadGuy.com.39291 > MyDNS.com.domain: [udp sum ok] 21323+ PTR? MyDNSAddr.in-addr.arpa. (45) (DF) (ttl 48, id 0, len 73)
07/15/2003 14:23:57.214654 BadGuy.com.39291 > MyDNS.com.domain: [udp sum ok] 844+ PTR? MyDNSAddr.in-addr.arpa. (45) (DF) (ttl 48, id 0, len 73)
07/15/2003 15:31:45.239907 BadGuy.com > MyDNS.com: icmp: echo request (DF) (ttl 48, id 0, len 84)
07/15/2003 15:31:55.246162 BadGuy.com > MyDNS.com: icmp: echo request (DF) (ttl 48, id 0, len 84)
07/15/2003 15:32:05.249764 BadGuy.com.39291 > MyDNS.com.domain: [udp sum ok] 59027+ PTR? MyDNSAddr.in-addr.arpa. (45) (DF) (ttl 48, id 0, len 73)
07/15/2003 15:32:15.264307 BadGuy.com.39291 > MyDNS.com.domain: [udp sum ok] 41876+ PTR? MyDNSAddr.in-addr.arpa. (45) (DF) (ttl 48, id 0, len 73)
07/15/2003 15:47:02.351632 BadGuy.com > MyDNS.com: icmp: echo request (DF) (ttl 48, id 0, len 84)
07/15/2003 15:47:12.360245 BadGuy.com > MyDNS.com: icmp: echo request (DF) (ttl 48, id 0, len 84)
07/15/2003 15:47:22.362137 BadGuy.com.39291 > MyDNS.com.domain: [udp sum ok] 58592+ PTR? MyDNSAddr.in-addr.arpa. (45) (DF) (ttl 48, id 0, len 73)
07/15/2003 15:47:32.387080 BadGuy.com.39291 > MyDNS.com.domain: [udp sum ok] 52705+ PTR? MyDNSAddr.in-addr.arpa. (45) (DF) (ttl 48, id 0, len 73)

Regards,
Don
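As an added example (not part of the original post), a small Python checker that parses tcpdump lines in the format shown above and flags a source that sends two ICMP echo requests followed by two PTR queries from a single UDP source port at roughly ten-second spacing; the sample input is the poster's first four records re-joined onto single lines, plus one constructed unrelated ping that should not match. The timestamp format and the 5..15 second gap window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the poster's first burst (hostnames are his placeholders) re-joined
# onto single lines, plus one unrelated ping from another host to show a non-match.
SAMPLE = """\
07/15/2003 13:52:12.254707 BadGuy.com > MyDNS.com: icmp: echo request (DF) (ttl 48, id 0, len 84)
07/15/2003 13:52:22.289706 BadGuy.com > MyDNS.com: icmp: echo request (DF) (ttl 48, id 0, len 84)
07/15/2003 13:52:32.300358 BadGuy.com.39291 > MyDNS.com.domain: [udp sum ok] 1472+ PTR? MyDNSAddr.in-addr.arpa. (45) (DF) (ttl 48, id 0, len 73)
07/15/2003 13:52:42.300299 BadGuy.com.39291 > MyDNS.com.domain: [udp sum ok] 51392+ PTR? MyDNSAddr.in-addr.arpa. (45) (DF) (ttl 48, id 0, len 73)
07/15/2003 14:10:00.000000 Other.net > MyDNS.com: icmp: echo request (DF) (ttl 60, id 4711, len 84)
"""

def parse(line):
    """Return (time, src_host, src_port, kind, ip_id) for one tcpdump line, or None."""
    m = re.match(r"(\S+ \S+) (\S+) > (\S+?): (.*)", line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")  # assumed -tttt style stamp
    host, _, port = m.group(2).rpartition(".")
    if not port.isdigit():              # ICMP lines carry no source port
        host, port = m.group(2), None
    body = m.group(4)
    kind = "echo" if body.startswith("icmp: echo request") else "ptr" if " PTR? " in body else "other"
    ip_id = int(re.search(r"\bid (\d+)", body).group(1))
    return when, host, port, kind, ip_id

def find_pattern(text, lo=5.0, hi=15.0):
    """Flag sources sending echo, echo, PTR, PTR with lo..hi second gaps and one UDP source port."""
    by_src = {}
    for line in text.splitlines():
        pkt = parse(line)
        if pkt:
            by_src.setdefault(pkt[1], []).append(pkt)
    hits = []
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p[0])
        for i in range(len(pkts) - 3):          # slide a four-packet window per source
            win = pkts[i:i + 4]
            kinds = [p[3] for p in win]
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(win, win[1:])]
            if (kinds == ["echo", "echo", "ptr", "ptr"] and win[2][2] == win[3][2]
                    and all(lo <= g <= hi for g in gaps)):
                hits.append({"src": src, "start": win[0][0].isoformat(), "sport": win[2][2],
                             "id_zero": all(p[4] == 0 for p in win)})  # IP id 0, as in the post
    return hits
```

Feed it a full capture (for example `tcpdump -tttt -vv -n` output) and the `id_zero` flag plus the shared source port separate this probe from ordinary resolver traffic.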
