In message <Pine.LNX.4.33.0112110112510.1564-100000@voojagig.sae.siemens.com.sg>, a.saha@ACM.ORG writes:
It seems that we still have some Code Red attacks coming into the
IETF 52 network. Does 12.234.20.53 happen to be a machine owned
by Novell?
Dec 10 21:57:13 voojagig tcpsuck[1110]: Data from UNKNOWN (12.234.20.53) port 4774 to http (port 80)
Dec 10 21:57:13 voojagig tcpsuck[1110]: 0- 47455420 2f736372 69707473 2f726f6f GET /scripts/roo
Dec 10 21:57:13 voojagig tcpsuck[1110]: 16- 742e6578 653f2f63 2b646972 20485454 t.exe?/c+dir HTT
Dec 10 21:57:13 voojagig tcpsuck[1110]: 32- 502f312e 300d0a48 6f73743a 20777777 P/1.0..Host: www
Dec 10 21:57:13 voojagig tcpsuck[1110]: 48- 0d0a436f 6e6e6e65 6374696f 6e3a2063 ..Connnection: c
Dec 10 21:57:13 voojagig tcpsuck[1110]: 64- 6c6f7365 0d0a0d0a
Traceroute suggests it's not local:
traceroute to 12.234.20.53 (12.234.20.53), 30 hops max, 40 byte packets
1 1-200-131-12.bellhead.com (12.131.200.1) 30.054 ms 2.360 ms 2.907 ms
2 12.127.106.65 (12.127.106.65) 2.326 ms 2.304 ms 2.693 ms
3 12.122.2.242 (12.122.2.242) 15.068 ms 14.981 ms 15.101 ms
4 gbr3-p80.sffca.ip.att.net (12.122.2.246) 26.669 ms 17.554 ms 17.598 ms
5 gbr5-p60.sffca.ip.att.net (12.122.5.141) 17.612 ms 17.826 ms 40.427 ms
6 12.122.2.253 (12.122.2.253) 21.136 ms 18.504 ms 20.871 ms
7 12.244.72.209 (12.244.72.209) 49.742 ms 26.994 ms 26.903 ms
8 12.244.67.18 (12.244.67.18) 27.274 ms 27.366 ms 27.263 ms
9 12.244.98.196 (12.244.98.196) 56.088 ms 47.997 ms 29.814 ms
I have, however, seen port scans from at least two different machines
on the conference LAN, including attempted exploitation of known back
doors.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
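As an added illustration (not part of the message above, and not tcpsuck's own code), the following script reassembles the TCP payload from the tcpsuck hex dump quoted in the thread and checks the resulting request line against a short list of worm-probe signatures, the kind of check a defender would wire into a syslog pipeline. The regexes for the tcpsuck line layout are inferred from the quoted lines and are an assumption; the `/scripts/root.exe` signature is the one visible in the dump, while the `/default.ida` and `cmd.exe` entries are well-known Code Red / Nimda probes added from general knowledge as an illustrative list. The sample log is constructed from the quoted records with each wrapped line rejoined.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the tcpsuck records quoted in the message, one
# syslog record per line (the mail archive had wrapped them).
SAMPLE_LOG = """\
Dec 10 21:57:13 voojagig tcpsuck[1110]: Data from UNKNOWN (12.234.20.53) port 4774 to http (port 80)
Dec 10 21:57:13 voojagig tcpsuck[1110]: 0- 47455420 2f736372 69707473 2f726f6f GET /scripts/roo
Dec 10 21:57:13 voojagig tcpsuck[1110]: 16- 742e6578 653f2f63 2b646972 20485454 t.exe?/c+dir HTT
Dec 10 21:57:13 voojagig tcpsuck[1110]: 32- 502f312e 300d0a48 6f73743a 20777777 P/1.0..Host: www
Dec 10 21:57:13 voojagig tcpsuck[1110]: 48- 0d0a436f 6e6e6e65 6374696f 6e3a2063 ..Connnection: c
Dec 10 21:57:13 voojagig tcpsuck[1110]: 64- 6c6f7365 0d0a0d0a
"""

# Assumed line layouts, inferred from the quoted records:
#   header: "Data from <host> (<ip>) port <sport> to <svc> (port <dport>)"
#   dump:   "<offset>- " + up to four 8-hex-digit words + optional ASCII column
HEADER_RE = re.compile(
    r"tcpsuck\[\d+\]: Data from (?P<host>\S+) \((?P<ip>[\d.]+)\) "
    r"port (?P<sport>\d+) to (?P<svc>\S+) \(port (?P<dport>\d+)\)"
)
DUMP_RE = re.compile(r"tcpsuck\[\d+\]: (?P<off>\d+)- (?P<rest>.*)$")
HEXWORD_RE = re.compile(r"^[0-9a-f]{8}$")

# Request-line substrings identifying probes of the Code Red / Nimda family.
# Only root.exe appears in the message; the rest are assumed, illustrative entries.
SIGNATURES = {
    "/scripts/root.exe": "Nimda probe for the root.exe backdoor left by Code Red II",
    "/default.ida": "Code Red .ida ISAPI overflow request",
    "/winnt/system32/cmd.exe": "Nimda directory-traversal probe for cmd.exe",
}


@dataclass
class Capture:
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes = b""


def parse_tcpsuck(log_text: str) -> List[Capture]:
    """Rebuild each captured payload from tcpsuck's hex dump lines.

    Dump lines belong to the most recent "Data from" header. The offset printed
    on each dump line is checked against the bytes collected so far, so a
    dropped or duplicated syslog line raises instead of yielding a corrupt payload.
    """
    captures: List[Capture] = []
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            captures.append(Capture(m["ip"], int(m["sport"]), int(m["dport"])))
            continue
        m = DUMP_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        if not captures:
            raise ValueError("dump line before any 'Data from' header")
        cur = captures[-1]
        if int(m["off"]) != len(cur.payload):
            raise ValueError(
                f"offset {m['off']} does not follow the {len(cur.payload)} bytes seen so far"
            )
        # Collect at most four hex words; the first non-hex token starts the ASCII column.
        words = []
        for tok in m["rest"].split():
            if len(words) == 4 or not HEXWORD_RE.match(tok):
                break
            words.append(tok)
        if not words:
            raise ValueError(f"no hex data on dump line: {line!r}")
        cur.payload += bytes.fromhex("".join(words))
    return captures


def request_line(payload: bytes) -> str:
    """First line of the reassembled HTTP request, decoded losslessly."""
    return payload.split(b"\r\n", 1)[0].decode("latin-1")


def classify(payload: bytes) -> Optional[str]:
    """Return a description when the request line matches a known worm probe."""
    line = request_line(payload)
    for needle, desc in SIGNATURES.items():
        if needle in line:
            return desc
    return None


def report(log_text: str) -> List[dict]:
    """One summary record per captured connection, ready for a SIEM or a ticket."""
    return [
        {
            "src": f"{c.src_ip}:{c.src_port}",
            "dport": c.dst_port,
            "request_line": request_line(c.payload),
            "verdict": classify(c.payload),
        }
        for c in parse_tcpsuck(log_text)
    ]


if __name__ == "__main__":
    for rec in report(SAMPLE_LOG):
        print(rec)
```

Running it on the sample reassembles the 72-byte request `GET /scripts/root.exe?/c+dir HTTP/1.0` (with the misspelled `Connnection: close` header intact, which is itself a useful fingerprint) and flags it as the root.exe backdoor probe; the offset check is what makes the decoder trustworthy when syslog drops a line under load.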