
Re: Code Red still at IETF 52 ?

2001-12-10 11:30:03
In message <Pine(_dot_)LNX(_dot_)4(_dot_)33(_dot_)0112110112510(_dot_)1564-100000(_at_)voojagig(_dot_)sae(_dot_)siemens(_dot_)com(_dot_)sg>, a(_dot_)saha(_at_)ACM(_dot_)ORG writes:
It seems that we still have some code red attacks coming into the
IETF 52 network.  Does 12.234.20.53 happen to be a machine owned
by Novell ?

Dec 10 21:57:13 voojagig tcpsuck[1110]: Data from UNKNOWN (12.234.20.53) port 4774 to http (port 80)
Dec 10 21:57:13 voojagig tcpsuck[1110]:    0- 47455420 2f736372 69707473 2f726f6f     GET /scripts/roo
Dec 10 21:57:13 voojagig tcpsuck[1110]:   16- 742e6578 653f2f63 2b646972 20485454     t.exe?/c+dir HTT
Dec 10 21:57:13 voojagig tcpsuck[1110]:   32- 502f312e 300d0a48 6f73743a 20777777     P/1.0..Host: www
Dec 10 21:57:13 voojagig tcpsuck[1110]:   48- 0d0a436f 6e6e6e65 6374696f 6e3a2063     ..Connnection: c
Dec 10 21:57:13 voojagig tcpsuck[1110]:   64- 6c6f7365 0d0a0d0a

Traceroute suggests it's not local:

traceroute to 12.234.20.53 (12.234.20.53), 30 hops max, 40 byte packets
 1  1-200-131-12.bellhead.com (12.131.200.1)  30.054 ms  2.360 ms  2.907 ms
 2  12.127.106.65 (12.127.106.65)  2.326 ms  2.304 ms  2.693 ms
 3  12.122.2.242 (12.122.2.242)  15.068 ms  14.981 ms  15.101 ms
 4  gbr3-p80.sffca.ip.att.net (12.122.2.246)  26.669 ms  17.554 ms  17.598 ms
 5  gbr5-p60.sffca.ip.att.net (12.122.5.141)  17.612 ms  17.826 ms  40.427 ms
 6  12.122.2.253 (12.122.2.253)  21.136 ms  18.504 ms  20.871 ms
 7  12.244.72.209 (12.244.72.209)  49.742 ms  26.994 ms  26.903 ms
 8  12.244.67.18 (12.244.67.18)  27.274 ms  27.366 ms  27.263 ms
 9  12.244.98.196 (12.244.98.196)  56.088 ms  47.997 ms  29.814 ms

I have, however, seen port scans from at least two different machines 
on the conference LAN, including attempted exploitation of known back 
doors.

                --Steve Bellovin, http://www.research.att.com/~smb
                Full text of "Firewalls" book now at http://www.wilyhacker.com
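
Added example, not part of the original message and not code from tcpsuck: the Python below reassembles the request bytes from the hex dump in the quoted log and labels the request line, which is how a responder would confirm what the remote host actually sent. The line layout is inferred only from the excerpt above, and the names `reassemble`, `classify` and `PROBE` are hypothetical.

```python
import re

# Log lines copied from the quoted message above, with mail-wrapped lines rejoined.
SAMPLE_LOG = """\
Dec 10 21:57:13 voojagig tcpsuck[1110]: Data from UNKNOWN (12.234.20.53) port 4774 to http (port 80)
Dec 10 21:57:13 voojagig tcpsuck[1110]:    0- 47455420 2f736372 69707473 2f726f6f     GET /scripts/roo
Dec 10 21:57:13 voojagig tcpsuck[1110]:   16- 742e6578 653f2f63 2b646972 20485454     t.exe?/c+dir HTT
Dec 10 21:57:13 voojagig tcpsuck[1110]:   32- 502f312e 300d0a48 6f73743a 20777777     P/1.0..Host: www
Dec 10 21:57:13 voojagig tcpsuck[1110]:   48- 0d0a436f 6e6e6e65 6374696f 6e3a2063     ..Connnection: c
Dec 10 21:57:13 voojagig tcpsuck[1110]:   64- 6c6f7365 0d0a0d0a
"""

# Assumed layout: a "Data from" header line, then "<offset>- <hex words>   <ascii>" lines.
HEADER = re.compile(r"tcpsuck\[\d+\]: Data from \S+ \(([\d.]+)\) port (\d+) to \S+ \(port (\d+)\)")
DUMP = re.compile(r"tcpsuck\[\d+\]:\s+(\d+)-((?: (?:[0-9a-f]{2}){1,4})+)")
# Request for root.exe under a web script directory, as seen in the dump above.
PROBE = re.compile(rb"^GET /[^ ?]*/root\.exe\?", re.IGNORECASE)


def reassemble(log_text):
    """Return one {src, sport, dport, payload} dict per 'Data from' record."""
    records = []
    for line in log_text.splitlines():
        m = HEADER.search(line)
        if m:
            records.append({"src": m.group(1), "sport": int(m.group(2)),
                            "dport": int(m.group(3)), "payload": b""})
            continue
        m = DUMP.search(line)
        if m and records:
            rec = records[-1]
            offset = int(m.group(1))
            if offset != len(rec["payload"]):  # a lost syslog line would corrupt the payload
                raise ValueError(f"gap in dump at offset {offset}")
            rec["payload"] += bytes.fromhex(m.group(2).replace(" ", ""))
    return records


def classify(rec):
    """Label a reassembled record by its HTTP request line."""
    request_line = rec["payload"].split(b"\r\n", 1)[0]
    kind = "root.exe probe" if PROBE.match(request_line) else "other"
    return rec["src"], request_line.decode("latin-1"), kind


if __name__ == "__main__":
    for rec in reassemble(SAMPLE_LOG):
        print(*classify(rec), sep=" | ")
```

Working from the hex column rather than the ASCII column matters because the dump prints non-printable bytes such as CR and LF as dots.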



