August 19th, 2003, 01:42 PM
Abnormal Port activity (Inbound)
I think this question is more suited to The M$ security, but could be Virus related..
The firewall here has been blocking ICMP packets at a higher level than normal.. currently 2 per minute (average), normal 1-5 per hour.. currently emanating from inside my ISP's assigned blocks 144.xxx & 203.xxx... This may have nothing to do with the rest of the activity
These pings are associated with, but not all coinciding with, connection attempts to port 2969..
These are mainly from within blocks assigned to my ISP BUT.. NOT ALL..
The source ports appear to be 1025, 1214, 1217, 3361, 3549, 3417, 3209, 4144, 18497, 18498
These are consistent with received UDP packets to the same port and from the same ports
The source ports seem to be all over the place, just had some new IPs bounce in.. 24.232.xx.xx & 65.251.xx.xx
Starting to see a pattern.. approx 3 attempts, i.e. 3 UDP packets, 3 TCP connect attempts on 2969 from each IP before moving on..
Thoughts? Anyone else seeing this traffic..
Had seen port 80 connection attempts (Welchia worm) earlier this evening.. none in the past hour.... time now 12:50 UTC
"Consumer technology now exceeds the average person's ability to comprehend how to use it.. give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
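The observations in this post (ICMP rate versus the 1-5/hour baseline, the ICMP type/code in use, and the "3 UDP + 3 TCP to 2969 per source" pattern) can be checked mechanically against firewall logs. The script below is an added example, not something posted in this thread; the one-line log format and all addresses in it are constructed for the demonstration and will need adapting to a real firewall's output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log (assumed format, made-up addresses); times are HH:MM:SS.
SAMPLE_LOG = """\
12:40:01 BLOCK ICMP 144.1.2.3 -> 10.0.0.2 type=8 code=0
12:40:31 BLOCK ICMP 144.1.2.3 -> 10.0.0.2 type=8 code=0
12:41:02 BLOCK UDP 144.1.2.3:1214 -> 10.0.0.2:2969
12:41:03 BLOCK UDP 144.1.2.3:1214 -> 10.0.0.2:2969
12:41:04 BLOCK UDP 144.1.2.3:1214 -> 10.0.0.2:2969
12:41:05 BLOCK TCP 144.1.2.3:3361 -> 10.0.0.2:2969
12:41:06 BLOCK TCP 144.1.2.3:3361 -> 10.0.0.2:2969
12:41:07 BLOCK TCP 144.1.2.3:3361 -> 10.0.0.2:2969
12:42:10 BLOCK ICMP 203.4.5.6 -> 10.0.0.2 type=3 code=3
12:42:11 BLOCK TCP 65.251.7.8:18497 -> 10.0.0.2:2969
12:43:00 BLOCK ICMP 24.232.9.9 -> 10.0.0.2 type=8 code=0
"""

ICMP_RE = re.compile(r"^(\d\d:\d\d):\d\d BLOCK ICMP (\S+) -> \S+ type=(\d+) code=(\d+)$")
CONN_RE = re.compile(r"^\d\d:\d\d:\d\d BLOCK (UDP|TCP) (\S+):(\d+) -> \S+:(\d+)$")

def icmp_summary(log):
    """Per-minute ICMP block counts plus a tally of (type, code) pairs.
    8/0 is echo request (the type the thread associates with Nachi/Welchia);
    3/3 is port unreachable, which probes of closed UDP ports can provoke."""
    per_minute, types = Counter(), Counter()
    for line in log.splitlines():
        m = ICMP_RE.match(line)
        if m:
            per_minute[m.group(1)] += 1
            types[(int(m.group(3)), int(m.group(4)))] += 1
    return per_minute, types

def port_probes(log, port=2969):
    """Map source IP -> UDP/TCP attempt counts and source ports seen, for one dst port."""
    probes = defaultdict(lambda: {"UDP": 0, "TCP": 0, "sports": set()})
    for line in log.splitlines():
        m = CONN_RE.match(line)
        if m and int(m.group(4)) == port:
            proto, src, sport = m.group(1), m.group(2), int(m.group(3))
            probes[src][proto] += 1
            probes[src]["sports"].add(sport)
    return probes

def matches_pattern(probes, n=3):
    """Sources showing at least n UDP and n TCP attempts, the sequence the post describes."""
    return sorted(ip for ip, c in probes.items() if c["UDP"] >= n and c["TCP"] >= n)
```

Running `icmp_summary` on a real log gives the per-minute rate to compare with the stated baseline and answers the type/code question directly; `matches_pattern` lists the sources that completed the full 3+3 sequence rather than a single stray attempt.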
August 19th, 2003, 02:20 PM
ICMP: Nachi worm, AKA Welchia:
The ICMP could also be the result of someone doing a port scan, depending on how you have your network/servers set up (they could be sending out an ICMP port unreachable, type 3, code 3). What ICMP codes are you seeing? According to SANS, the ICMP type with Nachi is 8,0.
According to snort.org, port 2969 ( http://www.snort.org/ports.html?port=2969 ) is essp. I really don't know what this is... did find this (don't have any idea if this is it or not):
From Symantec (http://securityresponse.symantec.com....welchia.worm.)
Which doesn't really match the pattern either...
# Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.
# Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.
As to why you are seeing it, you got me...maybe some more detailed packet captures would be helpful (make sure to sanitize).
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
August 19th, 2003, 04:52 PM
Yep, I'm getting a massive amount of ICMP packets, 500+ per hr at least I think, mostly from 213.xxx.xxx.xxx
I'm pretty glad I'm not on an XP/2000 box really, they're suffering a bit at the moment!