
Odd firewall logs. Anyone recognize this?


jenlion

IS-IT--Management
Nov 13, 2001
215
I also posted in the Watchguard section, not a lot of activity there though, hope maybe someone can shed some light here.

I checked the logs of a client I hadn't visited in a long time and found some interesting patterns. Went back and ran the whole year (all 300MB of log) and some strange things have shown up.

From IP addresses all over the globe, this client gets hit at exactly the same time, down to the second. Three high random ports (different ones for each different IP address hitting it), two DNS tries, over and over. It also claims to be hitting the filtered-http rule, rather than blocked by default. I don't spend a lot of time on this, so I don't know why. This has my attention though. Here are some examples:

Denied Service, incoming, 1/23/2003 9:58:44 AM, 66.28.255.130, (MyClient'sIP), 6336/"Denied service Filtered-HTTP"

Denied Service, incoming, 1/23/2003 9:58:54 AM, 63.218.7.130, (MyClient'sIP), 1871/"Denied service Filtered-HTTP"

Denied Service, incoming, 1/23/2003 9:58:54 AM, 213.61.6.2, (MyClient'sIP), 46260/"Denied service Filtered-HTTP"

Everything's the same except the source IP and the port number. Also note the 255 in that first address. Spoofed? I don't know. I've got at least a dozen, probably more, sources that do this at the same time, from January through July with a break from May 16 - July 18. They mostly seem to be legitimate IPs. Most respond to pings, though not all. They don't seem to have anything obvious in common (i.e., all IIS or something), though I'm not done looking yet.

There are hundreds of records from each IP that hits the box. Some of them pick up later -- for example, one starts in the middle of February, rather than Jan 23. Looks like zombies, but I don't know what they're doing, or how they get things down to the second every single time. I don't know a lot about this stuff, but I'm learning. I've dumped it all into Access so it's easy to query. Does anyone recognize this??

Thanks
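The pattern described above (many unrelated source IPs hitting the same second, each on a different high port, all matched by the Filtered-HTTP rule) is easy to pull out of a log dump mechanically rather than by eyeballing Access queries. As an added example that is not from this thread or from WatchGuard, the script below parses records in the exact comma-separated layout quoted in the post and reports every second in which at least three distinct sources were denied. The sample lines are constructed: the first three are the ones quoted above, the other two are made up, and 192.0.2.10 stands in for the client's IP.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the WatchGuard log format quoted above: the first three
# lines are the poster's examples, the last two are made up; 192.0.2.10 is a
# placeholder for the client's IP (documentation range, not a real host).
SAMPLE_LOG = """\
Denied Service, incoming, 1/23/2003 9:58:44 AM, 66.28.255.130, 192.0.2.10, 6336/"Denied service Filtered-HTTP"
Denied Service, incoming, 1/23/2003 9:58:54 AM, 63.218.7.130, 192.0.2.10, 1871/"Denied service Filtered-HTTP"
Denied Service, incoming, 1/23/2003 9:58:54 AM, 213.61.6.2, 192.0.2.10, 46260/"Denied service Filtered-HTTP"
Denied Service, incoming, 1/23/2003 9:58:54 AM, 198.51.100.7, 192.0.2.10, 3021/"Denied service Filtered-HTTP"
Denied Service, incoming, 1/23/2003 10:14:02 AM, 198.51.100.9, 192.0.2.10, 1433/"Denied service Filtered-HTTP"
"""

# One record: action, direction, timestamp, source, destination, port/"rule".
LINE_RE = re.compile(
    r'^(?P<action>[^,]+), (?P<direction>[^,]+), (?P<ts>[^,]+), (?P<src>[^,]+), '
    r'(?P<dst>[^,]+), (?P<port>\d+)/"(?P<rule>[^"]*)"$'
)
TS_FMT = "%m/%d/%Y %I:%M:%S %p"  # strptime accepts unpadded month/day/hour

def parse_line(line):
    """Return a dict for one log record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["port"] = int(rec["port"])
    return rec

def parse_log(text):
    """Parse every line of a log dump, skipping malformed lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def find_synchronized(records, min_sources=3):
    """Seconds in which >= min_sources distinct source IPs were denied."""
    # Returns [(timestamp, sorted source IPs, sorted ports)] in time order.
    by_second = defaultdict(list)
    for r in records:
        by_second[r["ts"]].append(r)
    bursts = []
    for ts in sorted(by_second):
        srcs = sorted({r["src"] for r in by_second[ts]})
        if len(srcs) >= min_sources:
            ports = sorted({r["port"] for r in by_second[ts]})
            bursts.append((ts, srcs, ports))
    return bursts
```

Feeding the full 300MB dump through `parse_log` and then `find_synchronized` lists every second that shows the lockstep pattern, and the port list per burst makes the "different port per source" behaviour visible at a glance.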
 
Not sure what it could mean, but those IPs seem common hitting firewalls. Do a Google search on the first one, and you'll find a bunch of links with similar questions...
Just for a few...

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
It's not uncommon for a person to script out port scanning software or similar software to detect vulnerable software or open ports. Using your logs, target the top offenders and block them at the highest point you can. Also remember to update all firmware on routers/firewalls and run Windows Update.
 