Date/Time :2007-03-12 21:07:21
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: xxx.xxx.xxx.xxx
Ports: 54021, 50437, 50693, 51205, 51461, 59397, 53253, 47877, 48645, 53765, 50949, 54277, 60421, 53509, 59909, 51973, 52229, 47365, 47621, 51717, 49157, 48389, 52997, 62213, 57349, 0, 0, 2626, 0, 0, 0, 40313, 6744, 0, 0, 43458, 30, 0, 0, 65535, 65535, 24, 0, 4096, 0, 1, 0, 0, 0, 2624
The attacker has been temporarily blocked
Date/Time :2007-03-12 17:52:32
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 200.117.25.111, Port = 3706)
Protocol: TCP Incoming
Source: 200.117.25.111:16539
Destination: 192.168.1.100:3706
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 12
Date/Time :2007-03-12 16:27:19
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = xxx.xxx.xxx.xxx, Port = 2769)
Protocol: UDP Incoming
Source: xxx.xxx.xxx.xxx:dns(53)
Destination: 192.168.1.100:2769
Reason: Network Control Rule ID = 12
xxx.xxx.xxx.xxx = ISP DNS server address
Date/Time :2007-03-12 16:27:19
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 63.245.209.21, Port = 2768)
Protocol: TCP Incoming
Source: 63.245.209.21:http(80)
Destination: 192.168.1.100:2768
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 12
Date/Time :2007-03-12 16:27:14
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 66.102.7.99, Port = 2766)
Protocol: TCP Incoming
Source: 66.102.7.99:http(80)
Destination: 192.168.1.100:2766
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 12
In the attackers’ world, this port is usually used by Trojan.W32.hllw.deadhat.b(2766)
Date/Time :2007-03-12 16:27:14
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = xxx.xxx.xxx.xxx, Port = 2769)
Protocol: UDP Incoming
Source: xxx.xxx.xxx.xxx:dns(53)
Destination: 192.168.1.100:2769
Reason: Network Control Rule ID = 12
xxx.xxx.xxx.xxx = ISP DNS server
Finishing up for the night, I thought I would scan the logs (I always start from the earliest entry). Usually it's mostly ICMP unreachables (uTorrent), and most of tonight's looked as if it would be the same. Then I noticed these IP entries with low port numbers; uTorrent has a high number. The closer I looked, the more interesting it got.
(V)
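Added example, not part of the post above: a small parser for Network Monitor entries of the shape shown, which pulls out the source and destination endpoints and tags each blocked packet by what it looks like on the wire. A TCP SYN ACK arriving from a service port such as http(80) at a high-numbered local port, or a UDP datagram from dns(53) at a high-numbered local port, is the shape of a reply to a connection or query the host itself started; a bare SYN to a low service port is an unsolicited connection attempt. Keeping the two apart is the first check before deciding which entries deserve follow-up. The sample log is constructed for this example in the same format (the 198.51.100.7 and 203.0.113.5 entries are invented for contrast), and the 1024 cutoff for "client-side port" is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the shape of the Network Monitor entries above.
# 198.51.100.7 and 203.0.113.5 are documentation addresses, invented here
# to show a DNS reply and an unsolicited inbound SYN for contrast.
SAMPLE_LOG = """\
Date/Time :2007-03-12 16:27:19
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 198.51.100.7, Port = 2769)
Protocol: UDP Incoming
Source: 198.51.100.7:dns(53)
Destination: 192.168.1.100:2769
Reason: Network Control Rule ID = 12
Date/Time :2007-03-12 16:27:14
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 66.102.7.99, Port = 2766)
Protocol: TCP Incoming
Source: 66.102.7.99:http(80)
Destination: 192.168.1.100:2766
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 12
Date/Time :2007-03-12 15:10:02
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 203.0.113.5, Port = 445)
Protocol: TCP Incoming
Source: 203.0.113.5:4412
Destination: 192.168.1.100:445
TCP Flags: SYN
Reason: Network Control Rule ID = 12
"""

# Matches "1.2.3.4:16539" as well as "1.2.3.4:http(80)" (service name + port).
ENDPOINT_RE = re.compile(r"^(?P<ip>[\d.]+):(?:[a-z]+\()?(?P<port>\d+)\)?$")

# Assumption: ports above the well-known range are treated as client-side
# (ephemeral) ports on the monitored host.
EPHEMERAL_MIN = 1024


@dataclass
class Record:
    time: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""
    rule: str = ""
    verdict: str = ""


def parse_endpoint(text: str) -> Tuple[str, int]:
    m = ENDPOINT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    return m.group("ip"), int(m.group("port"))


def classify(r: Record) -> str:
    flags = set(r.flags.split())
    if r.proto == "TCP" and {"SYN", "ACK"} <= flags and r.dst_port >= EPHEMERAL_MIN:
        return "reply-to-outbound"   # second step of a handshake the host began
    if r.proto == "UDP" and r.src_port == 53 and r.dst_port >= EPHEMERAL_MIN:
        return "dns-reply"           # answer to a query the host sent
    if r.proto == "TCP" and flags == {"SYN"}:
        return "unsolicited-syn"     # someone knocking on a listening port
    return "other"


def build_record(f: Dict[str, str]) -> Record:
    src_ip, src_port = parse_endpoint(f["Source"])
    dst_ip, dst_port = parse_endpoint(f["Destination"])
    proto = f.get("Protocol", "").split()[0].upper() if f.get("Protocol") else ""
    rec = Record(f.get("Date/Time", ""), proto, src_ip, src_port, dst_ip, dst_port,
                 flags=f.get("TCP Flags", ""), rule=f.get("Reason", ""))
    rec.verdict = classify(rec)
    return rec


def parse_records(log: str) -> List[Record]:
    """Split the log into records; each record starts at a Date/Time line."""
    records: List[Record] = []
    fields: Dict[str, str] = {}
    for line in log.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Date/Time" and fields:
            records.append(build_record(fields))
            fields = {}
        fields[key] = value
    if fields:
        records.append(build_record(fields))
    return records


def summarize(records: List[Record]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.verdict] = counts.get(r.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for r in recs:
        print(f"{r.time} {r.proto:3} {r.src_ip}:{r.src_port} -> "
              f"{r.dst_ip}:{r.dst_port} [{r.flags or '-'}] {r.verdict}")
    print(summarize(recs))
```

Entries tagged reply-to-outbound or dns-reply are worth cross-checking against the host's own outbound activity at the same timestamp before being treated as attacks; the unsolicited-syn bucket is where the scan and probe traffic lands.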