Incident 02-19-02 05:47am


This stuff has become *so* common since the first Code Red worm incidents beginning in July of 2001.

Add to that the Nimda worm, starting about September 18, 2001, and probes to tcp:80 have become so common as to have become background noise: sure, the probes are potentially malicious to unpatched/poorly maintained Window$ boxes, but the relentless drizzle of probes itself has become something too easily ignored...

I've often wondered if some of these are actually deliberate probes, rather than the spontaneous emissions of compromised Window$ boxes.

Here's a pretty typical example, this one's from a university down in Mexico:

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Feb 19 05:47:22 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP}
 148.204.4.1:3681 -> 12.82.133.142:80
Feb 19 05:47:31 greatwall last message repeated 2 times


Feb 19 05:47:22 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 148.204.4.1:3681 12.82.133.142:80
 L=48 S=0x00 I=56890 F=0x4000 T=111 SYN (#64)
Feb 19 05:47:26 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 148.204.4.1:3681 12.82.133.142:80
 L=48 S=0x00 I=56983 F=0x4000 T=111 SYN (#64)
Feb 19 05:47:31 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 148.204.4.1:3681 12.82.133.142:80
 L=48 S=0x00 I=57151 F=0x4000 T=111 SYN (#64)


Tue Feb 19 05:47:22 2002 148.204.4.1 [18 hops]: Windows 2000 (9)
 + 148.204.4.1:3681 -> 12.82.133.142:80
Tue Feb 19 05:47:26 2002 148.204.4.1 [18 hops]: Windows 2000 (9)
 + 148.204.4.1:3681 -> 12.82.133.142:80
Tue Feb 19 05:47:31 2002 148.204.4.1 [18 hops]: Windows 2000 (9)
 + 148.204.4.1:3681 -> 12.82.133.142:80
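As an added example (not part of the original notes), the following Python correlates lines in the shape of the snort and ipchains entries above by source address and port, so the three denied SYNs show up as retransmissions of one connection attempt (same source port 3681, rising IP ID, constant TTL) that snort reported once and syslog collapsed with "last message repeated". The sample log is constructed from the entries above with the wrapped lines rejoined; the field layout assumed is the ipchains packet-log format shown.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the snort and ipchains entries above
# (the wrapped syslog lines joined back onto one line each).
SAMPLE_LOG = """\
Feb 19 05:47:22 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP} 148.204.4.1:3681 -> 12.82.133.142:80
Feb 19 05:47:31 greatwall last message repeated 2 times
Feb 19 05:47:22 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 148.204.4.1:3681 12.82.133.142:80 L=48 S=0x00 I=56890 F=0x4000 T=111 SYN (#64)
Feb 19 05:47:26 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 148.204.4.1:3681 12.82.133.142:80 L=48 S=0x00 I=56983 F=0x4000 T=111 SYN (#64)
Feb 19 05:47:31 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 148.204.4.1:3681 12.82.133.142:80 L=48 S=0x00 I=57151 F=0x4000 T=111 SYN (#64)
"""

TS = r"^\w+ +\d+ (?P<hms>\d\d:\d\d:\d\d) \S+ "
FLOW = r"(?P<src>[\d.]+):(?P<sport>\d+) (?:-> )?(?P<dst>[\d.]+):(?P<dport>\d+)"
SNORT_RE = re.compile(TS + r"snort: \[[^\]]*\] (?P<msg>.*?) \{\w+\} " + FLOW + r"$")
REPEAT_RE = re.compile(TS + r"last message repeated (?P<n>\d+) times$")
DENY_RE = re.compile(TS + r"kernel: Packet log: \w+ (?P<verdict>\w+) \S+ PROTO=\d+ " + FLOW
                     + r" L=\d+ S=\S+ I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+) (?P<flags>.*?) \(#\d+\)$")

def _secs(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def correlate(text):
    """Group snort alerts and kernel DENY packets by (src, sport, dst, dport)."""
    flows = defaultdict(lambda: {"alerts": 0, "denied": []})
    last_key = None                      # flow of the most recent snort alert
    for line in text.splitlines():
        if m := SNORT_RE.match(line):
            last_key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            flows[last_key]["alerts"] += 1
        elif (m := REPEAT_RE.match(line)) and last_key:
            flows[last_key]["alerts"] += int(m["n"])   # syslog-collapsed duplicates
        elif (m := DENY_RE.match(line)) and m["verdict"] == "DENY":
            last_key = None              # a later "repeated" line is not an alert
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            flows[key]["denied"].append((_secs(m["hms"]), int(m["ipid"]), int(m["ttl"]), m["flags"]))
    return flows

def summarize(flows):
    """Per flow: dropped SYN count, spacing, and retransmission signs (rising IP ID, one TTL)."""
    out = []
    for key, f in sorted(flows.items()):
        syns = sorted(e for e in f["denied"] if e[3] == "SYN")
        out.append({"flow": key, "alerts": f["alerts"], "syn_count": len(syns),
                    "gaps_s": [b[0] - a[0] for a, b in zip(syns, syns[1:])],
                    "ttls": sorted({e[2] for e in syns}),
                    "ipid_rising": all(b[1] > a[1] for a, b in zip(syns, syns[1:]))})
    return out
```

Running `summarize(correlate(SAMPLE_LOG))` on the sample yields one flow with three alerts, three denied SYNs 4 and 5 seconds apart, a single TTL and a rising IP ID.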


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 

NIC-Mexico (NETBLK-REDMEX-BNETS) REDMEX-BNETS
 148.203.0.0 - 148.250.255.255

Instituto Politecnico Nacional (NET-IPN-MX) IPN-MX
 148.204.0.0 - 148.204.255.255


Instituto Politecnico Nacional (NET-IPN-MX)
   Juan de Dios Batiz s/n Col. La Escalera
   Mexico, DF 07738
   MX    

Netname: IPN-MX
   Netblock: 148.204.0.0 - 148.204.255.255    

Coordinator:
      DCyC, NIC - IPN  (NID1-ARIN)  nic@conectividad.ipn.mx
      + 52 55 57296000 ext 51404    

Domain System inverse mapping provided by:
   APOLLO.TELECOM.IPN.MX   148.204.103.2
   GODEL.ESFM.IPN.MX       148.204.102.3


"Instituto Politécnico Nacional
Miguel Othón Mendizábal s/n Col. Residencial la
        Escalera 07738
Tel. 57296000,
        México, D.F., México"

jsage@finchhaven.com
Last modified: Tue Feb 19 08:13:49 2002