[nsp] Possible strange attack

M.Palis security at cytanet.com.cy
Fri Feb 20 06:33:13 EST 2004


Hello all

I have noticed some strange things in access-list logging. I am continuously
getting the following from my access-list log:
 20 13:19:20.142 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp 127.0.0.1(80)
(GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.33.81(1263), 1 packet
Feb 20 13:19:21.226 EET: %SEC-6-IPACCESSLOGP: list 103 denied udp
159.12.66.221(137) (Serial1/0/0/6:0 ) -> 200.101.101.1(137), 1 packet
Feb 20 13:19:22.258 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp
127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.36.145(1433),
1 packet
Feb 20 13:19:23.362 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp
127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.34.249(1456),
1 packet
Feb 20 13:19:24.510 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp
127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.33.150(1648),
1 packet
Feb 20 13:19:25.590 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp
127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.35.218(1705),
1 packet
Feb 20 13:19:26.774 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp
127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.37.158(1762),
1 packet
Feb 20 13:19:27.966 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp
127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.36.60(1723), 1
packet
Feb 20 13:19:29.122 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp
127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.37.219(1473),
1 packet
Feb 20 13:19:30.642 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp
127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.33.160(1188),
1 packet

Feb 20 13:25:45.708 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.189.61(1455), 1 packet
Feb 20 13:25:46.708 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.214.201(1214), 1 packet
Feb 20 13:25:47.712 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.71.235(1098), 1 packet
Feb 20 13:25:48.740 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 192.168.11.227(1679), 1 packet
Feb 20 13:25:49.740 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.41.113(1154), 1 packet
Feb 20 13:25:50.740 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.146.68(1264), 1 packet
Feb 20 13:25:51.748 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.56.51(1361), 1 packet
Feb 20 13:25:52.788 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/5:0 ) -> 213.178.124.51(1721), 1 packet
Feb 20 13:25:53.792 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/11:0 ) -> 192.168.19.162(1499), 1 packet
Feb 20 13:25:54.792 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/11:0 ) -> 192.168.224.154(1111), 1 packet
Feb 20 13:25:55.800 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 213.178.147.73(1412), 1 packet
Feb 20 13:25:56.808 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.48.253(1369), 1 packet
Feb 20 13:25:57.808 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.210.232(1215), 1 packet
Feb 20 13:25:58.808 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.166.160(1870), 1 packet
Feb 20 13:25:59.808 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/6:0 ) -> 192.168.104.116(1400), 1 packet
Feb 20 13:26:00.824 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 192.168.156.146(1745), 1 packet
Feb 20 13:26:01.848 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/5:0 ) -> 10.0.166.10(1458), 1 packet
Feb 20 13:26:02.848 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/5:0 ) -> 10.0.141.65(1099), 1 packet
Feb 20 13:26:03.888 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/5:0 ) -> 213.178.218.144(1840), 1 packet
Feb 20 13:26:04.896 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/5:0 ) -> 10.0.97.203(1653), 1 packet
Feb 20 13:26:05.896 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.132.43(1173), 1 packet
Feb 20 13:26:06.920 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.211.106(1081), 1 packet
Feb 20 13:26:07.936 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/5:0 ) -> 10.0.173.142(1891), 1 packet
Feb 20 13:26:08.944 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.246.78(1689), 1 packet
Feb 20 13:26:10.000 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/11:0 ) -> 10.0.204.74(1409), 1 packet
Feb 20 13:26:11.008 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/5:0 ) -> 10.0.77.183(1447), 1 packet
Feb 20 13:26:12.012 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 192.168.98.240(1063), 1 packet
Feb 20 13:26:13.040 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/5:0 ) -> 10.0.170.53(1876), 1 packet
Feb 20 13:26:14.040 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/6:0 ) -> 213.178.155.58(1396), 1 packet
Feb 20 13:26:15.040 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/5:0 ) -> 213.178.131.61(1062), 1 packet
Feb 20 13:26:16.040 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 213.178.8.243(1638), 1 packet
Feb 20 13:26:16.944 EET: %SEC-6-IPACCESSLOGRL: access-list logging
rate-limited or missed 6969 packets
Feb 20 13:26:17.060 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.238.91(1216), 1 packet
Feb 20 13:26:18.064 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/11:0 ) -> 10.0.60.63(1742), 1 packet
Feb 20 13:26:19.064 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/11:0 ) -> 10.0.162.184(1375), 1 packet
Feb 20 13:26:20.088 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 213.178.216.186(1868), 1 packet
Feb 20 13:26:21.188 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/5:0 ) -> 213.178.219.230(1012), 1 packet
Feb 20 13:26:22.200 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/6:0 ) -> 192.168.87.175(1906), 1 packet
Feb 20 13:26:23.276 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.170.133(1801), 1 packet

It seems to be a kind of attack with source IP 127.0.0.1 port 80, which seems to
come from all my routers' interfaces. What could be the possible cause of
this? Any advice on how to handle this kind of attack?

Any help will be appreciated
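
An added example, not part of the original post: a small Python triage script that unwraps IOS `%SEC-6-IPACCESSLOGP` entries like those above and counts denied packets with a loopback source per ACL and ingress interface. 127.0.0.0/8 is never a valid source address on the wire, so the arriving interface is the only usable locator. The sample text is an excerpt of the log above, and the regex is an assumption that covers only the entry shape shown here.

```python
import ipaddress
import re
from collections import Counter

# Excerpt of the log above, still hard-wrapped the way the mail client left it.
SAMPLE = """\
Feb 20 13:19:21.226 EET: %SEC-6-IPACCESSLOGP: list 103 denied udp
159.12.66.221(137) (Serial1/0/0/6:0 ) -> 200.101.101.1(137), 1 packet
Feb 20 13:19:22.258 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp
127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.36.145(1433),
1 packet
Feb 20 13:25:45.708 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.189.61(1455), 1 packet
Feb 20 13:25:47.712 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp
127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.71.235(1098), 1 packet
Feb 20 13:26:16.944 EET: %SEC-6-IPACCESSLOGRL: access-list logging
rate-limited or missed 6969 packets
"""

# One logged ACL hit: ACL name, action, protocol, src(port), (interface [MAC]), dst(port), count.
ENTRY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) \((?P<ifname>\S+) ?(?P<mac>[0-9a-f.]*)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
MISSED = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?missed (\d+) packets")

def summarize(log_text):
    """Return (bogus-source packets per (acl, interface), other packets, unlogged packets)."""
    flat = " ".join(log_text.split())  # undo the hard line wrapping
    martian = Counter()
    other = 0
    for m in ENTRY.finditer(flat):
        src = ipaddress.ip_address(m["src"])
        n = int(m["count"])
        if src.is_loopback or src.is_unspecified or src.is_multicast:
            martian[(m["acl"], m["ifname"])] += n  # source cannot be real; key on ingress
        else:
            other += n
    missed = sum(int(x) for x in MISSED.findall(flat))  # hits the router did not log
    return martian, other, missed

if __name__ == "__main__":
    martian, other, missed = summarize(SAMPLE)
    for (acl, ifname), n in martian.most_common():
        print(f"acl={acl} ingress={ifname} bogus-source packets={n}")
    print(f"other logged packets={other}")
    print(f"rate-limited or missed={missed}")
```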


