[nsp] Possible strange attack
Linkova, Evgenia
jen at amt.ru
Fri Feb 20 06:42:26 EST 2004
Hi!
http://www.dshield.org/pipermail/list/2004-January/014027.php
=====
SY, Jen Linkova
AMT Group
Phone: +7 095 725 7660
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of M.Palis
> Sent: Friday, February 20, 2004 14:33
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] Possible strange attack
>
>
> Hello all
>
> I have noticed some strange things on access-list logging. I
> am continuously getting the following from my access-list log:
> 20 13:19:20.142 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp 127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.33.81(1263), 1 packet
> Feb 20 13:19:21.226 EET: %SEC-6-IPACCESSLOGP: list 103 denied udp 159.12.66.221(137) (Serial1/0/0/6:0 ) -> 200.101.101.1(137), 1 packet
> Feb 20 13:19:22.258 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp 127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.36.145(1433), 1 packet
> Feb 20 13:19:23.362 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp 127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.34.249(1456), 1 packet
> Feb 20 13:19:24.510 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp 127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.33.150(1648), 1 packet
> Feb 20 13:19:25.590 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp 127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.35.218(1705), 1 packet
> Feb 20 13:19:26.774 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp 127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.37.158(1762), 1 packet
> Feb 20 13:19:27.966 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp 127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.36.60(1723), 1 packet
> Feb 20 13:19:29.122 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp 127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.37.219(1473), 1 packet
> Feb 20 13:19:30.642 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp 127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) -> 212.31.33.160(1188), 1 packet
>
> Feb 20 13:25:45.708 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.189.61(1455), 1 packet
> Feb 20 13:25:46.708 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.214.201(1214), 1 packet
> Feb 20 13:25:47.712 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.71.235(1098), 1 packet
> Feb 20 13:25:48.740 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 192.168.11.227(1679), 1 packet
> Feb 20 13:25:49.740 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.41.113(1154), 1 packet
> Feb 20 13:25:50.740 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.146.68(1264), 1 packet
> Feb 20 13:25:51.748 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.56.51(1361), 1 packet
> Feb 20 13:25:52.788 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/5:0 ) -> 213.178.124.51(1721), 1 packet
> Feb 20 13:25:53.792 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/11:0 ) -> 192.168.19.162(1499), 1 packet
> Feb 20 13:25:54.792 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/11:0 ) -> 192.168.224.154(1111), 1 packet
> Feb 20 13:25:55.800 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 213.178.147.73(1412), 1 packet
> Feb 20 13:25:56.808 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.48.253(1369), 1 packet
> Feb 20 13:25:57.808 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.210.232(1215), 1 packet
> Feb 20 13:25:58.808 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.166.160(1870), 1 packet
> Feb 20 13:25:59.808 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/6:0 ) -> 192.168.104.116(1400), 1 packet
> Feb 20 13:26:00.824 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 192.168.156.146(1745), 1 packet
> Feb 20 13:26:01.848 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/5:0 ) -> 10.0.166.10(1458), 1 packet
> Feb 20 13:26:02.848 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/5:0 ) -> 10.0.141.65(1099), 1 packet
> Feb 20 13:26:03.888 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/5:0 ) -> 213.178.218.144(1840), 1 packet
> Feb 20 13:26:04.896 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/5:0 ) -> 10.0.97.203(1653), 1 packet
> Feb 20 13:26:05.896 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.132.43(1173), 1 packet
> Feb 20 13:26:06.920 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.211.106(1081), 1 packet
> Feb 20 13:26:07.936 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/5:0 ) -> 10.0.173.142(1891), 1 packet
> Feb 20 13:26:08.944 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.246.78(1689), 1 packet
> Feb 20 13:26:10.000 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/11:0 ) -> 10.0.204.74(1409), 1 packet
> Feb 20 13:26:11.008 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/5:0 ) -> 10.0.77.183(1447), 1 packet
> Feb 20 13:26:12.012 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 192.168.98.240(1063), 1 packet
> Feb 20 13:26:13.040 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/5:0 ) -> 10.0.170.53(1876), 1 packet
> Feb 20 13:26:14.040 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/6:0 ) -> 213.178.155.58(1396), 1 packet
> Feb 20 13:26:15.040 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/5:0 ) -> 213.178.131.61(1062), 1 packet
> Feb 20 13:26:16.040 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 213.178.8.243(1638), 1 packet
> Feb 20 13:26:16.944 EET: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 6969 packets
> Feb 20 13:26:17.060 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 10.0.238.91(1216), 1 packet
> Feb 20 13:26:18.064 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/11:0 ) -> 10.0.60.63(1742), 1 packet
> Feb 20 13:26:19.064 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/11:0 ) -> 10.0.162.184(1375), 1 packet
> Feb 20 13:26:20.088 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 213.178.216.186(1868), 1 packet
> Feb 20 13:26:21.188 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/5:0 ) -> 213.178.219.230(1012), 1 packet
> Feb 20 13:26:22.200 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/6:0 ) -> 192.168.87.175(1906), 1 packet
> Feb 20 13:26:23.276 EET: %SEC-6-IPACCESSLOGP: list customers denied tcp 127.0.0.1(80) (Serial1/0/0/6:0 ) -> 10.0.170.133(1801), 1 packet
>
> It seems a kind of attack with source IP 127.0.0.1 port 80
> which seems to come from all my router interfaces. What
> could be the possible cause of this? Any advice on how to
> handle this kind of attack?
>
> Any help will be appreciated
>
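An added example, not part of the original thread: one way to triage ACL log output like the quoted message, counting denied packets whose source is a loopback address (which should never appear on the wire) per access list and ingress interface, and totalling what the router says it did not log. The function names `unwrap` and `triage` are hypothetical, and the sample is constructed in the same mail-wrapped shape, with documentation-range addresses except for the loopback source.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: quote markers, entries split across lines, and
# timestamps fused onto the previous entry, as mail clients wrap them.
SAMPLE = """\
> Feb 20 13:25:45.708 EET: %SEC-6-IPACCESSLOGP: list customers
> denied tcp
> 127.0.0.1(80) (Serial1/0/0/12:0 ) -> 192.0.2.61(1455), 1
> packet Feb 20 13:25:46.708 EET: %SEC-6-IPACCESSLOGP: list
> customers denied tcp
> 127.0.0.1(80) (Serial1/0/0/6:0 ) -> 192.0.2.201(1214), 1
> packet Feb 20 13:25:47.100 EET: %SEC-6-IPACCESSLOGP: list 103 denied udp
> 198.51.100.7(137) (Serial1/0/0/6:0 ) -> 203.0.113.1(137), 1 packet
> Feb 20 13:25:48.000 EET: %SEC-6-IPACCESSLOGP: list 103 denied tcp
> 127.0.0.1(80) (GigabitEthernet0/0/0 0007.4f89.f800) ->
> 192.0.2.81(1263), 1 packet Feb 20 13:26:16.944 EET: %SEC-6-IPACCESSLOGRL:
> access-list logging rate-limited or missed 6969 packets
"""

ENTRY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (\S+) (permitted|denied) (\S+) "
    r"([\d.]+)\((\d+)\) \((\S+)\s*([0-9a-f.]*)\) -> ([\d.]+)\((\d+)\), (\d+) packet")
MISSED = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?missed (\d+) packets")

def unwrap(text):
    """Drop '>' quote markers and collapse line wrapping into single spaces."""
    lines = (re.sub(r"^\s*(>\s?)+", "", line) for line in text.splitlines())
    return " ".join(" ".join(lines).split())

def triage(text):
    """Count logged packets with a loopback source per (ACL, interface)."""
    flat = unwrap(text)
    loopback, other = Counter(), 0
    for acl, _act, _proto, src, _sp, ifc, _mac, _dst, _dp, n in ENTRY.findall(flat):
        if ipaddress.ip_address(src).is_loopback:
            loopback[(acl, ifc)] += int(n)   # impossible source: spoofed or broken sender
        else:
            other += int(n)
    unlogged = sum(int(m) for m in MISSED.findall(flat))
    return {"loopback": dict(loopback), "other": other, "unlogged": unlogged}
```

The per-interface counts show which links the loopback-sourced packets arrive on, and a large `unlogged` total means the logged entries are only a fraction of the traffic the ACL dropped.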