[nsp-sec] Report of successful WINS (ms09-039) compromise
Mark Boolootian
booloo at ucsc.edu
Mon Aug 17 13:45:18 EDT 2009
> We just got a report of two WINS servers at a .edu being compromised via
> the MS09-039[1] vulnerability over the weekend.
>
> The only information I have at this moment is the attacking IP was:
>
> 221.214.82.183
I've got a system that began spewing high-rate traffic to 224.0.1.24:42
last night. Running netflow shows TCP activity directed to port 42
of the system just prior to the spew. The source of the TCP activity
in our case was 221.214.82.185. Relevant netflow records follow:
Start             End               Sif SrcIPaddress   SrcP DIf DstIPaddress DstP P Fl Pkts Octets
0816.20:04:52.188 0816.20:04:55.260 6   221.214.82.185 2032 7   128.114.9.28 42   6 0  7    543
0816.20:04:50.269 0816.20:04:51.421 6   221.214.82.185 2006 7   128.114.9.28 42   6 0  8    1026
0816.20:04:53.404 0816.20:04:55.260 6   221.214.82.185 2046 7   128.114.9.28 42   6 0  6    497
0816.20:04:56.027 0816.20:04:57.563 6   221.214.82.185 2074 7   128.114.9.28 42   6 0  7    1114
0816.20:04:56.543 0816.20:04:57.951 6   221.214.82.185 2081 7   128.114.9.28 42   6 0  6    1944
0816.20:05:51.261 0816.20:05:51.261 6   221.214.82.185 2081 7   128.114.9.28 42   6 0  1    46
0816.20:05:51.261 0816.20:05:51.261 6   221.214.82.185 2074 7   128.114.9.28 42   6 0  1    46
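The sequence Mark describes (external TCP connections to port 42 on a WINS server, followed shortly by that server emitting a high-rate stream to 224.0.1.24:42) is a pattern that can be pulled out of flow records automatically. The script below is an added example, not code from the original post or the nsp-security list. It parses the whitespace-separated columns in the layout shown above (Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets), indexes inbound external TCP/42 flows per local host, and reports any local host whose later burst toward 224.0.1.24:42 was preceded by such a contact within a time window. The seven inbound records are copied from the post; the outbound records, the year 2009, the 128.114. local prefix, and the 100 pps threshold are assumptions constructed for the demonstration (the post does not give the outbound flow lines or their protocol).

```python
"""Correlate inbound TCP/42 (WINS) flows with a later outbound burst to
224.0.1.24:42, the sequence described in the post above.

Added example, not code from the original post. The seven inbound
records are copied from the post; the outbound records, the year, the
local prefix and the rate threshold are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

YEAR = 2009                 # assumption: the records carry no year
WINS_PORT = 42
WINS_MCAST = "224.0.1.24"
LOCAL_PREFIX = "128.114."   # assumption: the victim's local prefix


@dataclass
class Flow:
    start: datetime
    end: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    pkts: int
    octets: int


def parse_ts(s: str) -> datetime:
    """'0816.20:04:52.188' is MMDD.HH:MM:SS.mmm; prepend the assumed year."""
    return datetime.strptime(f"{YEAR}{s}", "%Y%m%d.%H:%M:%S.%f")


def parse_flows(text: str) -> List[Flow]:
    """Parse the 12-column layout used in the post; skip the header line."""
    flows = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 12 or f[0] == "Start":
            continue  # header or malformed line
        flows.append(Flow(parse_ts(f[0]), parse_ts(f[1]), f[3], int(f[4]),
                          f[6], int(f[7]), int(f[8]), int(f[10]), int(f[11])))
    return flows


def is_local(ip: str) -> bool:
    return ip.startswith(LOCAL_PREFIX)


def find_wins_compromises(flows: List[Flow], window=timedelta(minutes=10),
                          min_pps: float = 100.0) -> List[dict]:
    """For each local host emitting a high-rate flow to 224.0.1.24:42, report
    the earliest external TCP connection to its port 42 within `window`
    before the burst. Bursts with no such prior contact are not reported."""
    inbound: Dict[str, List] = defaultdict(list)   # victim -> [(start, attacker)]
    for f in flows:
        if f.proto == 6 and f.dport == WINS_PORT and is_local(f.dst) and not is_local(f.src):
            inbound[f.dst].append((f.start, f.src))

    alerts = []
    for f in flows:
        if not (is_local(f.src) and f.dst == WINS_MCAST and f.dport == WINS_PORT):
            continue
        seconds = max((f.end - f.start).total_seconds(), 0.001)
        pps = f.pkts / seconds
        if pps < min_pps:
            continue  # low-rate traffic, not the spew described
        prior = [c for c in inbound.get(f.src, []) if f.start - window <= c[0] <= f.start]
        if prior:
            first_contact, attacker = min(prior)
            alerts.append({"victim": f.src, "attacker": attacker,
                           "first_contact": first_contact, "spew_start": f.start,
                           "pps": round(pps, 1)})
    return alerts


# Seven inbound records quoted from the post, followed by three constructed
# outbound records: a real spew from the contacted host, a spew from a host
# with no prior TCP/42 contact (ignored), and a low-rate flow (ignored).
SAMPLE = """\
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
0816.20:04:52.188 0816.20:04:55.260 6 221.214.82.185 2032 7 128.114.9.28 42 6 0 7 543
0816.20:04:50.269 0816.20:04:51.421 6 221.214.82.185 2006 7 128.114.9.28 42 6 0 8 1026
0816.20:04:53.404 0816.20:04:55.260 6 221.214.82.185 2046 7 128.114.9.28 42 6 0 6 497
0816.20:04:56.027 0816.20:04:57.563 6 221.214.82.185 2074 7 128.114.9.28 42 6 0 7 1114
0816.20:04:56.543 0816.20:04:57.951 6 221.214.82.185 2081 7 128.114.9.28 42 6 0 6 1944
0816.20:05:51.261 0816.20:05:51.261 6 221.214.82.185 2081 7 128.114.9.28 42 6 0 1 46
0816.20:05:51.261 0816.20:05:51.261 6 221.214.82.185 2074 7 128.114.9.28 42 6 0 1 46
0816.20:06:30.000 0816.20:07:00.000 7 128.114.9.28 1025 6 224.0.1.24 42 17 0 45000 2700000
0816.20:06:30.000 0816.20:07:00.000 7 128.114.9.99 1025 6 224.0.1.24 42 17 0 45000 2700000
0816.20:06:45.000 0816.20:06:46.000 7 128.114.9.28 1026 6 224.0.1.24 42 17 0 2 120
"""

if __name__ == "__main__":
    for alert in find_wins_compromises(parse_flows(SAMPLE)):
        print(alert)
```

Run against the sample, the only alert names 128.114.9.28 as the victim and 221.214.82.185 as the attacker, with the first contact at 20:04:50.269 (the earliest inbound record, not the first one listed). The window and packet-rate threshold are the two knobs worth tuning on real exports: the window should cover the gap between the last inbound connection and the start of the spew, and the threshold should sit well above whatever legitimate WINS replication traffic your servers normally produce.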