Re: Surge of attacks on ports 61127 & 61134

From: Joseph (josephat_private)
Date: Thu Jul 25 2002 - 15:05:33 PDT


    Good point. No, I can't say it's an attack. You are correct, in that I 
    assume an attack. Normally every morning, I simply review my log(s), 
    tripwire, snort, and so forth. This morning these 2 ports popped up. 
    
    I recognized originating domains from top-10 attack lists, so I assumed. 
    
    I'll set up a packet capture, and feed back my findings. I think snort 
    can do this? 
    
    Someone mentioned using Linux as a masquerading firewall system, causing 
    such a thing. I'll look into that, I find it odd, as I've not noticed this 
    behavior ever. 
    
    All my sources are from "dialup" IPs, that's what I find odd, with a 
    higher presence from outside North America addresses. So in my mind, I 
    ruled out standard traffic.
    
    Sorry about the panic. Let me get more info.  
    
    On Thu, 25 Jul 2002, H C wrote:
    > Joseph,
    > 
    > How do you know that these are attacks?  Did you
    > capture the contents of the datagrams?  Have you found
    > anything listening on those ports on the destination
    > IPs?
    > 
    > 
    > --- Joseph <josephat_private> wrote:
    > > 
    > > This morning my logs showed me a surge of new UDP
    > > packet attacks, mainly 
    > > to ports 61127 & 61134 . I can't find any info on
    > > this, so I'm wondering 
    > > what it can be.
    > > 
    > > It seems very well known, if I can say, because
    > > source IPs are from 
    > > everywhere, I must have gotten a good 50-80 probes. 
    > > 
    > > I see a lot of different *dip.t-dialin.net origin
    > > sources, which 
    > > *dip.t-dialin.net seems to make the top 10 attack
    > > list at dshield and 
    > > incidents' website.
    > > 
    > > Curious, new virus? or attack tool? 
    > > 
    > > I don't have a log of the packet, just its denial
    > > attempt. Normally, all 
    > > my attacks are standard stuff, this pops out like
    > > really new...
    > > 
    > > 
    > > 
    > > 
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS
    > > analyzer service.
    > > For more information on this free incident handling,
    > > management 
    > > and tracking system please see:
    > > http://aris.securityfocus.com
    > > 
    > 
    > 
    > 
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 25 2002 - 14:35:10 PDT