RE: Kuang2 strikes again, is it just me?

From: Tim Heagarty (timat_private)
Date: Sun Feb 16 2003 - 21:16:39 PST


    I've only taken 5 hits on it but I'm on an Arizona dialup.
    
    2003-02-10 19:41:51 DROP TCP 64.30.100.205 216.19.8.xx 2929 17300 48 S 3792833103 0 16384 - - -
    2003-02-10 19:41:54 DROP TCP 64.30.100.205 216.19.8.xx 2929 17300 48 S 3792833103 0 16384 - - -
    2003-02-10 19:42:00 DROP TCP 64.30.100.205 216.19.8.xx 2929 17300 48 S 3792833103 0 16384 - - -
    
    2003-02-11 12:54:03 DROP TCP 68.101.101.100 216.19.8.xx 3220 17300 48 S 942330607 0 16384 - - -
    2003-02-11 12:54:06 DROP TCP 68.101.101.100 216.19.8.xx 3220 17300 48 S 942330607 0 16384 - - -
    
    Tim Heagarty MCSE, MCP+I
    http://www.theasecure.com/
    "There are only 10 kinds of people in the world, those that understand
    binary, and those that don't."
    Work: (928) 636-0489
    Cell: (928) 533-9690
    
    -----Original Message-----
    From: Trevor Metzger [mailto:trevor@e-oasis.com]
    Sent: Sunday, February 16, 2003 4:29 PM
    To: Incidents
    Subject: RE: Kuang2 strikes again, is it just me?
    
    
    Ditto here.  I'm on AT&T Broadband.  Several different source addresses.
    Here's a couple copies of the logged events:
    
    [00182] 2003-02-15 14:02:26 system-notification-00257(traffic):
    start_time="2003-02-15 14:02:26" duration=0 policy_id=320001
    service=tcp/port:17300 proto=6 src zone=Null dst zone=Null action=Deny
    sent=0 rcvd=48 src=24.165.244.146 dst=12.253.xx.xx
    [00188] 2003-02-15 14:07:07 system-notification-00257(traffic):
    start_time="2003-02-15 14:07:07" duration=0 policy_id=320001
    service=tcp/port:17300 proto=6 src zone=Null dst zone=Null action=Deny
    sent=0 rcvd=48 src=61.38.172.217 dst=12.253.xx.xx
    [00192] 2003-02-15 14:09:01 system-notification-00257(traffic):
    start_time="2003-02-15 14:09:01" duration=0 policy_id=320001
    service=tcp/port:17300 proto=6 src zone=Null dst zone=Null action=Deny
    sent=0 rcvd=48 src=61.85.80.162 dst=12.253.xx.xx
    
    Trevor Metzger, GCIH
    E-Oasis Consulting
    
    -----Original Message-----
    From: Jeff [mailto:spam-fighterat_private]
    Sent: Sunday, February 16, 2003 10:39 AM
    To: Jeff Kell; Incidents
    Subject: Re: Kuang2 strikes again, is it just me?
    
    
    "Jeff Kell" <jeff-kellat_private> wrote to <incidentsat_private> on
    Sat, 15 Feb 2003 at 20:35:02 -0500:
    
    > Last Sunday (Feb 9) I reported a sudden flurry of scans on tcp/17300
    > (the Kuang2 backdoor).  I had 9 hits in an hour on a cable modem, and
    > 18 in all in the next 6 hours, then they stopped.  Nothing appeared
    > on my radar screen at work where I monitor a /18, a /22, and a /24
    > address block.
    >
    > Today looks like a revisit of similar probing.  Home cable modem
    > reports (timezone EST, GMT-05:00), all directed at my tcp/17300:
    8<
    
    No, it's not just you.  I have seen (via Symantec Desktop Firewall) the
    following similar tcp/17300 hits on my home cable modem since 10/12/2002
    12:51:51 (most recent first, timezone EST, GMT-05:00, condensed):
    
    02/15/2003 16:40:59 (213.184.160.172)
    02/15/2003 14:36:14 (81.57.159.25)
    02/15/2003 14:36:11 (81.57.159.25)
    02/15/2003 13:54:04 (61.33.72.42)
    02/15/2003 13:53:58 (61.33.72.42)
    02/15/2003 13:53:55 (61.33.72.42)
    02/15/2003 13:30:50 (200.55.24.138)
    02/10/2003 7:25:20 (218.232.246.195)
    02/10/2003 7:25:08 (218.232.246.195)
    02/10/2003 7:25:02 (218.232.246.195)
    02/10/2003 7:24:59 (218.232.246.195)
    02/10/2003 7:11:51 (211.176.22.64)
    02/10/2003 7:11:39 (211.176.22.64)
    02/10/2003 7:11:33 (211.176.22.64)
    02/10/2003 7:11:30 (211.176.22.64)
    02/10/2003 7:08:22 (211.201.204.187)
    02/10/2003 7:08:16 (211.201.204.187)
    02/10/2003 7:08:13 (211.201.204.187)
    02/09/2003 9:58:18 (211.55.119.44)
    02/09/2003 9:58:13 (211.55.119.44)
    02/09/2003 9:58:09 (211.55.119.44)
    02/08/2003 7:51:24 (213.184.160.172)
    02/06/2003 7:00:19 (211.207.166.94)
    02/06/2003 7:00:07 (211.207.166.94)
    02/06/2003 7:00:01 (211.207.166.94)
    02/06/2003 6:59:58 (211.207.166.94)
    02/06/2003 6:21:58 (61.35.47.225)
    02/06/2003 6:21:52 (61.35.47.225)
    02/06/2003 6:21:49 (61.35.47.225)
    02/06/2003 6:13:09 (211.222.26.227)
    02/06/2003 6:12:57 (211.222.26.227)
    02/06/2003 6:12:51 (211.222.26.227)
    02/06/2003 6:12:48 (211.222.26.227)
    02/06/2003 6:12:17 (211.106.246.62)
    02/06/2003 6:12:14 (211.106.246.62)
    02/06/2003 5:50:18 (211.106.40.36)
    02/06/2003 5:50:12 (211.106.40.36)
    02/06/2003 5:50:09 (211.106.40.36)
    02/06/2003 5:43:01 (211.58.244.150)
    02/06/2003 5:42:55 (211.58.244.150)
    02/06/2003 5:42:52 (211.58.244.150)
    02/06/2003 5:40:03 (61.79.241.80)
    02/06/2003 5:39:57 (61.79.241.80)
    02/06/2003 5:39:54 (61.79.241.80)
    02/06/2003 5:35:11 (211.186.81.192)
    02/06/2003 5:34:59 (211.186.81.192)
    02/06/2003 5:34:53 (211.186.81.192)
    02/06/2003 5:34:50 (211.186.81.192)
    02/06/2003 5:10:04 (211.234.39.53)
    02/06/2003 5:09:58 (211.234.39.53)
    02/06/2003 5:09:55 (211.234.39.53)
    02/06/2003 4:28:49 (211.213.165.235)
    02/06/2003 4:28:37 (211.213.165.235)
    02/06/2003 4:28:31 (211.213.165.235)
    02/06/2003 4:28:28 (211.213.165.235)
    02/06/2003 4:14:54 (211.222.187.63)
    02/06/2003 4:14:48 (211.222.187.63)
    02/06/2003 4:14:45 (211.222.187.63)
    02/06/2003 4:10:36 (211.220.207.13)
    02/06/2003 4:10:24 (211.220.207.13)
    02/06/2003 4:10:18 (211.220.207.13)
    02/06/2003 4:10:15 (211.220.207.13)
    02/06/2003 3:47:17 (218.154.30.144)
    02/06/2003 3:47:05 (218.154.30.144)
    02/06/2003 3:46:59 (218.154.30.144)
    02/06/2003 3:46:56 (218.154.30.144)
    02/06/2003 3:42:50 (220.76.249.203)
    02/06/2003 3:42:47 (220.76.249.203)
    02/06/2003 3:14:08 (61.98.108.76)
    02/06/2003 3:14:01 (61.98.108.76)
    02/06/2003 3:13:59 (61.98.108.76)
    02/01/2003 18:54:26 (68.112.103.237)
    02/01/2003 18:54:23 (68.112.103.237)
    01/20/2003 16:12:44 (217.80.153.166)
    01/20/2003 3:09:59 (24.94.62.222)
    01/20/2003 3:09:56 (24.94.62.222)
    01/15/2003 0:03:54 (66.91.171.247)
    01/15/2003 0:03:51 (66.91.171.247)
    01/13/2003 3:50:03 (68.3.34.97)
    01/12/2003 22:02:13 (80.126.111.197)
    01/07/2003 7:36:33 (80.142.73.163)
    12/29/2002 11:15:11 (213.184.160.172)
    12/28/2002 14:56:11 (61.77.197.107)
    12/28/2002 14:56:05 (61.77.197.107)
    12/28/2002 14:56:02 (61.77.197.107)
    12/28/2002 14:48:23 (211.224.214.124)
    12/28/2002 14:48:11 (211.224.214.124)
    12/28/2002 14:48:05 (211.224.214.124)
    12/28/2002 14:48:02 (211.224.214.124)
    12/28/2002 14:46:08 (24.161.249.48)
    12/28/2002 14:45:56 (24.161.249.48)
    12/28/2002 14:45:50 (24.161.249.48)
    12/28/2002 14:45:47 (24.161.249.48)
    12/25/2002 21:07:03 (211.219.255.124)
    12/25/2002 21:06:51 (211.219.255.124)
    12/25/2002 21:06:45 (211.219.255.124)
    12/25/2002 21:06:42 (211.219.255.124)
    12/25/2002 17:24:12 (12.222.124.74)
    12/20/2002 2:37:03 (12.222.124.74)
    11/30/2002 19:53:06 (217.164.248.210)
    11/30/2002 19:53:03 (217.164.248.210)
    11/24/2002 20:43:55 (24.226.43.249)
    11/24/2002 20:43:55 (24.90.170.100)
    11/23/2002 9:41:52 (213.184.177.137)
    11/13/2002 5:21:27 (213.238.30.7)
    11/12/2002 6:40:47 (61.81.148.119)
    11/12/2002 6:40:41 (61.81.148.119)
    11/12/2002 6:40:39 (61.81.148.119)
    11/02/2002 3:19:35 (24.200.137.81)
    10/31/2002 2:22:42 (213.184.169.65)
    10/20/2002 10:15:08 (212.118.139.227)
    
    I have condensed "Unused port blocking has blocked communications.  Details:
    Inbound TCP connection
    Remote address,local service is" and ",17300" from each line.
    
    Best Regards,  Jeff.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
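The three posters log the same kind of event in three different firewall formats (Windows ICF pfirewall.log, NetScreen traffic syslog, and Jeff's condensed Symantec Desktop Firewall list), and each counts raw blocked packets as "hits". Tim's three lines carry the same TCP sequence number (3792833103) at +3s and +6s, so they are one SYN retransmitted by a blocked client, not three probes; Jeff's 7:24:59 / 7:25:02 / 7:25:08 / 7:25:20 group shows the same 3s/6s/12s backoff. The script below is an added example, not code from any of the posters: it parses all three formats, folds retransmissions from one source into a single probe, and reports distinct probes and sources. The sample lines are constructed from addresses quoted in the thread (the NetScreen entries, wrapped in the mail, are joined onto one line each), and the assumption that Jeff's condensed lines all refer to port 17300 comes from his own note about what he stripped.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input modelled on the three formats quoted in the thread.
# One extra ICF line to a different port is included to show that it is kept apart.
SAMPLE_LOG = """\
2003-02-10 19:41:51 DROP TCP 64.30.100.205 216.19.8.xx 2929 17300 48 S 3792833103 0 16384 - - -
2003-02-10 19:41:54 DROP TCP 64.30.100.205 216.19.8.xx 2929 17300 48 S 3792833103 0 16384 - - -
2003-02-10 19:42:00 DROP TCP 64.30.100.205 216.19.8.xx 2929 17300 48 S 3792833103 0 16384 - - -
2003-02-11 12:54:03 DROP TCP 68.101.101.100 216.19.8.xx 3220 17300 48 S 942330607 0 16384 - - -
2003-02-11 12:54:06 DROP TCP 68.101.101.100 216.19.8.xx 3220 17300 48 S 942330607 0 16384 - - -
2003-02-11 12:55:00 DROP TCP 68.101.101.100 216.19.8.xx 3221 80 48 S 1 0 16384 - - -
[00182] 2003-02-15 14:02:26 system-notification-00257(traffic): start_time="2003-02-15 14:02:26" duration=0 policy_id=320001 service=tcp/port:17300 proto=6 src zone=Null dst zone=Null action=Deny sent=0 rcvd=48 src=24.165.244.146 dst=12.253.xx.xx
[00188] 2003-02-15 14:07:07 system-notification-00257(traffic): start_time="2003-02-15 14:07:07" duration=0 policy_id=320001 service=tcp/port:17300 proto=6 src zone=Null dst zone=Null action=Deny sent=0 rcvd=48 src=61.38.172.217 dst=12.253.xx.xx
02/10/2003 7:25:20 (218.232.246.195)
02/10/2003 7:25:08 (218.232.246.195)
02/10/2003 7:25:02 (218.232.246.195)
02/10/2003 7:24:59 (218.232.246.195)
02/15/2003 16:40:59 (213.184.160.172)
02/08/2003 7:51:24 (213.184.160.172)
"""

# Windows ICF pfirewall.log: date time action proto src dst sport dport ...
ICF_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (\w+) (\S+) (\S+) (\S+) (\S+) ")
# NetScreen traffic syslog: key=value fields, port inside service=tcp/port:N
NS_RE = re.compile(r'start_time="([^"]+)".*?service=tcp/port:(\d+).*?action=(\w+).*?src=(\S+) dst=(\S+)')
# Jeff's condensed Symantec list: "MM/DD/YYYY H:MM:SS (src)", port stripped by the poster
SDF_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d{1,2}:\d\d:\d\d) \(([\d.]+)\)")


def parse_line(line, implied_port=17300):
    """Return (timestamp, src_ip, dst_port) for a recognised log line, else None."""
    m = ICF_RE.match(line)
    if m:
        ts, _action, proto, src, _dst, _sport, dport = m.groups()
        if proto != "TCP" or not dport.isdigit():
            return None
        return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, int(dport)
    m = NS_RE.search(line)
    if m:
        ts, dport, _action, src, _dst = m.groups()
        return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, int(dport)
    m = SDF_RE.match(line)
    if m:
        ts, src = m.groups()
        # assumption: the condensed list only contains tcp/17300 events
        return datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"), src, implied_port
    return None


def collapse_probes(events, gap=timedelta(seconds=30)):
    """Fold SYN retransmissions from one (source, port) into a single probe.

    A client whose SYN is silently dropped retransmits it after roughly 3s, 6s
    and 12s, so several blocked packets a few seconds apart from the same source
    are one connection attempt. Any event within `gap` of the previous event for
    the same (src, port) is merged into the open probe for that key.
    """
    probes = []
    open_probe = {}  # (src, port) -> index into probes
    for ts, src, port in sorted(events):
        key = (src, port)
        i = open_probe.get(key)
        if i is not None and ts - probes[i]["last"] <= gap:
            probes[i]["last"] = ts
            probes[i]["syns"] += 1
        else:
            probes.append({"src": src, "port": port, "first": ts, "last": ts, "syns": 1})
            open_probe[key] = len(probes) - 1
    return probes


def kuang2_summary(text, port=17300):
    """Summarise probes against one port: raw packets, distinct probes, per-source counts."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    probes = [p for p in collapse_probes(events) if p["port"] == port]
    per_source = defaultdict(int)
    for p in probes:
        per_source[p["src"]] += 1
    return {
        "raw_hits": sum(1 for e in events if e[2] == port),
        "probes": len(probes),
        "sources": dict(per_source),
        # sources whose probe consisted of more than one packet (retransmit bursts)
        "retransmit_bursts": [(p["src"], p["syns"]) for p in probes if p["syns"] > 1],
    }


if __name__ == "__main__":
    summary = kuang2_summary(SAMPLE_LOG)
    print(f"{summary['raw_hits']} blocked packets, {summary['probes']} probes, "
          f"{len(summary['sources'])} sources")
    for src, n in sorted(summary["sources"].items()):
        print(f"  {src:<16} {n} probe(s)")
```

On the constructed sample the 13 blocked packets to tcp/17300 collapse to 7 probes from 6 sources, with 213.184.160.172 (which Jeff saw on 12/29, 02/08 and 02/15) the only repeat visitor. The 30 second merge window is wide enough to cover the 3/6/12 second backoff and narrow enough that a return visit hours later still counts separately.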
    



    This archive was generated by hypermail 2b30 : Mon Feb 17 2003 - 13:55:45 PST