Don't quote me on this, but...

I read something on Morpheus (music city) about a DoS attack launched on/from the new Morpheus clients. They have since scrapped that sharing model and are now using a Gnutella type model.

Your attack may have been caused by wayward Morpheus clients. If this is the case, it probably won't happen again since they have changed the code.

Just a thought...

Cheers

Andrew
Kiwi Enterprises

-----Original Message-----
From: Alexandre Dulaunoy [mailto:adulau-conosat_private]
Sent: Wednesday, 13 March 2002 7:52 p.m.
To: John Campbell
Cc: loganalysisat_private
Subject: Re: [logs] Distributed attack on port 6398?

No occurrence in IANA:
http://www.iana.org/assignments/port-numbers

http://www.snort.org/ports.html?port=6398
It's not in the snort port database.

It's not in the trojan list:
http://www.simovits.com/nyheter9902.html
http://www.sys-security.com/html/papers/trojan_list.html

So a capture of the tcp stream could be useful ;-)

alx

On Tue, 12 Mar 2002, John Campbell wrote:

> Hi all,
>
> Very unusual activity noted on 3/11/2002: hundreds of hosts packeting
> one of our dns/email servers on port 6398. Firewall bounced and logged
> everything. Sources all over the map but the majority look like ISP end
> users. Sources sent between 1 and 48 packets each. Sorry no packet
> trace - firewall just drops and logs. Anybody seen anything like this?
> A couple of days earlier, we had a number of hits on same box for 6346
> (gnutella.)
>
> Curious if anyone else has seen anything similar.
>
> John Campbell, GCWN
> Information Security Engineer
> Washington School Information Processing Cooperative
> (WSIPC)
> Email: jcampbellat_private
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: loganalysis-unsubscribeat_private
> For additional commands, e-mail: loganalysis-helpat_private
>

--
Alexandre Dulaunoy
adulauat_private
http://www.conostix.com/
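One way to triage the kind of fan-in John describes when only drop logs are available, as an added example that is not part of the original thread: it groups dropped packets by destination port and reports distinct sources and packets per source. The netfilter-style log format, the sample lines and the threshold are assumptions, since the thread does not name the firewall.

```python
import re
from collections import Counter, defaultdict

# Assumed log format: Linux netfilter LOG lines. The thread does not say which
# firewall produced the logs, so adapt the regex to your own drop log.
FIELDS = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\S+) SPT=\d+ DPT=(\d+)")

def summarize(lines):
    """Group dropped packets by (dst, proto, dport); count packets per source."""
    per_target = defaultdict(Counter)
    for line in lines:
        m = FIELDS.search(line)
        if m:  # skip lines that are not TCP/UDP packet drops
            src, dst, proto, dport = m.groups()
            per_target[(dst, proto, int(dport))][src] += 1
    return {
        target: {
            "sources": len(srcs),
            "packets": sum(srcs.values()),
            "min_per_source": min(srcs.values()),
            "max_per_source": max(srcs.values()),
        }
        for target, srcs in per_target.items()
    }

def fan_in(summary, min_sources):
    """Targets hit by at least min_sources distinct hosts, widest first."""
    hits = [(t, s) for t, s in summary.items() if s["sources"] >= min_sources]
    return sorted(hits, key=lambda ts: -ts[1]["sources"])

def make_line(src, dport, n):
    # Constructed sample line; documentation addresses, not real traffic.
    return (f"Mar 11 09:14:{n:02d} fw kernel: DROP IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 LEN=48 PROTO=TCP SPT={1024 + n} DPT={dport}")

# (source, destination port, packets sent), all constructed
TRAFFIC = [("198.51.100.7", 6398, 1), ("198.51.100.9", 6398, 3),
           ("203.0.113.5", 6398, 2), ("203.0.113.77", 6398, 1),
           ("198.51.100.7", 6346, 2), ("203.0.113.200", 25, 5)]
SAMPLE = [make_line(s, p, i) for s, p, c in TRAFFIC for i in range(c)]
SAMPLE.append("Mar 11 09:15:00 fw kernel: device eth0 entered promiscuous mode")

if __name__ == "__main__":
    for (dst, proto, dport), s in fan_in(summarize(SAMPLE), min_sources=3):
        print(f"{dst} {proto}/{dport}: {s['sources']} sources, "
              f"{s['min_per_source']}-{s['max_per_source']} packets each")
```

Many distinct sources each sending only a few packets to one unassigned port is the pattern to separate from a single noisy host, which shows up as one source with a high packet count.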
This archive was generated by hypermail 2b30 : Wed Mar 13 2002 - 15:57:47 PST