RE: [logs] Distributed attack on port 6398?

From: Andrew Ross (andrewat_private)
Date: Wed Mar 13 2002 - 15:03:01 PST


    Don't quote me on this, but...
    
    I read something on Morpheus (music city) about a DoS attack launched
    on/from the new Morpheus clients. They have since scrapped that sharing
    model and are now using a Gnutella type model. Your attack may have been
    caused by wayward Morpheus clients. If this is the case, it probably won't
    happen again since they have changed the code.
    
    Just a thought...
    
    Cheers
    
    Andrew
    Kiwi Enterprises
    
    
    
    
    -----Original Message-----
    From: Alexandre Dulaunoy [mailto:adulau-conosat_private]
    Sent: Wednesday, 13 March 2002 7:52 p.m.
    To: John Campbell
    Cc: loganalysisat_private
    Subject: Re: [logs] Distributed attack on port 6398?
    
    
    
    No occurrence in IANA:
    http://www.iana.org/assignments/port-numbers
    
    http://www.snort.org/ports.html?port=6398
    It's not in the snort port database.
    
    It's not in the trojan list :
    http://www.simovits.com/nyheter9902.html
    http://www.sys-security.com/html/papers/trojan_list.html
    
    
    So a capture of the tcp stream could be useful ;-)
    
    alx
    
    On Tue, 12 Mar 2002, John Campbell wrote:
    
    > Hi all,
    >
    > Very unusual activity noted on 3/11/2002:  hundreds of hosts packeting
    > one of our dns/email servers on port 6398.  Firewall bounced and logged
    > everything.  Sources all over the map but the majority look like ISP end
    > users.  Sources sent between 1 and 48 packets each.  Sorry no packet
    > trace - firewall just drops and logs.  Anybody seen anything like this?
    > A couple of days earlier, we had a number of hits on same box for 6346
    > (gnutella.)
    >
    > Curious if anyone else has seen anything similar.
    >
    > John Campbell, GCWN
    > Information Security Engineer
    > Washington School Information Processing Cooperative
    > (WSIPC)
    > Email: jcampbellat_private
    >
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > For additional commands, e-mail: loganalysis-helpat_private
    >
    
    --
    Alexandre Dulaunoy			adulauat_private
    					http://www.conostix.com/
    
    
    



    This archive was generated by hypermail 2b30 : Wed Mar 13 2002 - 15:57:47 PST