RE: [logs] Distributed attack on port 6398?

From: Andrew Ross (andrewat_private)
Date: Wed Mar 13 2002 - 15:03:01 PST

Next message: Tina Bird: "Re: [logs] Sentry/Counterpane how is it working ?"

Previous message: dgillettat_private: "Re: [logs] Sentry/Counterpane how is it working ?"
In reply to: Alexandre Dulaunoy: "Re: [logs] Distributed attack on port 6398?"
Next in thread: John Campbell: "RE: [logs] Distributed attack on port 6398?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Don't quote me on this, but...

I read something on Morpheus (music city) about a DoS attack launched
on/from the new Morpheus clients. They have since scrapped that sharing
model and are now using a Gnutella type model. Your attack may have been
caused by wayward Morpheus clients. If this the case, it probably won't
happen again since they have changed the code.

Just a thought...

Cheers

Andrew
Kiwi Enterprises




-----Original Message-----
From: Alexandre Dulaunoy [mailto:adulau-conosat_private]
Sent: Wednesday, 13 March 2002 7:52 p.m.
To: John Campbell
Cc: loganalysisat_private
Subject: Re: [logs] Distributed attack on port 6398?



No accurance in IANA :
http://www.iana.org/assignments/port-numbers

http://www.snort.org/ports.html?port=6398
It's not in the snort port database.

It's not in the trojan list :
http://www.simovits.com/nyheter9902.html
http://www.sys-security.com/html/papers/trojan_list.html


So a capture of the tcp stream could be useful ;-)

alx

On Tue, 12 Mar 2002, John Campbell wrote:

> Hi all,
>
> Very unusual activity noted on 3/11/2002:  hundreds of hosts packeting
> one of our dns/email servers on port 6398.  Firewall bounced and logged
> everything.  Sources all over the map but the majority look like ISP end
> users.  Sources sent between 1 and 48 packets each.  Sorry no packet
> trace - firewall just drops and logs.  Anybody seen anything like this?
> A couple of days earlier, we had a number of hits on same box for 6346
> (gnutella.)
>
> Curious if anyone else has seen anything similar.
>
> John Campbell, GCWN
> Information Security Engineer
> Washington School Information Processing Cooperative
> (WSIPC)
> Email: jcampbellat_private
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: loganalysis-unsubscribeat_private
> For additional commands, e-mail: loganalysis-helpat_private
>

--
Alexandre Dulaunoy			adulauat_private
					http://www.conostix.com/


---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private



---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private

Next message: Tina Bird: "Re: [logs] Sentry/Counterpane how is it working ?"
Previous message: dgillettat_private: "Re: [logs] Sentry/Counterpane how is it working ?"
In reply to: Alexandre Dulaunoy: "Re: [logs] Distributed attack on port 6398?"
Next in thread: John Campbell: "RE: [logs] Distributed attack on port 6398?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Mar 13 2002 - 15:57:47 PST