RE: [logs] Distributed attack on port 6398?

From: John Campbell (jcampbellat_private)
Date: Wed Mar 13 2002 - 12:43:18 PST


    As of today I'm thinking the specific port is irrelevant.  There has
    been some additional activity of a similar sort, on a different high
    port.  I'd checked Google and IANA, thanks for the suggestions of the
    snort database and trojan list.
    
    -John
    
    -----Original Message-----
    From: Alexandre Dulaunoy [mailto:adulau-conosat_private] 
    Sent: Tuesday, March 12, 2002 10:52 PM
    To: John Campbell
    Cc: loganalysisat_private
    Subject: Re: [logs] Distributed attack on port 6398?
    
    
    
    No occurrence in IANA : http://www.iana.org/assignments/port-numbers
    
    http://www.snort.org/ports.html?port=6398 
    It's not in the snort port database.
    
    It's not in the trojan list : 
    http://www.simovits.com/nyheter9902.html
    http://www.sys-security.com/html/papers/trojan_list.html
    
    
    So a capture of the tcp stream could be useful ;-)
    
    alx
    
    On Tue, 12 Mar 2002, John Campbell wrote:
    
    > Hi all,
    > 
    > Very unusual activity noted on 3/11/2002:  hundreds of hosts packeting
    > one of our dns/email servers on port 6398.  Firewall bounced and 
    > logged everything.  Sources all over the map but the majority look 
    > like ISP end users.  Sources sent between 1 and 48 packets each.  
    > Sorry no packet trace - firewall just drops and logs.  Anybody seen 
    > anything like this? A couple of days earlier, we had a number of hits 
    > on same box for 6346
    > (gnutella.)
    > 
    > Curious if anyone else has seen anything similar.
    > 
    > John Campbell, GCWN
    > Information Security Engineer
    > Washington School Information Processing Cooperative
    > (WSIPC)
    > Email: jcampbellat_private
    > 
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > For additional commands, e-mail: loganalysis-helpat_private
    > 
    
    -- 
    Alexandre Dulaunoy			adulauat_private
    					http://www.conostix.com/
    
    
    



    This archive was generated by hypermail 2b30 : Wed Mar 13 2002 - 17:24:39 PST