Security Incidents mailing list archives
Re: ics.org rejected packets
From: Attonbitus Deus <Thor () HAMMEROFGOD COM>
Date: Sun, 31 Dec 2000 10:25:00 -0800
The ics.org guys are already on it to see what is happening here. Impressive, actually - this is the first time I have received a response from anyone when I request information on IP activity.

Something is definitely going on around here though... Yesterday, I had over 8 hours of (mostly TCP 38774-38778) destination traffic rejected by my firewall from a UK IP (194.238.189.*) resulting in over 20,000 log entries.

AD

----- Original Message -----
From: "Jeff" <jeff () TCNET ORG>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, December 30, 2000 1:43 PM
Subject: Re: ics.org rejected packets

On Sat, 30 Dec 2000, Attonbitus Deus wrote:

> I've got about 20 minutes worth of rejected packets in my log from ics.org (12.40.53.18). All against 51700-51705.

Greetings-

I'll assume you speak of a TCP and/or UDP port range here.

ICQ-related. I know of nothing that links ics.org with ICQ/AOL, so it is likely someone using ICQ to communicate with someone using ICQ on your network.

ICQ clients try to communicate peer-to-peer via UDP, TCP for file transfers and later versions of the protocol. Failing that, they resort to using ICQ servers as a middleman.

Innocent causes aside, someone could be trying to probe your network to determine if you have opened these ports for forwarding into the internal network/past the screening routers to allow internal clients to use ICQ.

I don't recall the state of common ICQ clients in terms of known exploits -- other than those purely social in nature.

Further investigation at your discretion.

-jeff

--
Jeff Godin
Network Specialist
Traverse Area District Library / Traverse Community Network
jeff () tcnet org