Security Incidents mailing list archives

Possible Port 1024 DDoS - More Information


From: Abe Getchell <agetchel () KDE STATE KY US>
Date: Mon, 23 Oct 2000 17:43:49 -0400

Hey all,
        Below is a list of IP addresses I'm seeing this traffic coming from:

129.186.157.13  (hawthorn-157-13.stures.iastate.edu)
130.243.31.133  (du5-202.fut.kau.se)
147.237.72.84
194.205.125.26  <- Lots of traffic coming from this one
194.213.64.150  <- Lots of traffic coming from this one
194.29.215.100
195.132.21.39   (r21m39.cybercable.tm.fr)
195.18.249.231  (efnet.telia.no)
204.70.128.1    (ns.cw.net)
207.35.169.253
208.225.201.200         (attrition.org) <- Eep!
209.249.97.40   <- Lots of traffic coming from this one
211.62.35.155
212.23.225.98   <- Lots of traffic coming from this one
212.78.160.237  <- Lots of traffic coming from this one
216.32.120.133  (pages.ebay.com)
216.33.72.163
216.35.167.58   <- Lots of traffic coming from this one
216.46.232.155  (aish.org)
24.180.27.68    (cc804623-a.sumt1.nj.home.com)
24.228.41.69
24.28.83.153    (cs2883-153.austin.rr.com)
24.30.114.2
24.71.203.129   (h24-71-203-129.cg.shawcable.net)
62.26.119.34    <- Lots of traffic coming from this one
63.88.120.172
64.14.200.154   <- Lots of traffic coming from this one
64.225.122.177  (epicinter.net) <- Lots of traffic coming from this one
64.37.200.46    <- Lots of traffic coming from this one
64.71.132.105   (my.dick.is.a.pussymagnet.org) <- [laugh]

        Lots of cable and DSL lines, easy targets.  A few universities and
educational sites, easy targets.  I haven't notified any of these sites yet,
which I probably should have done before sending out the IP addresses, but I
want to confirm that I'm not the only one seeing this type of traffic from
these sites.
        After some searching on the net I found two references to DNS
queries coming in on port 1024.  I could almost believe that this is
legitimate traffic after reading this... if there wasn't so much of it, and
that not all of the destination servers were DNS servers (just one of them),
AND that two other people are seeing the same kind of traffic from the same
servers being dropped by their firewall.
        I was also a bit concerned to find that there is an application
called 'NetSpy' which runs on port 1024.  This application apparently lets a
user remotely monitor what is happening on the system which it is installed
on.  I could, however, find no evidence that this was installed on the one
machine I could get my hands on at the moment.  More information can be
found about NetSpy at:

http://www.5star-shareware.com/Internet/LogAnalyzers/netspy.html

        Any ideas, folks?

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel () kde state ky us
Web     http://www.kde.state.ky.us/
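An added example, not part of the thread or of any poster's tooling, showing the kind of triage the message above is doing by hand: run firewall drop records through a small script that, for every source sending to port 1024, separates what could plausibly be a DNS reply to a query sent from source port 1024 (UDP, source port 53, destined to a known DNS server) from everything else, then flags sources whose unexplained traffic exceeds a threshold. The log lines, the record format and the IP addresses (RFC 5737 documentation ranges) are all constructed for the example; the format is an assumption and does not match any particular firewall's syntax.

```python
import re
from collections import defaultdict

# Constructed firewall drop records for illustration (not from the thread).
# Assumed record format (an assumption, not any real firewall's syntax):
#   "<mon> <day> <time> DROP <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
Oct 23 16:01:02 DROP UDP 203.0.113.10:53 -> 192.0.2.53:1024
Oct 23 16:01:03 DROP UDP 203.0.113.10:53 -> 192.0.2.53:1024
Oct 23 16:01:05 DROP UDP 203.0.113.10:1024 -> 192.0.2.20:1024
Oct 23 16:01:06 DROP UDP 203.0.113.10:1024 -> 192.0.2.21:1024
Oct 23 16:01:07 DROP UDP 203.0.113.10:1024 -> 192.0.2.22:1024
Oct 23 16:01:08 DROP UDP 203.0.113.10:1024 -> 192.0.2.23:1024
Oct 23 16:02:10 DROP UDP 203.0.113.11:53 -> 192.0.2.53:1024
Oct 23 16:02:11 DROP UDP 203.0.113.11:53 -> 192.0.2.53:1024
Oct 23 16:03:30 DROP TCP 198.51.100.7:3201 -> 192.0.2.22:1024
Oct 23 16:04:00 DROP TCP 198.51.100.7:3202 -> 192.0.2.22:80
Oct 23 16:05:00 kernel: unrelated syslog line that the parser must skip
"""

LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} DROP (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn drop records into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def classify(ev, dns_servers, port=1024):
    """Label one dropped packet relative to the port under investigation.

    A UDP packet from source port 53 to one of our DNS servers on `port` is
    consistent with a reply to a query that the server sent from source port
    `port`.  Anything else aimed at `port` is left as unexplained.
    """
    if ev["dport"] != port:
        return "other"
    if ev["proto"] == "UDP" and ev["sport"] == 53 and ev["dst"] in dns_servers:
        return "dns_reply"
    return "unexplained"


def summarize(events, dns_servers, port=1024, threshold=3):
    """Per-source counts of plausible DNS replies vs. unexplained hits on `port`."""
    per_src = defaultdict(lambda: {"dns_reply": 0, "unexplained": 0, "dsts": set()})
    for ev in events:
        label = classify(ev, dns_servers, port)
        if label == "other":
            continue
        bucket = per_src[ev["src"]]
        bucket[label] += 1
        bucket["dsts"].add(ev["dst"])
    report = {}
    for src, b in per_src.items():
        report[src] = {
            "dns_reply": b["dns_reply"],
            "unexplained": b["unexplained"],
            "distinct_dsts": len(b["dsts"]),
            # "Lots of traffic" that the DNS explanation does not account for.
            "flag": b["unexplained"] >= threshold,
        }
    return report


def flagged_sources(report):
    """Sorted list of sources worth contacting or blocking."""
    return sorted(src for src, r in report.items() if r["flag"])


if __name__ == "__main__":
    rep = summarize(parse_log(SAMPLE_LOG), dns_servers={"192.0.2.53"})
    for src in sorted(rep):
        print(src, rep[src])
    print("flagged:", flagged_sources(rep))
```

The split matters because the DNS story only explains packets that are replies from port 53 to a host that actually runs a resolver; a source that also sends to ordinary hosts, or from its own port 1024, is not covered by it, and the per-source "unexplained" count is what justifies contacting that network's abuse desk. Adjust `dns_servers`, `port` and `threshold` to the local environment.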

