Security Incidents mailing list archives
Possible Port 1024 DDoS - More Information
From: Abe Getchell <agetchel () KDE STATE KY US>
Date: Mon, 23 Oct 2000 17:43:49 -0400
Hey all,

Below is a list of IP addresses I'm seeing this traffic coming from:

129.186.157.13 (hawthorn-157-13.stures.iastate.edu)
130.243.31.133 (du5-202.fut.kau.se)
147.237.72.84
194.205.125.26 <- Lots of traffic coming from this one
194.213.64.150 <- Lots of traffic coming from this one
194.29.215.100
195.132.21.39 (r21m39.cybercable.tm.fr)
195.18.249.231 (efnet.telia.no)
204.70.128.1 (ns.cw.net)
207.35.169.253
208.225.201.200 (attrition.org) <- Eep!
209.249.97.40 <- Lots of traffic coming from this one
211.62.35.155
212.23.225.98 <- Lots of traffic coming from this one
212.78.160.237 <- Lots of traffic coming from this one
216.32.120.133 (pages.ebay.com)
216.33.72.163
216.35.167.58 <- Lots of traffic coming from this one
216.46.232.155 (aish.org)
24.180.27.68 (cc804623-a.sumt1.nj.home.com)
24.228.41.69
24.28.83.153 (cs2883-153.austin.rr.com)
24.30.114.2
24.71.203.129 (h24-71-203-129.cg.shawcable.net)
62.26.119.34 <- Lots of traffic coming from this one
63.88.120.172
64.14.200.154 <- Lots of traffic coming from this one
64.225.122.177 (epicinter.net) <- Lots of traffic coming from this one
64.37.200.46 <- Lots of traffic coming from this one
64.71.132.105 (my.dick.is.a.pussymagnet.org) <- [laugh]

Lots of cable and DSL lines, easy targets. A few universities and educational sites, easy targets. I haven't notified any of these sites yet, which I probably should have done before sending out the IP addresses, but I want to confirm that I'm not the only one seeing this type of traffic from these sites.

After some searching on the net I found two references to DNS queries coming in on port 1024. I could almost believe that this is legitimate traffic after reading this... if there wasn't so much of it, if not all of the destination servers weren't DNS servers (just one of them is), AND if two other people weren't seeing the same kind of traffic from the same servers being dropped by their firewall.
I was also a bit concerned to find that there is an application called 'NetSpy' which runs on port 1024. This application apparently lets a user remotely monitor what is happening on the system on which it is installed. I could, however, find no evidence that this was installed on the one machine I could get my hands on at the moment. More information can be found about NetSpy at: http://www.5star-shareware.com/Internet/LogAnalyzers/netspy.html

Any ideas, folks?

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchel () kde state ky us
Web http://www.kde.state.ky.us/
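As an added example (not part of Abe's message or of the list archive), the following Python triages firewall drop records for traffic arriving from source port 1024 the way the post describes: it counts per-source volume and separates sources that only ever query port 53 (which could be a resolver that happens to use 1024 as its query source port, as the DNS references Abe found suggest) from sources that hit several unrelated destination ports from the same fixed source port. The log line format and the 192.0.2.x / 198.51.100.x addresses are constructed for the example and are not any firewall product's real syntax.

```python
"""Triage of firewall drop records for traffic arriving from source port 1024.

Added example, not code from the original mailing-list post.  The log format
"proto src_ip:src_port -> dst_ip:dst_port" and the addresses below are
constructed (RFC 5737 documentation ranges), not real firewall output.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample: one resolver-like source, one noisy multi-port source,
# one source using an ordinary ephemeral port, one single-hit source, one junk line.
SAMPLE_LOG = """\
udp 192.0.2.10:1024 -> 198.51.100.53:53
udp 192.0.2.10:1024 -> 198.51.100.53:53
udp 192.0.2.10:1024 -> 198.51.100.53:53
udp 192.0.2.10:1024 -> 198.51.100.53:53
tcp 192.0.2.20:1024 -> 198.51.100.7:80
tcp 192.0.2.20:1024 -> 198.51.100.8:25
udp 192.0.2.20:1024 -> 198.51.100.53:53
tcp 192.0.2.20:1024 -> 198.51.100.9:22
tcp 192.0.2.20:1024 -> 198.51.100.9:22
tcp 192.0.2.20:1024 -> 198.51.100.9:22
udp 192.0.2.30:33105 -> 198.51.100.53:53
tcp 192.0.2.40:1024 -> 198.51.100.7:80
this line is garbage and should be skipped
"""


def parse(lines):
    """Return (proto, src, sport, dst, dport) tuples; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            records.append((d["proto"], d["src"], int(d["sport"]), d["dst"], int(d["dport"])))
    return records


def summarize_port1024(records, dns_port=53):
    """Group records whose *source* port is 1024 by source IP and classify each source.

    A source that only ever talks to dns_port from port 1024 looks like a resolver
    using 1024 as its query source port ("dns-only").  A source that reaches several
    unrelated destination ports from the same fixed source port is the pattern the
    post describes and is marked "suspicious" for follow-up with the owning site.
    """
    by_src = defaultdict(lambda: {"count": 0, "dst_ports": set()})
    for _proto, src, sport, _dst, dport in records:
        if sport != 1024:
            continue
        by_src[src]["count"] += 1
        by_src[src]["dst_ports"].add(dport)

    summary = {}
    for src, e in by_src.items():
        verdict = "dns-only" if e["dst_ports"] == {dns_port} else "suspicious"
        summary[src] = {
            "count": e["count"],
            "dst_ports": sorted(e["dst_ports"]),
            "verdict": verdict,
        }
    return summary


def ranked(summary):
    """Source addresses ordered by volume, busiest first."""
    return sorted(summary, key=lambda s: summary[s]["count"], reverse=True)


if __name__ == "__main__":
    report = summarize_port1024(parse(SAMPLE_LOG.splitlines()))
    for src in ranked(report):
        e = report[src]
        print(f"{src:16} {e['count']:4}  dst_ports={e['dst_ports']}  {e['verdict']}")
```

Sources that never use source port 1024 are left out of the summary entirely, so the output is only the subset worth comparing against the list in the post; the "dns-only" verdict is a reason to look for a resolver at that address before treating it as hostile, not proof that the traffic is benign.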