Security Incidents mailing list archives

Re: Surge of attacks on ports 61127 & 61134


From: Joseph <joseph () netSecureLabs CA>
Date: Thu, 25 Jul 2002 18:05:33 -0400 (EDT)


Good point. No, I can't say it's an attack. You are correct, in that I
assume an attack. Normally every morning, I simply review my log(s),
tripwire, snort, and so forth. This morning these 2 ports popped up.

I recognized originating domains from top-10 attack lists, so I assumed.

I'll set up a packet capture, and feed back with my findings. I think snort
can do this?

Someone mentioned using Linux as a masquerading firewall system, causing
such a thing. I'll look into that, I find it odd, as I've not noticed this
behavior ever.

All my sources are from "dialup" IPs, that's what I find odd, with a
higher presence from outside North America addresses. So in my mind, I
ruled out standard traffic.

Sorry about the panic. Let me get more info.

On Thu, 25 Jul 2002, H C wrote:
Joseph,

How do you know that these are attacks?  Did you
capture the contents of the datagrams?  Have you found
anything listening on those ports on the destination
IPs?


--- Joseph <joseph () netSecureLabs CA> wrote:

This morning my logs showed me a surge of new UDP packets attacks, mainly
to ports 61127 & 61134. I can't find any info on this, so I'm wondering
what it can be.

It seems very well known, if I can say, because source IPs are from
everywhere, I must have gotten a good 50-80 probes.

I see a lot of different *dip.t-dialin.net origin sources, which
*dip.t-dialin.net seems to make the top 10 attack list at dshield and
incidents' website.

Curious, new virus? or attack tool?

I don't have a log of the packet, just its denial attempt. Normally, all
my attacks are standard stuff, this pops out like really new...





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS
analyzer service.
For more information on this free incident handling,
management 
and tracking system please see:
http://aris.securityfocus.com


