Security Incidents mailing list archives
Re: Surge of attacks on ports 61127 & 61134
From: Joseph <joseph () netSecureLabs CA>
Date: Thu, 25 Jul 2002 18:05:33 -0400 (EDT)
Good point. No, I can't say it's an attack. You are correct, in that I assume an attack. Normally every morning, I simply review my log(s), tripwire, snort, and so forth. This morning these 2 ports popped up. I recognized originating domains from top-10 attack lists, so I assumed.

I'll set up a packet capture, and feed back with my findings. I think snort can do this? Someone mentioned using Linux as a masquerading firewall system, causing such a thing. I'll look into that; I find it odd, as I've not noticed this behavior ever.

All my sources are from "dialup" IPs, that's what I find odd, with a higher presence from addresses outside North America. So in my mind, I ruled out standard traffic.

Sorry about the panic. Let me get more info.

On Thu, 25 Jul 2002, H C wrote:
Joseph,

How do you know that these are attacks? Did you capture the contents of the datagrams? Have you found anything listening on those ports on the destination IPs?

--- Joseph <joseph () netSecureLabs CA> wrote:

This morning my logs showed me a surge of new UDP packet attacks, mainly to ports 61127 & 61134. I can't find any info on this, so I'm wondering what it can be. It seems very well known, if I can say, because source IPs are from everywhere; I must have gotten a good 50-80 probes. I see a lot of different *dip.t-dialin.net origin sources, and *dip.t-dialin.net seems to make the top 10 attack list at dshield and incidents' website.

Curious, new virus? Or attack tool? I don't have a log of the packet, just its denial attempt. Normally, all my attacks are standard stuff; this pops out like really new...

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com