Re: Surge of attacks on ports 61127 & 61134
From: Joseph (joseph@netSecureLabs.CA)
Date: 07/26/02
Date: Thu, 25 Jul 2002 18:05:33 -0400 (EDT)
From: Joseph <joseph@netSecureLabs.CA>
To: H C <keydet89@yahoo.com>

Good point. No, I can't say it's an attack. You are correct, in that I
assume an attack. Normally every morning, I simply review my log(s),
tripwire, snort, and so forth. This morning these 2 ports popped up.
I recognized originating domains from top-10 attack lists, so I assumed.

I'll set up a packet capture, and feed back with my findings. I think snort
can do this?

Someone mentioned using Linux as a masquerading firewall system, causing
such a thing. I'll look into that, I find it odd, as I've not noticed this
behavior ever.

All my sources are from "dialups" IPs, that's what I find odd, with a
higher presence from addresses outside North America. So in my mind, I
ruled out standard traffic.

Sorry about the panic. Let me get more info.

On Thu, 25 Jul 2002, H C wrote:
> Joseph,
>
> How do you know that these are attacks? Did you
> capture the contents of the datagrams? Have you found
> anything listening on those ports on the destination
> IPs?
>
>
> --- Joseph <joseph@netSecureLabs.CA> wrote:
> >
> > This morning my logs showed me a surge of new UDP
> > packet attacks, mainly
> > to ports 61127 & 61134 . I can't find any info on
> > this, so I'm wondering
> > what it can be.
> >
> > It seems very well known, if I can say, because
> > source IPs are from
> > everywhere, I must have gotten a good 50-80 probes.
> >
> > I see a lot of different *dip.t-dialin.net origin
> > sources, which
> > *dip.t-dialin.net seems to make the top 10 attack
> > list at dshield and
> > incidents' website.
> >
> > Curious, new virus? or attack tool?
> >
> > I don't have a log of the packet, just its denial
> > attempt. Normally, all
> > my attacks are standard stuff, this pops out like
> > really new...
> >
> ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS
> > analyzer service.
> > For more information on this free incident handling,
> > management
> > and tracking system please see:
> > http://aris.securityfocus.com
> >