[Dshield] Log ID and Template question...

Tom Geairn TGeairn at unxpres.com
Mon Jul 23 16:30:46 GMT 2001


In addition to IRC, the MS Exchange Chat client uses 6667 on the client end.
Possibly Chat clients trying to connect to your ip 206.126.3.14.  

A quick review of the ip's you listed shows that two of them are running irc
servers and one is acting like an irc client (or an mschat client, can't
tell).  

Since most of these addresses have junk SOA records (for instance,
129.250.240.197 is in a block of addresses used by mdsog.net...
RP=root at register.com, good luck getting to them), if the traffic is becoming
a problem, you can *try* to get your ISP to block 6667 traffic on their end.
My ISP (Intermedia) has been very cooperative in setting filters on their
end of my poor frame-relay pipes.

-tom geairn


-----Original Message-----
From: Dan Stetser [mailto:dan at pacinternet.com]
Sent: Sunday, July 22, 2001 5:04 PM
To: dshield at dshield.org
Subject: [Dshield] Log ID and Template question...


Does anyone recognize what these ip's are trying to do w/ my server?

Jul 22 09:04:44 pohakea kernel: Packet log: input REJECT eth0 PROTO=6 129.250.240.197:6667 206.126.3.14:62539 L=40 S=0x00 I=19378 F=0x4000 T=54
Jul 22 09:27:35 pohakea kernel: Packet log: input REJECT eth0 PROTO=6 194.47.161.38:6667 206.126.3.14:62711 L=40 S=0x00 I=19059 F=0x4000 T=37
Jul 22 09:12:33 pohakea kernel: Packet log: input REJECT eth0 PROTO=6 195.159.0.91:6667 206.126.3.14:62623 L=40 S=0x00 I=22974 F=0x4000 T=43
Jul 22 09:21:51 pohakea kernel: Packet log: input REJECT eth0 PROTO=6 207.96.122.252:6667 206.126.3.14:62640 L=44 S=0x00 I=65459 F=0x4000 T=43
Jul 22 09:03:13 pohakea kernel: Packet log: input REJECT eth0 PROTO=6 209.116.7.98:6667 206.126.3.14:62537 L=40 S=0x00 I=20764 F=0x4000 T=48
Jul 22 09:37:25 pohakea kernel: Packet log: input REJECT eth0 PROTO=6 65.161.40.142:6667 206.126.3.14:62726 L=48 S=0x00 I=0 F=0x4000 T=45

I'm not involved w/IRC clients or servers so don't know what's causing this 
traffic?

I'm getting fed up w/ the dozen or so IP's that continue this barrage....

Does anyone know of any abuse templates I could tweak to forward
to the RP's involved?

Thanks
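
Added example (not part of either message above): a short Python parser for the quoted packet-log lines that rejoins mail-wrapped records and summarises, per source address, the packets arriving from port 6667, which is the evidence an abuse report to an RP would need. It assumes the usual ipchains field meanings (L=length, S=TOS, I=IP ID, F=fragment flags, T=TTL); the function names are illustrative.

```python
import re

# Records copied from the quoted message, with the mail-client line wrap.
SAMPLE = """\
Jul 22 09:04:44 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
129.250.240.197:6667 206.126.3.14:62539 L=40 S=0x00 I=19378 F=0x4000 T=54
Jul 22 09:27:35 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
194.47.161.38:6667 206.126.3.14:62711 L=40 S=0x00 I=19059 F=0x4000 T=37
Jul 22 09:37:25 pohakea kernel: Packet log: input REJECT eth0 PROTO=6
65.161.40.142:6667 206.126.3.14:62726 L=48 S=0x00 I=0 F=0x4000 T=45
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
RECORD = re.compile(
    r"^(?P<when>\w{3} [ \d]\d [\d:]{8}) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)")

def unwrap(text):
    """Rejoin wrapped records: a line without a syslog timestamp
    continues the previous record."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text, service_port=6667):
    """Per-source summary of packets whose SOURCE port is service_port."""
    by_src = {}
    for rec in unwrap(text):
        m = RECORD.match(rec)  # records without src:port pairs are skipped
        if not m or int(m["sport"]) != service_port:
            continue
        e = by_src.setdefault(m["src"], {"count": 0, "first": m["when"], "dports": []})
        e["count"] += 1
        e["last"] = m["when"]
        e["dports"].append(int(m["dport"]))
        e["df"] = bool(int(m["frag"], 16) & 0x4000)  # 0x4000 = Don't Fragment
    return by_src

if __name__ == "__main__":
    for src, e in summarize(SAMPLE).items():
        print(src, e["count"], e["first"], e["last"], e["dports"], "DF" if e["df"] else "")
```
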
