[Dshield] Please help

Keith Smith keith.smith at keiths-place.com
Tue Oct 30 13:46:49 GMT 2001


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

William,

> For the past 2 weeks it seems that I've been 'under attack'
> by users from my own ISP.
> In the last 7 days alone, I have been targeted 500+ times
> by 24.202.X.X
> 
> [snip]
> 
> As you can see, all of them involve target port 80 (HTTP),
> other ports targeted are : 111, 137, 139, 445
> and for the last few days port 27374 (about 50 times).
> 
> I wrote my ISP (Videotron Ltd) about this last week, but

Well, I wouldn't say 500+ probes is normal for a private user, but I
think it's possible.

Some trojans (most notably Sub7) do scanning on behalf, so the owner
of an infected machine might not be aware that they are scanning
computers around them.  Sub7 also has a preference for scanning
computers on the same subnet (about 50% of the time IIRC).  So I
think that you have a few infected computers near you.

As for the number of probes, well I'm not from Canada, but with a
name like Videotron I'm guessing that it's a cable company and that
you and most of the other people on your subnet have full time
connections to the net.  If that's the case 500 probes in 7 days
doesn't seem too high.

In any case, your ISP has to take some action.


Regards,
Keith.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO96vSb0tREWslyrAEQLQzQCeJ6us6gjoNr5HA3f2ZGMyb4sTCMwAoPiw
00r0sEDHyotRwNuXdiIo3kXm
=TujZ
-----END PGP SIGNATURE-----




More information about the list mailing list