[Dshield] 1214 (Kazaa) multiple hits & 80 as well

Ed Truitt ed.truitt at etee2k.net
Fri Jun 21 11:35:52 GMT 2002


Does your ISP supply dynamic (DHCP) addresses, or static?  If the former, it
may explain (partially) your getting hit with the KaZaA probes - this is
quite common on dynamically-allocated IPs.

As far as the port 80 probes, again if the addresses are assigned
dynamically, then it is quite possible for the same attacker to have
different IPs.  At least one of the DSL providers has been known to change
IPs while the machines are connected (I don't know *how* they accomplish it,
though.)

Regards,
-EdT.

----- Original Message -----
From: Mercy
To: DS mailing list
Sent: Thursday, June 20, 2002 5:40 PM
Subject: [Dshield] 1214 (Kazaa) multiple hits & 80 as well


I know that port 1214 is a Kazaa port.  But, this same IP address has been
hiting me on that port for 2 days now!  This is just from today, from the
last time I sent my log in.

Funny thing is, I don't run Kazaa or any other File Sharing utilities.  Just
wonder what he's up to?

[snip]

Then..... This guy keeps scanning port 80.  The IP is very close to mine.
Notice that the attacker's ip changes from 165.247.115.148 to 165.247.88.159
and other 165.247.xx.xxx variations.  DO you think it is the same person?

[snip]

What do you guys think?

Mercy


Mercy




More information about the list mailing list