[Dshield] which ports does labrea like?

Ed Truitt ed.truitt at etee2k.net
Sun Mar 17 20:10:52 GMT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Since I put LaBrea up (8 virtual machines), most of the probes have
come to Port 80.  However, I have tarpitted folks coming in to a
variety of ports, as can be seen below:

Target ports
============
24452:    17
  515:    12
  512:     9
   80:  2062
  445:     2
  111:   145
 1524:     3
   53:    12
 8080:     9
 6112:    10
 1080:    27
   22:    30
   21:   185
   23:     9
  139:     2
   25:     1

I am particularly fond of the one that hit port 25 - hopefully, that
sucker was a major spam run - NOT! :^)

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP. 
 Also, if you send me UCE, I reserve the right to post your spew 
on my Web site, with the appropriate color commentary, so that 
others may have a good laugh at your expense."


- ----- Original Message ----- 
From: "Erick Brockway" <ebrockway at earthlink.net>
To: <list at dshield.org>
Cc: <pobox2 at pinn.net>
Sent: Sunday, March 17, 2002 12:01 PM
Subject: RE: [Dshield] which ports does labrea like?


> I was under the impression it listened on port 80, since that's the
> nature of nimda and code red attacks. Every connection I've seen
> was on 80. 

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPJT4SNuunCUC+Qq5EQLnUgCdHiwntClpeqZ/nskQGN0YZeuJILQAoLvw
hLh4gnraBOrHzNlHHrzKiFwD
=AuwA
-----END PGP SIGNATURE-----




More information about the list mailing list