[Dshield] Scans on port 3659?

Andre Costa brblueser at uol.com.br
Sun Nov 10 17:04:40 GMT 2002


Hi Ed,

usually, I get the same IP (200.255.184.111), but sometimes DHCP assigns
me a different one (right now it is 200.255.184.241). So, to make a long
story short, yes, it is dynamic.

This (using the IP of a former game server) would indeed be a reasonable
explanation for all this probing. I will try rejecting these connections
with tcp-reset to see what happens.

... or maybe I won't: it's been almost two days already port 3659
remains calm on my machine. Maybe whatever was happening ended, for some
reason (maybe dsl.telesp.net.br admin read my msg and took same action).
I will keep my eyes opened, though.

Thks again for the insights.

Best,

Andre

On Sun, 10 Nov 2002 07:01:06 -0600
"Ed Truitt" <ed.truitt at etee2k.net> wrote:

> It might.  Just curious, are you on a dynamic IP address, or a static
> one? Quite often, we find here that if you are on a dynamic IP, when
> your address changes you start getting "probed" by machines trying to
> re-connect to services (P2P, games, etc.) provided by the previous
> holder of the IP.  No malicious hacktivity, no sneaky attacks, just
> good old cruft...
> 
> Cheers,
> Ed Truitt
> PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
> http://www.etee2k.net
> http://www.bsatroop148.org
> 
> "Note to spammers:  my 'delete' key is connected to YOUR ISP.
>  Also, if you send me UCE, I reserve the right to post your spew
> on my Web site, with the appropriate color commentary, so that
> others may have a good laugh at your expense."
> 
> ----- Original Message -----
> From: "Andre Costa" <brblueser at uol.com.br>
> To: <list at dshield.org>
> Sent: Saturday, November 09, 2002 10:39 AM
> Subject: Re: [Dshield] Scans on port 3659?
> 
> 
> > Ahhh... "live and learn" ;) Sorry for the paranoia... those
> > networking classes took place too long ago, think I'd better review
> > a few concepts;)
> >
> > I had done a reverse lookup on the IP which linked it to this
> > dsl.telesp.net.br. I even tried to contact them asking for
> > explanations, but am still waiting for a reply.
> >
> > Regarding the connections attempts, would it help if instead of
> > dropping the requests I reject them with tcp-reset?
> >
> > Thks again for the help,
> >
> > Andre

-- 
Andre Oliveira da Costa




More information about the list mailing list