[Dshield] Increased activity

Johannes B. Ullrich jullrich at sans.org
Sun Aug 17 14:47:46 GMT 2003


This message was converted from multipart/signed to ascii armored
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is a pronounced increase in port 1026 traffic.
It is expected that popup spammers moved to this port
to bypass port 135 blocks.

On Sun, 2003-08-17 at 09:49, Synergy wrote:
> Hullo - I'm seeing somewhat increased activity here (cox.net, in RI) 
> starting last night, and to a lesser extent on Comcast systems in Kittery 
> ME and Seattle WA.  There are three patterns -- one is scanning from within 
> the local class-B space, but not to port 135, rather a number of ports in 
> the 1000-2000 range.  Here at least these seem to come from remote port 
> 1025.  Second is bursts of scans from port 80 to ports in the 1145-1150 
> range, from IPs that Smartwhois says belong to Akamai.  Third is scans 
> alleging to come from 127.0.0.1, from port 80 to a number of ports in 
> 1000-2000 range.  There are also a couple of French IPs banging on port 
> 1026...total altogether (here in RI) is maybe 150 or so starting last night.
> 
> regds,
> david
> 
> --
> Synergy <synergx at attglobal.net> - 96 Bolton Ave Suite 2, Providence RI 
> 02908 USA
> 401 274-5827, cell: 401 225-5004, fax: 401 274-4944
-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA/P5WQR1p7hYJvB/wRAnS2AJ0fFrl5fcadD1rEL1ZPpnXhFPrxaACgsT4A
H0GikFjnHYvXjhXbDMHvcp8Um
-----END PGP SIGNATURE-----
