[Dshield] Increased activity

Johannes B. Ullrich jullrich at sans.org
Sun Aug 17 14:47:46 GMT 2003

There is a pronounced increase in port 1026 traffic.
It is expected that popup spammers moved to this port
to bypass port 135 blocks.

On Sun, 2003-08-17 at 09:49, Synergy wrote:
> Hullo - I'm seeing somewhat increased activity here (cox.net, in RI) 
> starting last night, and to a lesser extent on Comcast systems in Kittery 
> ME and Seattle WA.  There are three patterns -- one is scanning from within 
> the local class-B space, but not to port 135, rather a number of ports in 
> the 1000-2000 range.  Here at least these seem to come from remote port 
> 1025.  Second is bursts of scans from port 80 to ports in the 1145-1150 
> range, from IPs that Smartwhois says belong to Akamai.  Third is scans 
> alleging to come from, from port 80 to a number of ports in 
> 1000-2000 range.  There are also a couple of French IPs banging on port 
> 1026...total altogether (here in RI) is maybe 150 or so starting last night.
> regds,
> david
> --
> Synergy <synergx at attglobal.net> - 96 Bolton Ave Suite 2, Providence RI 
> 02908 USA
> 401 274-5827, cell: 401 225-5004, fax: 401 274-4944
SANS - Internet Storm Center
PGP Key: http://isc.sans.org/jullrich.txt
