[Dshield] Re: intrusion attempts

Kenneth Coney superc at visuallink.com
Mon Aug 18 18:17:01 GMT 2003


He is not alone.  I blocked my RPC ports over a year or two ago (back when
there was an issue with MS Instant Messenger qm and Lexmark started adding
RPC calls to their printer installation in anticipation of the new XP), and
I am fully patched.  I have been experiencing about 14 attempts a day to
connect to my machine on port 17300 and 1433 TCP and 1434 UDP since
Thursday.  All from different IPs.  Two so persistent (3 tries in 48 hr.)
I just went ahead and created a rule to perm. block the IP (I have no idea
who they resolve to, and don't much care as I classify an uninvited
connection as not friendly).  Like most here, I am getting too many port
135 attempts to count (all blocked).  I also get the backdoor trojan
blocked alerts.  (Interestingly enough those normally don't show up in the
Norton Internet Security Firewall log, although they do show up in the
Alert log.)  Like IMC, I am dial up.  I have an updated TDS and scans show
nothing, likewise Norton AV (up to date) shows nothing.  Even AdAware shows
nothing.  The DShield list of dangerous ports is clearly not complete.
There is more going on than just a worm that attacks 135.  My question is:
does a variant of that worm attempt to exploit the buffer overflow
vulnerability in 17300, or is that something else sliding under our radar?


Subject:
Re: [Dshield] intrusion attempts
From:
David Hart <DavidHart at TQMcube.com>
Date:
Sun, 17 Aug 2003 16:54:59 -0400
To:
General DShield Discussion List <list at dshield.org>

On Sun, 2003-08-17 at 15:38, lmc wrote:

>> New here.  Don't know if this is appropriate for this list but I don't
>> know where to turn.  If inappropriate here I apologize and ask if someone
>> could please refer me to somewhere that is appropriate?
>>
>> I'm a home user, XP Pro, NIS 2002 firewall and NAV.  Keep firewall and
>> AV updated automatically and installed the MS patch in late July that
>> protects me from the latest security hole that has caused so many problems
>> this week.  I've run firewall checks this morning at Norton and at Sygate
>> and all turn out great.  I've scanned for virus with current definitions
>> from Symantec.  Everything looks great.
>>
>> Here's my problem:
>>

Particularly with a dial-up connection I suspect that you might have a trojan.

Have you tried running Spybot Search & Destroy (Google for an URL)?

BTW, this IS the right list for these issues.
-- 
Total Quality Management - A Commitment to Excellence
Email acceptance policy: http://www.TQMcube.com/email_policy.html