[Dshield] port scans 32769 to 33718
Johannes B. Ullrich
jullrich at sans.org
Fri Dec 26 18:00:21 GMT 2003
> 18.104.22.168| 373 | dcc.uncw.edu
> 22.214.171.124| 373 | dccpub1.neonova.net
> 126.96.36.199| 373 | dcc.meer.net
> 188.8.131.52| 371 | dcc.servercave.com
> 184.108.40.206| 371 | dcc3.sihope.com
> 220.127.116.11| 366 |
- About half of the hosts you see in this list have a hostname
- Looking at the reports in detail, it looks like most of them
use a source port of 6277.
"DCC" is short for "Distributed Checksum Clearinghouse". It's a
network of servers/clients that compare checksums for email
messages and try to identify spam. They usually connect on port
Did you install a spam filter recently? It kind of looks
like you connected to one of these systems and are blocking
The other option is that someone is DDOS'ing them and you are
seeing the backscatter as they happen to use your IP address.
> All the scans are UDP from 32769 through 33718.
> I have gotten more today. This just started. Up until yesterday I have
> never seen these scans. I do occasionally get scanned but not this
> range and from so many different IP addresses during one day. I suspect
> this must be some organized search. Most likely a worm or trojan. Has
> no one else seen this during the last couple of days?
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 786 1563
fax: (617) 786 1550 jullrich at sans.org
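
Added example, not part of the original message: a triage sketch that separates the pattern described above (UDP from source port 6277 into the 32769-33718 destination range, which points to DCC server replies or backscatter) from sources that vary their source port and deserve review as scans. The log format, the sample lines, the documentation-range addresses and the verdict labels are constructed assumptions.

```python
from collections import defaultdict

DCC_PORT = 6277                   # source port reported in the message
DST_PORTS = range(32769, 33719)   # destination range reported: 32769-33718

# Constructed sample firewall log: "proto src_ip src_port dst_ip dst_port"
SAMPLE_LOG = """\
UDP 192.0.2.10 6277 203.0.113.5 32769
UDP 192.0.2.10 6277 203.0.113.5 32770
UDP 192.0.2.10 6277 203.0.113.5 32801
UDP 192.0.2.44 6277 203.0.113.5 33001
UDP 192.0.2.44 6277 203.0.113.5 33002
UDP 198.51.100.7 40112 203.0.113.5 32769
UDP 198.51.100.7 40113 203.0.113.5 32770
UDP 198.51.100.7 40114 203.0.113.5 32771
TCP 198.51.100.9 6277 203.0.113.5 32800
not a log line
"""

def parse(line):
    """Return (proto, src, sport, dst, dport) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not (parts[2].isdigit() and parts[4].isdigit()):
        return None
    proto, src, sport, dst, dport = parts
    return proto.upper(), src, int(sport), dst, int(dport)

def classify(log_text, min_hits=2):
    """Group blocked UDP packets into the reported range by source address."""
    sports_by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        proto, src, sport, _dst, dport = rec
        if proto == "UDP" and dport in DST_PORTS:
            sports_by_src[src].append(sport)
    verdicts = {}
    for src, sports in sports_by_src.items():
        if len(sports) < min_hits:
            verdicts[src] = "too-few-packets"
        elif all(p == DCC_PORT for p in sports):
            # Fixed service port as the source: reply traffic, not a probe.
            verdicts[src] = "dcc-reply-or-backscatter"
        else:
            verdicts[src] = "review-as-scan"
    return verdicts
```

A fixed source port of 6277 does not distinguish replies to a local DCC client from backscatter; checking whether the local host sent UDP to port 6277 on those servers settles which of the two it is.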