[Dshield] port scans 32769 to 33718

Johannes B. Ullrich jullrich at sans.org
Fri Dec 26 18:00:21 GMT 2003


>   152.20.240.35|         373   | dcc.uncw.edu
>   137.118.60.88|         373   | dccpub1.neonova.net
>  209.157.153.22|         373   | dcc.meer.net
>   38.144.80.234|         371   | dcc.servercave.com
> 207.195.195.223|         371   | dcc3.sihope.com
>   153.19.44.252|         366   | 

Two hints:
- about half of the hosts you see in this list have a hostname 
  like 'dcc.*'.
- Looking at the reports in detail, it looks like most of them
  use a source port of 6277.

"DCC" is short for "Distributed Checksum Clearinghouse". It's a 
network of servers/clients that compare checksums for email
messages and try to identify spam. They usually connect on port
6277.

Did you install a spam filter recently? It kind of looks
like you connected to one of these systems and are blocking
the response.

The other option is that someone is DDOS'ing them and you are
seeing the backscatter as they happen to use your IP address.





> 
> All the scans are UDP from 32769 through 33718. 
> I have gotten more today. This just started. Up until yesterday I have 
> never seen these scans. I do occasionally get scanned but not this 
> range and from so many different IP addresses during one day. I suspect
>  this must be some organized search. Most likely a worm or trojan. Has 
> no one else seen this during the last couple of days?
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org
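
The triage described in the message above, as an added example that is not part of the original post: group blocked inbound UDP records by source and separate hosts that send from one fixed service port (6277) to high ephemeral ports from hosts that probe assorted ports. The log format, the sample records, the 32768 ephemeral floor and the 0.8 threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of blocked-inbound records: proto,src_ip,src_port,dst_port
SAMPLE_LOG = """\
udp,192.0.2.10,6277,32769
udp,192.0.2.10,6277,32801
udp,192.0.2.10,6277,33102
udp,198.51.100.7,6277,32900
udp,198.51.100.7,6277,33718
udp,203.0.113.5,40112,135
udp,203.0.113.5,40113,137
udp,203.0.113.5,40114,1434
"""

DCC_PORT = 6277        # source port named in the message
EPHEMERAL_MIN = 32768  # assumption: start of the local ephemeral port range


def parse(log_text):
    """Yield (proto, src_ip, src_port, dst_port) from the constructed CSV format."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        proto, src_ip, sport, dport = line.split(",")
        yield proto, src_ip, int(sport), int(dport)


def classify(log_text, service_port=DCC_PORT, threshold=0.8):
    """Label each UDP source 'likely-reply' or 'possible-scan'."""
    per_src = defaultdict(list)
    for proto, src, sport, dport in parse(log_text):
        if proto == "udp":
            per_src[src].append((sport, dport))
    verdicts = {}
    for src, pkts in per_src.items():
        # Reply-shaped packet: sent from the service port to an ephemeral port.
        reply_like = sum(1 for s, d in pkts
                         if s == service_port and d >= EPHEMERAL_MIN)
        ratio = reply_like / len(pkts)
        verdicts[src] = "likely-reply" if ratio >= threshold else "possible-scan"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```

A "likely-reply" verdict fits both explanations given in the message; whether the local host actually sent queries to port 6277 is what separates blocked responses from backscatter.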
