[Dshield] Re: list Digest, Vol 12, Issue 34

Barton L. Phillips admin at bartonphillips.com
Sun Dec 28 02:10:37 GMT 2003


You got it. I have DCC and others. I restarted my Linux box after a 
kernel update and forgot I hadn't saved the ipchains info. I had added 
the DCC (etc) so they could get through my firewall.

Thanks for the heads up. I would have been scratching my head for quite 
a while on this one.

>
> ------------------------------------------------------------------------
>
> Subject: Re: [Dshield] port scans 32769 to 33718
> From: "Johannes B. Ullrich" <jullrich at sans.org>
> Date: Fri, 26 Dec 2003 13:00:21 -0500
> To: General DShield Discussion List <list at dshield.org>
>
>>  152.20.240.35|         373   | dcc.uncw.edu
>>  137.118.60.88|         373   | dccpub1.neonova.net
>> 209.157.153.22|         373   | dcc.meer.net
>>  38.144.80.234|         371   | dcc.servercave.com
>>207.195.195.223|         371   | dcc3.sihope.com
>>  153.19.44.252|         366   | 
>>    
>>
>
>Two hints:
>- about half of the hosts you see in this list have a hostname 
>  like 'dcc.*'.
>- Looking at the reports in detail, it looks like most of them
>  use a source port of 6277.
>
>"DCC" is short for "Distributed Checksum Clearinghouse". It's a 
>network of servers/clients that compare checksums for email
>messages and try to identify spam. They usually connect on port
>6277.
>
>Did you install a spam filter recently? It kind of looks
>like you connected to one of these systems and are blocking
>the response.
>
>The other option is that someone is DDOS'ing them and you are
>seeing the backscatter as they happen to use your IP address.
>
>>All the scans are UDP from 32769 through 33718. 
>>I have gotten more today. This just started. Up until yesterday I have 
>>never seen these scans. I do occasionally get scanned but not this 
>>range and from so many different IP addresses during one day. I suspect
>> this must be some organized search. Most likely a worm or trojan. Has 
>>no one else seen this during the last couple of days?
>>    
>>
-- 
----------------
Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com
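
An added example, not part of the original thread: a triage sketch that applies the two hints above to denied-packet logs, separating dropped UDP packets that look like replies from one service port (many sources, one shared source port, high destination ports) from everything else. The log lines are constructed and modeled on the ipchains "Packet log:" format; the local address 192.0.2.10, the host 198.51.100.7 and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, modeled on the ipchains "Packet log:" format.
# The four dcc source addresses and port 6277 come from the thread; the local
# address 192.0.2.10, the host 198.51.100.7 and all other fields are made up.
SAMPLE_LOG = """\
Packet log: input DENY eth0 PROTO=17 152.20.240.35:6277 192.0.2.10:32769 L=68 S=0x00 I=0 F=0x4000 T=50 (#9)
Packet log: input DENY eth0 PROTO=17 137.118.60.88:6277 192.0.2.10:32770 L=68 S=0x00 I=0 F=0x4000 T=49 (#9)
Packet log: input DENY eth0 PROTO=17 209.157.153.22:6277 192.0.2.10:32801 L=68 S=0x00 I=0 F=0x4000 T=51 (#9)
Packet log: input DENY eth0 PROTO=17 38.144.80.234:6277 192.0.2.10:33718 L=68 S=0x00 I=0 F=0x4000 T=48 (#9)
Packet log: input DENY eth0 PROTO=17 198.51.100.7:40112 192.0.2.10:137 L=78 S=0x00 I=0 F=0x0000 T=110 (#9)
Packet log: input DENY eth0 PROTO=17 198.51.100.7:40113 192.0.2.10:1434 L=404 S=0x00 I=0 F=0x0000 T=110 (#9)
Packet log: input DENY eth0 PROTO=6 198.51.100.7:51000 192.0.2.10:23 L=60 S=0x00 I=0 F=0x4000 T=110 (#9)
"""

LINE_RE = re.compile(
    r"Packet log: \S+ (?:DENY|REJECT) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")


def classify(log_text, min_sources=3, high_port=1024):
    """Group denied UDP packets by source port and label each group.

    "reply": several distinct hosts send from the same source port to high
    local ports, the pattern of answers from one service being dropped.
    "unexplained": anything else; still needs a human look.
    min_sources and high_port are illustrative thresholds, not fixed rules.
    """
    groups = defaultdict(lambda: {"sources": set(), "dports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("proto") != "17":  # IP protocol 17 is UDP
            continue
        g = groups[int(m.group("sport"))]
        g["sources"].add(m.group("src"))
        g["dports"].add(int(m.group("dport")))
    verdicts = {}
    for sport, g in groups.items():
        looks_like_replies = (len(g["sources"]) >= min_sources
                              and min(g["dports"]) >= high_port)
        verdicts[sport] = "reply" if looks_like_replies else "unexplained"
    return verdicts


if __name__ == "__main__":
    for sport, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"udp source port {sport}: {verdict}")
```

A "reply" verdict is a prompt to check which local client talks to that port and whether its allow rule survived the last reboot; it does not rule out the backscatter case mentioned in the quoted reply.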




