[Dshield] Port 135 traffic WAY down?
superc at visuallink.com
Sat Oct 4 16:36:34 GMT 2003
It's not just you. I noticed the same thing in my own logs. I was
attributing it at first to the netblocks (mentioned a few days ago in
another thread) I had ruled in, as they were the majority of the probe
sources I had been receiving, but some of the netblock ranges not ruled
out by me, which had also been doing lots of 135 probes, have also decreased
those probes. However, I am seeing lots of probes in less common ports in
the 2400 - 2600 range and some in the 4800 range. Probes to 27374 have
also increased. It could mean people are cleaning and patching their
machines, though I suspect something else is behind the change. I note
some of the new probes are coming from machines which also show up on
Dshield as being some of the same machines that launched the 134 and 445
floods. It could be that attackers used the original infections as entry
points for new viruses, or it could mean whoever was behind the first
exploits has changed something.
Subject: [Dshield] Port 135 traffic WAY down?
From: "Nels Lindquist" <nlindq at maei.ca>
Date: Fri, 03 Oct 2003 10:47:58 -0600
To: list at dshield.org
Is it just me, or has port 135 traffic dropped off significantly
since October 1? I hadn't read anything about Blaster having a
poison pill, but port 135 hits have dropped by an order of magnitude.
Could be our ISP is finally filtering, but I'm wondering what
everyone else is seeing. The DShield graph isn't quite fine-grained
enough to tell...
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.