[Dshield] Port 135 traffic WAY down?

Kenneth Coney superc at visuallink.com
Sat Oct 4 16:36:34 GMT 2003


It's not just you.  I noticed the same thing in my own logs.  I was 
attributing it at first to the netblocks (mentioned a few days ago in 
another thread) I had ruled in, as they were the majority of the probe 
sources I had been receiving, but some of the netblock ranges not ruled 
out by me, which had also been doing lots of 135 probes, have also decreased 
those probes.  However, I am seeing lots of probes in less common ports in 
the 2400 - 2600 range and some in the 4800 range.  Probes to 27374 have 
also increased.  It could mean people are cleaning and patching their 
machines.  Though I suspect something else is behind the change.  I note 
some of the new probes are coming from machines which also show up on 
Dshield as being some of the same machines that launched the 134 and 445 
floods.  It could be that attackers used the original infections as entry 
points for new viruses, or it could mean whoever was behind the first 
exploits has changed something.


Subject: [Dshield] Port 135 traffic WAY down?
From: "Nels Lindquist" <nlindq at maei.ca>
Date: Fri, 03 Oct 2003 10:47:58 -0600
To: list at dshield.org

Is it just me, or has port 135 traffic dropped off significantly
since October 1?  I hadn't read anything about Blaster having a
poison pill, but port 135 hits have dropped by an order of magnitude.

Could be our ISP is finally filtering, but I'm wondering what
everyone else is seeing.  The DShield graph isn't quite fine-grained
enough to tell...

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.






