[Dshield] Blaster, or AOL strangeness...

Jeff Kell jeff-kell at utc.edu
Tue Oct 7 19:31:24 GMT 2003


Since applying filters to port 4444 (Blaster), some unusual entries have 
shown up.  Local machines are trying to connect to <host>.websys.aol.com 
on port 4444.  What's up with this?

Examples (munged to RFC1918 space):
> Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet
> Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 1 packet
> Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 1 packet
> Oct  7 13:40:17.038 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 205.188.134.233(4444), 1 packet
> Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 2 packets
> Oct  7 13:43:03.833 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 2 packets
> Oct  7 13:43:06.021 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 2 packets
> Oct  7 13:43:10.833 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 205.188.134.233(4444), 1 packet
> Oct  7 13:43:14.113 EDT: list dorm-in denied tcp 172.18.57.70(4022) -> 205.188.134.233(4444), 1 packet
> Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 1 packet
> Oct  7 13:54:34.911 EDT: list dorm-in denied tcp 172.18.121.247(1727) -> 205.188.134.237(4444), 1 packet
> Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 2 packets
> Oct  7 14:15:54.324 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 205.188.134.234(4444), 1 packet
> Oct  7 14:16:19.768 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 205.188.134.234(4444), 1 packet
> Oct  7 14:20:54.913 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 205.188.134.234(4444), 2 packets
> Oct  7 14:21:54.918 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 205.188.134.234(4444), 2 packets
> Oct  7 15:10:55.944 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 205.188.134.234(4444), 1 packet
> Oct  7 15:12:10.793 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 205.188.134.234(4444), 1 packet
> Oct  7 15:12:26.773 EDT: list dorm-in denied tcp 172.18.17.116(50273) -> 205.188.134.234(4444), 1 packet
> Oct  7 15:16:55.195 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 205.188.134.234(4444), 8 packets
> Oct  7 15:17:55.199 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 205.188.134.234(4444), 4 packets

> Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) -> 205.188.134.237(4444), 1 packet
> Oct  7 14:39:33.046 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 205.188.134.237(4444), 1 packet
> Oct  7 14:39:55.254 EDT: list stop-sql denied tcp 172.16.89.50(1141) -> 205.188.134.235(4444), 1 packet
> Oct  7 14:45:12.234 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 205.188.134.237(4444), 2 packets

> [jeff at netsyslog jeff]$ host 205.188.134.233
> 233.134.188.205.in-addr.arpa domain name pointer ht-s11.websys.aol.com.
> [jeff at netsyslog jeff]$ host 205.188.134.234
> 234.134.188.205.in-addr.arpa domain name pointer ht-s12.websys.aol.com.
> [jeff at netsyslog jeff]$ host 205.188.134.235
> 235.134.188.205.in-addr.arpa domain name pointer ht-s13.websys.aol.com.
> [jeff at netsyslog jeff]$ host 205.188.134.237
> 237.134.188.205.in-addr.arpa domain name pointer ht-s15.websys.aol.com.

Jeff
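As an added example (not code from Jeff's post or from the DShield list), the script below parses ACL deny lines in the format quoted above, groups them per source host, and separates two patterns that are worth telling apart before reacting to a 4444 hit: a source retrying the same handful of fixed hosts (the same source port reappearing with a higher count is an unanswered SYN being retransmitted, which is what the log above shows) versus a source opening 4444 to many distinct addresses, the spray pattern one would expect from a worm-infected host. The sample log is constructed (a few lines copied from the post, plus a made-up spraying source and a non-4444 line), the PTR table is a constructed stand-in for a live reverse lookup, and the threshold of five distinct destinations is an assumption.

```python
"""Summarise ACL deny logs for TCP/4444 by source host.

Added example; not code from the original post. The ACL log lines are
constructed in the format the post shows, and the PTR table is a constructed
stand-in for a live reverse-DNS lookup so the script runs offline.
"""
import re
from collections import defaultdict

# Cisco-style "list <acl> denied tcp a.b.c.d(sport) -> w.x.y.z(dport), N packet(s)"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+ \w+: list (?P<acl>\S+) denied "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

# Constructed PTR table mirroring the host(1) output in the post.
PTR = {
    "205.188.134.233": "ht-s11.websys.aol.com",
    "205.188.134.234": "ht-s12.websys.aol.com",
    "205.188.134.235": "ht-s13.websys.aol.com",
    "205.188.134.237": "ht-s15.websys.aol.com",
}

# Constructed sample: four lines from the post, one made-up source that
# sprays six addresses on 4444, and one unrelated port-25 deny.
SAMPLE_LOG = """\
Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet
Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 1 packet
Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 2 packets
Oct  7 13:43:03.833 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 2 packets
Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) -> 205.188.134.237(4444), 1 packet
Oct  7 14:39:55.254 EDT: list stop-sql denied tcp 172.16.89.50(1141) -> 205.188.134.235(4444), 1 packet
Oct  7 15:01:00.000 EDT: list dorm-in denied tcp 172.18.99.9(1025) -> 192.0.2.10(4444), 1 packet
Oct  7 15:01:00.100 EDT: list dorm-in denied tcp 172.18.99.9(1026) -> 192.0.2.11(4444), 1 packet
Oct  7 15:01:00.200 EDT: list dorm-in denied tcp 172.18.99.9(1027) -> 192.0.2.12(4444), 1 packet
Oct  7 15:01:00.300 EDT: list dorm-in denied tcp 172.18.99.9(1028) -> 192.0.2.13(4444), 1 packet
Oct  7 15:01:00.400 EDT: list dorm-in denied tcp 172.18.99.9(1029) -> 192.0.2.14(4444), 1 packet
Oct  7 15:01:00.500 EDT: list dorm-in denied tcp 172.18.99.9(1030) -> 192.0.2.15(4444), 1 packet
Oct  7 15:02:00.000 EDT: list dorm-in denied tcp 172.18.5.5(2000) -> 198.51.100.7(25), 1 packet
"""

SCAN_DISTINCT_DSTS = 5  # assumed threshold: this many distinct targets looks like scanning


def parse(log_text):
    """Yield one dict per line matching the ACL log format; skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip().lstrip("> "))  # tolerate '>'-quoted lines
        if m:
            d = m.groupdict()
            d["sport"], d["dport"], d["count"] = int(d["sport"]), int(d["dport"]), int(d["count"])
            yield d


def summarize(log_text, dport=4444, ptr=PTR):
    """Per-source summary of denied TCP connections to dport.

    A (src, sport, dst) triple logged more than once is the same unanswered
    connection being retried (SYN retransmit), not a new connection.
    """
    flows = defaultdict(lambda: defaultdict(int))  # src -> (sport, dst) -> times logged
    for e in parse(log_text):
        if e["proto"] != "tcp" or e["dport"] != dport:
            continue
        flows[e["src"]][(e["sport"], e["dst"])] += 1

    summary = {}
    for src, by_flow in flows.items():
        dsts = {dst for (_, dst) in by_flow}
        retrans = sum(n - 1 for n in by_flow.values())
        if len(dsts) >= SCAN_DISTINCT_DSTS:
            verdict = "scan-like: many distinct targets on %d" % dport
        elif retrans:
            verdict = "retrying a few fixed hosts"
        else:
            verdict = "single attempts to a few hosts"
        summary[src] = {
            "dsts": dsts,
            "names": {ptr.get(d, "(no PTR)") for d in dsts},
            "flows": len(by_flow),
            "retransmits": retrans,
            "verdict": verdict,
        }
    return summary


if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE_LOG).items()):
        print(src, s["verdict"], sorted(s["names"]),
              "flows=%d retrans=%d" % (s["flows"], s["retransmits"]))
```

In live use, replace the PTR dict with a small cache around socket.gethostbyaddr(ip)[0]; the sources in the post all come out as "retrying a few fixed hosts", which is the signature of an application trying to reach a service that the new filter now blocks, not of a host hunting for other machines to infect.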
