[Dshield] Blaster, or AOL strangeness...

john beck jbeck80 at hotmail.com
Tue Oct 7 20:10:55 GMT 2003


You might check those systems for malware, etc. I checked, and one of the IP 
addresses is listed in spam block lists; you can check them out at 
http://www.dnsstuff.com/tools/ip4r.ch?ip=205.188.134.233 (you can see I 
checked one of the IPs).

John


>Since applying filters to port 4444 (Blaster), some unusual entries have 
>shown up.  Local machines are trying to connect to <host>.websys.aol.com on 
>port 4444.  What's up with this?
>
>Examples (munged to RFC1918 space):
>>Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:40:17.038 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 
>>205.188.134.233(4444), 2 packets
>>Oct  7 13:43:03.833 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 
>>205.188.134.233(4444), 2 packets
>>Oct  7 13:43:06.021 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 
>>205.188.134.233(4444), 2 packets
>>Oct  7 13:43:10.833 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:43:14.113 EDT: list dorm-in denied tcp 172.18.57.70(4022) -> 
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 
>>205.188.134.237(4444), 1 packet
>>Oct  7 13:54:34.911 EDT: list dorm-in denied tcp 172.18.121.247(1727) -> 
>>205.188.134.237(4444), 1 packet
>>Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 
>>205.188.134.237(4444), 2 packets
>>Oct  7 14:15:54.324 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 
>>205.188.134.234(4444), 1 packet
>>Oct  7 14:16:19.768 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 
>>205.188.134.234(4444), 1 packet
>>Oct  7 14:20:54.913 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 
>>205.188.134.234(4444), 2 packets
>>Oct  7 14:21:54.918 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 
>>205.188.134.234(4444), 2 packets
>>Oct  7 15:10:55.944 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 
>>205.188.134.234(4444), 1 packet
>>Oct  7 15:12:10.793 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 
>>205.188.134.234(4444), 1 packet
>>Oct  7 15:12:26.773 EDT: list dorm-in denied tcp 172.18.17.116(50273) -> 
>>205.188.134.234(4444), 1 packet
>>Oct  7 15:16:55.195 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 
>>205.188.134.234(4444), 8 packets
>>Oct  7 15:17:55.199 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 
>>205.188.134.234(4444), 4 packets
>
>>Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) -> 
>>205.188.134.237(4444), 1 packet
>>Oct  7 14:39:33.046 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 
>>205.188.134.237(4444), 1 packet
>>Oct  7 14:39:55.254 EDT: list stop-sql denied tcp 172.16.89.50(1141) -> 
>>205.188.134.235(4444), 1 packet
>>Oct  7 14:45:12.234 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 
>>205.188.134.237(4444), 2 packets
>
>>[jeff at netsyslog jeff]$ host 205.188.134.233
>>233.134.188.205.in-addr.arpa domain name pointer ht-s11.websys.aol.com.
>>[jeff at netsyslog jeff]$ host 205.188.134.234
>>234.134.188.205.in-addr.arpa domain name pointer ht-s12.websys.aol.com.
>>[jeff at netsyslog jeff]$ host 205.188.134.235
>>235.134.188.205.in-addr.arpa domain name pointer ht-s13.websys.aol.com.
>>[jeff at netsyslog jeff]$ host 205.188.134.237
>>237.134.188.205.in-addr.arpa domain name pointer ht-s15.websys.aol.com.
>
>Jeff
>
>

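A triage helper for the router log quoted in this thread, added here as an example (not code from either poster): it rejoins the mail-wrapped, '>'-quoted ACL deny entries and groups denied connections to port 4444 by internal source address, so the hosts worth checking for malware come out first. The function names are assumptions of this example, and the last sample entry (port 135) is constructed.

```python
import re
from collections import defaultdict

# Excerpt of the quoted router log above, still mail-wrapped and '>'-quoted.
# The final entry (port 135) is constructed to show the port filter.
SAMPLE = """\
>>Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) ->
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) ->
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) ->
>>205.188.134.233(4444), 2 packets
>>Oct  7 14:39:33.046 EDT: list stop-sql denied tcp 172.16.89.50(1136) ->
>>205.188.134.237(4444), 1 packet
>>Oct  7 14:39:55.254 EDT: list stop-sql denied tcp 172.16.89.50(1141) ->
>>205.188.134.235(4444), 1 packet
>>Oct  7 14:50:00.000 EDT: list dorm-in denied tcp 172.18.9.9(2000) ->
>>192.0.2.10(135), 3 packets
"""

ENTRY = re.compile(
    r"list (?P<acl>\S+) denied tcp (?P<src>[\d.]+)\((?P<sport>\d+)\) ->\s+"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

def summarize(text, port=4444):
    """Group denied connections to `port` by internal source address."""
    # Drop quote markers and rejoin entries that were wrapped after '->'.
    flat = " ".join(line.lstrip(">").strip() for line in text.splitlines())
    hosts = defaultdict(lambda: {"acls": set(), "dsts": set(), "sports": set(), "packets": 0})
    for m in ENTRY.finditer(flat):
        if int(m["dport"]) != port:
            continue
        h = hosts[m["src"]]
        h["acls"].add(m["acl"])
        h["dsts"].add(m["dst"])
        h["sports"].add(int(m["sport"]))  # one source port ~ one connection attempt
        h["packets"] += int(m["pkts"])    # repeat entries for a flow add their counts
    return dict(hosts)

def hosts_to_check(text, port=4444):
    """Source addresses ordered by denied packets, most active first."""
    summary = summarize(text, port)
    return sorted(summary, key=lambda s: (-summary[s]["packets"], s))

if __name__ == "__main__":
    for src, h in summarize(SAMPLE).items():
        print(src, sorted(h["acls"]), sorted(h["dsts"]), len(h["sports"]), h["packets"])
```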