[Dshield] Blaster, or AOL strangeness...

Jason Brooks jbrooks at longwood.edu
Tue Oct 7 20:18:08 GMT 2003


We have been seeing this for at least one month.  I have been in contact 
with someone via another list who works for AOL.  There is nothing valid on 
port 4444 in the entire 205.188.134.xxx class C.  We haven't yet done any 
heavy packet digging, but some preliminary looking shows that AOL IM makes 
some use of 4444 on the client side.  The Sr Net Engineer here has also seen 
some port scans that match the pattern of hits we saw on 4444.  The 4444 
destination hits always occurred in patterns of 3 or 4.  They would occur 
in clumps of 3 or 4, sometimes up to 4 times at once, generating a total 
of 12 to 16 packets per client, on average.  We still don't know what is 
triggering this.  Anyone else...?

Glad we're not the only ones...
Jason Brooks


At 03:31 PM 10/7/2003 -0400, you wrote:
>Since applying filters to port 4444 (Blaster), some unusual entries have 
>shown up.  Local machines are trying to connect to <host>.websys.aol.com 
>on port 4444.  What's up with this?
>
>Examples (munged to RFC1918 space):
>>Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:40:17.038 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 
>>205.188.134.233(4444), 2 packets
>>Oct  7 13:43:03.833 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 
>>205.188.134.233(4444), 2 packets
>>Oct  7 13:43:06.021 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 
>>205.188.134.233(4444), 2 packets
>>Oct  7 13:43:10.833 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:43:14.113 EDT: list dorm-in denied tcp 172.18.57.70(4022) -> 
>>205.188.134.233(4444), 1 packet
>>Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 
>>205.188.134.237(4444), 1 packet
>>Oct  7 13:54:34.911 EDT: list dorm-in denied tcp 172.18.121.247(1727) -> 
>>205.188.134.237(4444), 1 packet
>>Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 
>>205.188.134.237(4444), 2 packets
>>Oct  7 14:15:54.324 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 
>>205.188.134.234(4444), 1 packet
>>Oct  7 14:16:19.768 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 
>>205.188.134.234(4444), 1 packet
>>Oct  7 14:20:54.913 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 
>>205.188.134.234(4444), 2 packets
>>Oct  7 14:21:54.918 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 
>>205.188.134.234(4444), 2 packets
>>Oct  7 15:10:55.944 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 
>>205.188.134.234(4444), 1 packet
>>Oct  7 15:12:10.793 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 
>>205.188.134.234(4444), 1 packet
>>Oct  7 15:12:26.773 EDT: list dorm-in denied tcp 172.18.17.116(50273) -> 
>>205.188.134.234(4444), 1 packet
>>Oct  7 15:16:55.195 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 
>>205.188.134.234(4444), 8 packets
>>Oct  7 15:17:55.199 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 
>>205.188.134.234(4444), 4 packets
>
>>Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) -> 
>>205.188.134.237(4444), 1 packet
>>Oct  7 14:39:33.046 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 
>>205.188.134.237(4444), 1 packet
>>Oct  7 14:39:55.254 EDT: list stop-sql denied tcp 172.16.89.50(1141) -> 
>>205.188.134.235(4444), 1 packet
>>Oct  7 14:45:12.234 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 
>>205.188.134.237(4444), 2 packets
>
>>[jeff at netsyslog jeff]$ host 205.188.134.233
>>233.134.188.205.in-addr.arpa domain name pointer ht-s11.websys.aol.com.
>>[jeff at netsyslog jeff]$ host 205.188.134.234
>>234.134.188.205.in-addr.arpa domain name pointer ht-s12.websys.aol.com.
>>[jeff at netsyslog jeff]$ host 205.188.134.235
>>235.134.188.205.in-addr.arpa domain name pointer ht-s13.websys.aol.com.
>>[jeff at netsyslog jeff]$ host 205.188.134.237
>>237.134.188.205.in-addr.arpa domain name pointer ht-s15.websys.aol.com.
>
>Jeff
>
>

Jason Brooks
Information Security Technician
IITS
116 - B Coyner
Longwood University
201 High Street
Farmville, VA 23901
(434) 395-2796
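As an added example (not code from the thread or from either poster), a small Python parser for the Cisco IOS ACL deny lines quoted above, grouping them per source/destination pair so the "clumps of 3 or 4" pattern Jason describes can be checked against a real log. The sample lines are constructed from the ones in the quoted message; treating each distinct source port as one connection attempt and a later line for the same source port as the router's follow-up packet count for that flow is an assumption, not something the thread states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Cisco IOS ACL deny-log format quoted in the thread.
SAMPLE_LOG = """\
Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet
Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 1 packet
Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 1 packet
Oct  7 13:40:17.038 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 205.188.134.233(4444), 1 packet
Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 2 packets
Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 1 packet
Oct  7 13:54:34.911 EDT: list dorm-in denied tcp 172.18.121.247(1727) -> 205.188.134.237(4444), 1 packet
Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 2 packets
Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) -> 205.188.134.237(80), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>[\d:.]+) \w+: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

def parse_line(line, year=2003):
    """Parse one ACL deny line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S.%f")
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "count": int(m["count"])}

def summarize(log_text, dport=4444):
    """Per (src, dst): distinct source ports = attempts (assumption: a repeated
    source port is a follow-up count for the same flow), total packets, time span."""
    flows = defaultdict(lambda: {"sports": set(), "packets": 0, "ts": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != dport:
            continue  # other formats and other destination ports are ignored
        f = flows[(rec["src"], rec["dst"])]
        f["sports"].add(rec["sport"])
        f["packets"] += rec["count"]
        f["ts"].append(rec["ts"])
    return {k: {"attempts": len(v["sports"]), "packets": v["packets"],
                "span_s": (max(v["ts"]) - min(v["ts"])).total_seconds()}
            for k, v in flows.items()}

def clumped_sources(summary, min_attempts=3, max_span_s=600):
    """Sources showing the thread's pattern: several attempts to one host in a short window."""
    return sorted({src for (src, _), s in summary.items()
                   if s["attempts"] >= min_attempts and s["span_s"] <= max_span_s})
```

Run `summarize` over the raw log text from the router and feed the result to `clumped_sources` to get the list of local hosts worth looking at first.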
