[Dshield] Traffic on 1025, 6129, 2745, 80, 3127

Shawn Cox shawn.cox at pcca.com
Thu Apr 1 15:46:20 GMT 2004


I should have been a little more careful about the description I provided.

Here's my daily summary for yesterday.  I was just really surprised to see 3500+ hosts start attacking in such a short time frame.
My previous day's submissions were a mere 47,000 packets for the whole day.
Each of the 3500 IPs attacked the ports 1025, 6129, 2745, 80, 3127 in that order.  I guess with 3127 in there it must be some form of MyDoom.


      Port  Packets  Sources  Targets  Service    Name
      2745   106883     3459      445  urbisnet   URBISNET
      1025   102081     3429      445  blackjack  network blackjack
      6129    94400     3309      445  dameware   Dameware Remote Admin
      3127    64061     2042      445  mydoom     W32/MyDoom, W32.Novarg.A backdoor


All the alert whistles started going off...
The traffic is back to normal now; here's my 24-hour syslog graph.

http://www.pcca.com/shawncox/syslog.jpg


--Shawn


----- Original Message ----- 
From: "Micheal Patterson" <micheal at tsgincorporated.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Wednesday, March 31, 2004 4:18 PM
Subject: Re: [Dshield] Traffic on 1025, 6129, 2745, 80, 3127 


> 
> 
> ----- Original Message ----- 
> From: "Shawn Cox" <shawn.cox at pcca.com>
> To: "General DShield Discussion List" <list at dshield.org>
> Sent: Wednesday, March 31, 2004 1:01 PM
> Subject: [Dshield] Traffic on 1025, 6129, 2745, 80, 3127
> 
> 
> > 2004-03-31 10:58:45 Local4.Error lbkrtr-ciscopix-int Mar 31 2004 10:58:13: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:12.25.200.5/48566 dst outside:216.167.162.144/1025
> > 2004-03-31 10:58:45 Local4.Error lbkrtr-ciscopix-int Mar 31 2004 10:58:13: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:12.25.200.5/48573 dst outside:216.167.162.144/6129
> > 2004-03-31 10:58:45 Local4.Error lbkrtr-ciscopix-int Mar 31 2004 10:58:13: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:12.25.200.5/48562 dst outside:216.167.162.144/2745
> > 2004-03-31 10:58:45 Local4.Error lbkrtr-ciscopix-int Mar 31 2004 10:58:13: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:12.25.200.5/48575 dst outside:216.167.162.144/80
> > 2004-03-31 10:58:45 Local4.Error lbkrtr-ciscopix-int Mar 31 2004 10:58:13: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:12.25.200.5/48568 dst outside:216.167.162.144/3127
> >
> >
> > I started getting pounded with this around 10:20 am central time.  I've
> > logged 200,000 since then on 448 IPs. Any idea what it is?
> >
> > I'm sorry I don't have the authority to do any captures.
> >
> > --Shawn
> >
> 
> Port 1025:  21526 hits today
> Port 6129:  14933 hits today
> Port 2745:  23548 hits today
> Port 3127:  26621 hits today
> 
> --
> 
> Micheal Patterson
> TSG Network Administration
> 405-917-0600
> 
> 
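
Added example, not part of the original thread or of DShield's tooling: one way to flag the pattern discussed above from PIX-3-106011 deny lines, by grouping hits per source/destination pair and reporting pairs that touch several of the listed ports within a short window. The window length, the four-port threshold and the sample lines (documentation address ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Port set reported in the thread, in the order the poster observed it.
SWEEP_PORTS = (1025, 6129, 2745, 80, 3127)

# Matches PIX-3-106011 deny lines in the layout quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?%PIX-3-106011: Deny inbound "
    r"\(No xlate\) tcp src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse(lines):
    """Yield (timestamp, src, dst, dport) for each matching deny line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["src"], m["dst"], int(m["dport"])

def find_sweeps(lines, window=timedelta(seconds=60), min_ports=4):
    """Map (src, dst) to the sweep ports hit inside one window, if >= min_ports.

    window and min_ports are assumed defaults, not values from the thread.
    """
    hits = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport in SWEEP_PORTS:
            hits[(src, dst)].append((ts, dport))
    sweeps = {}
    for pair, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(sweeps.get(pair, ())):
                sweeps[pair] = sorted(ports)
    return sweeps

# Constructed sample lines (documentation addresses), not taken from the thread.
PFX = ("2004-03-31 10:58:{:02d} Local4.Error fw Mar 31 2004 10:58:13: %PIX-3-106011: "
       "Deny inbound (No xlate) tcp src outside:{}/{} dst outside:198.51.100.10/{}")
SAMPLE = [PFX.format(45 + i, "192.0.2.5", 48560 + i, p) for i, p in enumerate(SWEEP_PORTS)]
SAMPLE += [PFX.format(50, "192.0.2.77", 40000, 80), PFX.format(51, "192.0.2.77", 40001, 25)]

if __name__ == "__main__":
    for (src, dst), ports in find_sweeps(SAMPLE).items():
        print(f"{src} -> {dst}: swept ports {ports}")
```

A source that only hits port 80 (the second constructed host) is not reported, which keeps ordinary web traffic out of the result.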

