[Dshield] What is my ISP doing?

Samantha Fetter sama at snowplow.org
Fri Apr 9 11:16:10 GMT 2004


That doesn't appear to be your ISP... It seems to be a fellow RR user
who's been compromised by a number of things...
6129 is used by Dameware remote control, 2745 is used by Bagle, 1025
by a number of backdoors as well as Active Directory, and 80, well I
think you've got that one.

If you look at the hostname, the dhcp024-210-214-179 portion tells you
that it's an IP/hostname assigned by DHCP.

I recommend sending the logs to RR and seeing if they'll do anything about
it.

Good luck,
Samantha

On Fri, 9 Apr 2004, Steve wrote:

> I recently have been receiving certain incoming probes from my ISP, or what
> I think is my ISP, RoadRunner.
>
> Can anyone help me understand this?
>
> Thanks.
>
>
> Steve
>
>
> Here is a sample in case the .txt file doesn't go through.
>
>
>
> Date        Time      Dir  Rem IP Addr     Remote Name                     R Port  Lcl IP Addr  L Port
> 2004/04/09  00:28:13  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1863    24.161.228.  80
> 2004/04/09  00:28:13  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1852    24.161.228.  1025
> 2004/04/09  00:28:13  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1857    24.161.228.  3127
> 2004/04/09  00:28:13  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1858    24.161.228.  6129
> 2004/04/09  00:28:13  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1850    24.161.228.  2745
> 2004/04/09  00:28:07  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1863    24.161.228.  80
> 2004/04/09  00:28:07  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1852    24.161.228.  1025
> 2004/04/09  00:28:07  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1857    24.161.228.  3127
> 2004/04/09  00:28:07  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1858    24.161.228.  6129
> 2004/04/09  00:28:07  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1850    24.161.228.  2745
> 2004/04/09  00:28:04  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1863    24.161.228.  80
> 2004/04/09  00:28:04  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1858    24.161.228.  6129
> 2004/04/09  00:28:04  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1857    24.161.228.  3127
> 2004/04/09  00:28:04  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1852    24.161.228.  1025
> 2004/04/09  00:28:04  I    24.210.214.179  dhcp024-210-214-179.woh.rr.com  1850    24.161.228.  2745
>
>
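
The triage described in this thread, as an added example that is not part of either message: it parses records in the quoted log's column layout, checks that the dhcp hostname label carries the same octets as the source IP, and labels each destination port. The function names are hypothetical, and the 3127 note is general knowledge that the thread itself does not give.

```python
import re
from collections import defaultdict

# Port notes as given in the reply above.
PORT_NOTES = {6129: "Dameware remote control", 2745: "Bagle",
              1025: "backdoors / Active Directory", 80: "HTTP"}
# Not named in the thread; general knowledge added for this example.
EXTRA_NOTES = {3127: "MyDoom backdoor"}

# Records from the quoted log, one per line; the local IP is truncated in the post.
SAMPLE = """\
2004/04/09 00:28:07 I 24.210.214.179 dhcp024-210-214-179.woh.rr.com 1863 24.161.228. 80
2004/04/09 00:28:07 I 24.210.214.179 dhcp024-210-214-179.woh.rr.com 1852 24.161.228. 1025
2004/04/09 00:28:07 I 24.210.214.179 dhcp024-210-214-179.woh.rr.com 1857 24.161.228. 3127
2004/04/09 00:28:07 I 24.210.214.179 dhcp024-210-214-179.woh.rr.com 1858 24.161.228. 6129
2004/04/09 00:28:07 I 24.210.214.179 dhcp024-210-214-179.woh.rr.com 1850 24.161.228. 2745
2004/04/09 00:28:04 I 24.210.214.179 dhcp024-210-214-179.woh.rr.com 1863 24.161.228. 80
2004/04/09 00:28:04 I 24.210.214.179 dhcp024-210-214-179.woh.rr.com 1858 24.161.228. 6129
"""

def parse(text):
    """Yield (src_ip, hostname, src_port, dst_port) for each 8-field record."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[5].isdigit() and f[7].isdigit():
            yield f[3], f[4], int(f[5]), int(f[7])

def hostname_embeds_ip(ip, name):
    """True when a dhcpNNN-NNN-NNN-NNN label carries the same octets as ip."""
    m = re.match(r"dhcp(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.", name)
    return bool(m) and [int(g) for g in m.groups()] == [int(o) for o in ip.split(".")]

def summarize(text):
    """Group records per source: distinct port pairs, labelled ports, DHCP-style name."""
    out = defaultdict(lambda: {"records": 0, "flows": set(), "ports": {}, "dhcp_name": False})
    for src, name, sport, dport in parse(text):
        s = out[src]
        s["records"] += 1
        s["flows"].add((sport, dport))  # a repeated port pair is counted once
        s["ports"][dport] = PORT_NOTES.get(dport) or EXTRA_NOTES.get(dport, "unlabelled")
        s["dhcp_name"] = s["dhcp_name"] or hostname_embeds_ip(src, name)
    return dict(out)

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, f"records={s['records']} flows={len(s['flows'])} dhcp={s['dhcp_name']}")
        for port in sorted(s["ports"]):
            print(f"  port {port}: {s['ports'][port]}")
```

The same source-port and destination-port pairs recur at each timestamp in the quoted log, so the distinct-pair count is the more useful figure to include when reporting the address to the provider.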



