[Dshield] What is my ISP doing?

jayjwa jayjwa at atr2.ath.cx
Sat Apr 10 07:21:10 GMT 2004



On Fri, 9 Apr 2004, Steve wrote:


> I recently have been receiving certain incoming probes from my ISP, or what
> I think is my ISP, RoadRunner.
> Can anyone help me understand this?
> dhcp024-210-214-179.woh.rr.com     	1857  	24.161.228.  	3127
> 2004/04/09	00:28:13   	I  	24.210.214.179
> dhcp024-210-214-179.woh.rr.com     	1858  	24.161.228.  	6129
> 2004/04/09	00:28:13   	I  	24.210.214.179
> dhcp024-210-214-179.woh.rr.com     	1850  	24.161.228.  	2745
> 2004/04/09	00:28:07   	I  	24.210.214.179
> dhcp024-210-214-179.woh.rr.com     	1863  	24.161.228.  	80
> 2004/04/09	00:28:07   	I  	24.210.214.179


Looks to me like you're getting probed for worm backdoors; those are
various worm & exploit holes. 6129 = DameWare, 3127 =
MyDoom/Doomjuice/MyDoom uploaders, 2745 = Bagle or Netsky.

Here's my counts off my last dmesg:

dmesg | grep -i -c dpt=

3127:
30

135:
19

6129:
1

80:
4


Port 3127 is a very active port, mainly because of all the worms and
exploits that use it.

If you're firewalled off and patched up, you should be OK.

-- 
<?sol jayjwa; ?>                         GPG:0xB628B851
SEARCH /++++++++++++++++++We&have&come&for&your&buffer!
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
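
The per-port tally described in the reply above, as an added example that is not part of the original post: it counts hits per destination port in one pass and annotates the ports the reply names. It assumes iptables LOG-style kernel lines with a `DPT=<port>` field; the function names `count_dpt` and `sample_log` are hypothetical, and the sample lines are constructed using documentation address ranges.

```shell
#!/bin/sh
# Added example: tally firewall-log hits per destination port.
# Assumes iptables LOG-style kernel lines carrying a DPT=<port> field.

# Constructed sample lines (not taken from the original post).
sample_log() {
cat <<'EOF'
IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1857 DPT=3127 SYN
IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1858 DPT=6129 SYN
IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=1850 DPT=2745 SYN
IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 PROTO=TCP SPT=4410 DPT=3127 SYN
IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=31270 LEN=60
eth0: link up, no port field on this line
EOF
}

# Reads log lines on stdin; prints "count port note", busiest port first.
count_dpt() {
    awk '
    BEGIN {
        # Port notes as given in the reply above.
        note[6129] = "DameWare"
        note[3127] = "MyDoom/Doomjuice"
        note[2745] = "Bagle or Netsky"
    }
    {
        # Match the whole field so DPT=3127 is not counted for DPT=31270.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^DPT=[0-9]+$/) { hits[substr($i, 5)]++; break }
    }
    END {
        for (p in hits)
            printf "%d %s %s\n", hits[p], p, ((p in note) ? note[p] : "-")
    }' | sort -k1,1nr -k2,2n
}

# Live use on a host that logs dropped packets: dmesg | count_dpt
sample_log | count_dpt
```

Ports without a note print `-`, which makes unfamiliar destinations easy to spot when reviewing a firewall log.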


