[Dshield] what kind of attack is this?

jayjwa jayjwa at atr2.ath.cx
Sat Feb 14 04:32:31 GMT 2004



On Fri, 13 Feb 2004, Guy Barnum wrote:

> I may be overly paranoid but I have what looks like a continuous
> attack/scan running off a win 2000 server.  Looking at the CPU time per

> 1   0.000000 <source left out>  192.27.50.87 UDP       source port: 3036
> destination port: 38293

Not much on the web search engines for port 3036....


> 181  0.763026 <source left out>  192.177.188.90 TCP 	 22560 > epmap
> [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
> 182  0.763050 <source left out>  192.177.188.90 TCP 	 22560 > epmap
> [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
> 183  0.763118 <source left out>  192.177.188.91 TCP 	 22560 > epmap
> [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
> 184  0.763127 <source left out>  192.177.188.91 TCP 	 22560 > epmap

These come back No match found (192.177.188.91...) (whois)..

With this little to go on, I'd say concentrate on finding the offending
process. Do you have lsof on Windows? That is a Unix tool that shows,
basically, what's doing what, as far as processes, ports and open files
are concerned. In the meanwhile, keep it firewalled in and do your
research. Windows tends to have a lot of "mystery" processes/outgoing
requests, and people have posted before wondering about this one or that
one. If not lsof, the other tools I'd use here that come to mind are Fresh
Diagnose, 3D_tracert, and Port-Peeker.
Hopefully someone else here will know more. Sorry, that's all I can think
of for now...


-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s+: a- C+++ UL++++ P+ L+++ E- W+++ N++ o- K- w---
O-- M-- V-- PS+++ PE Y PGP+ t- 5- X- R* tv-- b++ DI-- D-
G e h+ r% y--
------END GEEK CODE BLOCK------
