[Dshield] Incessant connection attempt from Chinese IP

Brian Dessent brian at dessent.net
Fri Aug 19 17:02:51 GMT 2005


Laurent Saplairoles wrote:

> Since yesterday night (17 Aug) 21h35, my firewall has stopped close to 500 connection
> attempts from 61.152.96.219.
> They are all coming from 'high ports': 32991 to 60845 and directed to ports 1026 to
> 1029
> 
> According to the Dshield site
> http://www.dshield.org/ipinfo.php?ip=61.152.96.219&Submit=Submit this is not the 1st
> time!
> 
> Does anyone know what is operating on that host? Is it malware or an individual
> scanning and trying to make it through my defenses?

Sounds like standard run-of-the-mill messenger spam.  This has been
going on for years and will probably continue to happen as long as there
are zombie boxes and/or network administrators that don't care about
abuse reports (i.e. forever.)

BTW they weren't connection attempts.  The messenger spam is just a
single UDP packet, and UDP is connectionless anyway.  The spammers just
blast them out as fast as they can and hope they hit a port (in the 102x
range) that RPC happens to be listening on.  If you have the messenger
service disabled (or have a firewall) then it's completely irrelevant.

Brian
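
Added example, not part of the original post: a triage pass over dropped-packet logs that separates the pattern described in this thread (single UDP datagrams from high source ports to ports 1026-1029) from other traffic from the same sources. The iptables-style log format, the log lines themselves, the 1024 "high port" threshold and the names triage and verdict are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Ports named in the thread: the "102x" range where RPC may be listening.
MESSENGER_PORTS = range(1026, 1030)
# Assumption: "high port" means an unprivileged source port (>= 1024).
HIGH_PORT = 1024
# Assumption: iptables-style LOG lines with key=value fields.
FIELD = re.compile(r"\b(SRC|PROTO|SPT|DPT)=(\S+)")

# Constructed sample input, not taken from the poster's firewall.
SAMPLE_LOG = """\
Aug 17 21:35:02 fw kernel: DROP IN=eth0 SRC=61.152.96.219 DST=192.0.2.10 PROTO=UDP SPT=32991 DPT=1026 LEN=485
Aug 17 21:35:02 fw kernel: DROP IN=eth0 SRC=61.152.96.219 DST=192.0.2.10 PROTO=UDP SPT=32991 DPT=1027 LEN=485
Aug 17 21:35:09 fw kernel: DROP IN=eth0 SRC=61.152.96.219 DST=192.0.2.10 PROTO=UDP SPT=60845 DPT=1029 LEN=485
Aug 17 21:40:11 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=22 LEN=60
Aug 17 21:41:30 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1026 LEN=120
"""

def triage(log_text):
    """Per source IP, count dropped packets that match the Messenger-spam pattern."""
    stats = defaultdict(lambda: {"spam_like": 0, "other": 0, "ports": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"SRC", "PROTO", "SPT", "DPT"} <= f.keys():
            continue  # not a TCP/UDP packet log line (e.g. ICMP has no ports)
        # UDP is connectionless, so these are stray datagrams, not connection attempts.
        spam_like = (f["PROTO"] == "UDP" and int(f["SPT"]) >= HIGH_PORT
                     and int(f["DPT"]) in MESSENGER_PORTS)
        entry = stats[f["SRC"]]
        if spam_like:
            entry["spam_like"] += 1
            entry["ports"].add(int(f["DPT"]))
        else:
            entry["other"] += 1
    return stats

def verdict(entry):
    """Pure pattern matches are background noise; anything mixed needs a closer look."""
    if entry["spam_like"] and not entry["other"]:
        return "messenger-spam noise"
    return "review"

if __name__ == "__main__":
    for src, e in triage(SAMPLE_LOG).items():
        print(src, e["spam_like"], sorted(e["ports"]), verdict(e))
```

The second source is left for review because it also sent TCP to port 22, and its UDP packet came from source port 53, which does not fit the high-source-port pattern.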

