[Dshield] Incessant connection attempt from Chinese IP
brian at dessent.net
Fri Aug 19 17:02:51 GMT 2005
Laurent Saplairoles wrote:
> Since yesterday night (17 Aug) 21h35, my firewall has stopped close to 500 connection
> attempts from 126.96.36.199.
> They are all coming from 'high ports': 32991 to 60845 and directed to ports 1026 to
> According to the Dshield site
> http://www.dshield.org/ipinfo.php?ip=188.8.131.52&Submit=Submit this is not the 1st
> Does anyone know what is operating on that host? Is it malware or an individual
> scanning and trying to make it through my defenses?
Sounds like standard run-of-the-mill messenger spam. This has been
going on for years and will probably continue to happen as long as there
are zombie boxes and/or network administrators that don't care about
abuse reports (i.e. forever.)
BTW they weren't connection attempts. The messenger spam is just a
single UDP packet, and UDP is connectionless anyway. The spammers just
blast them out as fast as they can and hope they hit a port (in the 102x
range) that RPC happens to be listening on. If you have the messenger
service disabled (or have a firewall) then it's completely irrelevant.
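The pattern described in this reply, as an added example that is not part of the original post: a small triage script that picks out sources sending UDP datagrams to the 102x ports from firewall drop logs, so they can be told apart from real TCP connection attempts. The iptables-style log format, the sample lines, the addresses, the 1020-1029 reading of "102x" and the function names are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in iptables LOG style; addresses are documentation ranges.
SAMPLE_LOG = """\
Aug 17 21:35:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=485 PROTO=UDP SPT=32991 DPT=1026 LEN=465
Aug 17 21:35:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=485 PROTO=UDP SPT=41200 DPT=1027 LEN=465
Aug 17 21:35:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=485 PROTO=UDP SPT=60845 DPT=1028 LEN=465
Aug 17 21:40:11 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51515 DPT=22 WINDOW=5840 SYN
Aug 17 21:41:30 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
"""

FIELD = re.compile(r"\b(SRC|PROTO|SPT|DPT)=(\S+)")
MESSENGER_PORTS = range(1020, 1030)  # assumption: "102x" read as 1020-1029


def parse(line):
    """Return the first SRC/PROTO/SPT/DPT values on a log line, or None."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)
    return fields if len(fields) == 4 else None


def messenger_spam_sources(log_text, min_packets=3):
    """Map source IP -> packet count and destination ports for UDP hits on 102x."""
    seen = defaultdict(lambda: {"packets": 0, "dports": set()})
    for line in log_text.splitlines():
        f = parse(line)
        # Only UDP datagrams count; TCP SYNs are genuine connection attempts.
        if not f or f["PROTO"] != "UDP" or not f["DPT"].isdigit():
            continue
        if int(f["DPT"]) in MESSENGER_PORTS:
            seen[f["SRC"]]["packets"] += 1
            seen[f["SRC"]]["dports"].add(int(f["DPT"]))
    return {src: {"packets": v["packets"], "dports": sorted(v["dports"])}
            for src, v in seen.items() if v["packets"] >= min_packets}


if __name__ == "__main__":
    for src, info in messenger_spam_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['packets']} UDP datagrams to ports {info['dports']}")
```
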