[Dshield] Incessant connection attempt from Chinese IP

Laurent Saplairoles lsaplai at megassistance.com
Fri Aug 19 20:16:44 GMT 2005



On 19 Aug 2005 at 10:02, Brian Dessent wrote:

> Laurent Saplairoles wrote:
> 
> > Since yesterday night (17 Aug) 21h35, my firewall has stopped close
> > to 500 connection attempts from 61.152.96.219. They are all coming
> > from 'high ports': 32991 to 60845 and directed to ports 1026 to 1029
> > 
> > According to the Dshield site
> > http://www.dshield.org/ipinfo.php?ip=61.152.96.219&Submit=Submit
> > this is not the 1st time!
> > 
> > Does anyone know what is operating on that host? Is it malware or an
> > individual scanning and trying to make it through my defenses?
> 
> Sounds like standard run-of-the-mill messenger spam.  This has been
> going on for years and will probably continue to happen as long as
> there are zombie boxes and/or network administrators that don't care
> about abuse reports (i.e. forever.)
> 
> BTW they weren't connection attempts.  The messenger spam is just a
> single UDP packet, and UDP is connectionless anyway.  The spammers
> just blast them out as fast as they can and hope they hit a port (in
> the 102x range) that RPC happens to be listening on.  If you have the
> messenger service disabled (or have a firewall) then it's completely
> irrelevant.
> 
> Brian
> 

Thanks Brian.
This is reassuring. Everything was stopped at the f/w anyway but I rarely see such long series.
Point taken: not connection attempts. I just didn't have the detail of the protocol available to see that.

Cheers!

-- 
Laurent Saplairoles
IT Manager
www.megassistance.com
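
Added example, not part of the original thread: a small triage script that separates the pattern discussed above (single UDP datagrams to ports 1026-1029) from real TCP connection attempts in firewall drop logs. The iptables-style key=value log format, the sample lines, the `min_hits` threshold and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Destination ports named in the thread as the range messenger spam is sprayed at.
MESSENGER_PORTS = range(1026, 1030)
KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample in iptables LOG key=value style (not taken from the post).
SAMPLE_LOG = """\
Aug 17 21:35:02 fw kernel: DROP IN=eth0 SRC=61.152.96.219 DST=192.0.2.10 PROTO=UDP SPT=32991 DPT=1026 LEN=485
Aug 17 21:35:02 fw kernel: DROP IN=eth0 SRC=61.152.96.219 DST=192.0.2.10 PROTO=UDP SPT=32991 DPT=1027 LEN=485
Aug 17 21:35:03 fw kernel: DROP IN=eth0 SRC=61.152.96.219 DST=192.0.2.10 PROTO=UDP SPT=41877 DPT=1028 LEN=485
Aug 17 21:35:03 fw kernel: DROP IN=eth0 SRC=61.152.96.219 DST=192.0.2.10 PROTO=UDP SPT=60845 DPT=1029 LEN=485
Aug 17 21:35:09 fw kernel: DROP IN=eth0 SRC=61.152.96.219 truncated
Aug 17 21:40:11 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50122 DPT=22 SYN
Aug 17 21:40:14 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50122 DPT=22 SYN
Aug 17 21:41:30 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=53 LEN=60
"""

def parse_line(line):
    """Return (src, proto, sport, dport), or None for lines missing a field."""
    f = dict(KV.findall(line))
    if not {"SRC", "PROTO", "SPT", "DPT"} <= f.keys():
        return None
    if not (f["SPT"].isdigit() and f["DPT"].isdigit()):
        return None
    return f["SRC"], f["PROTO"].upper(), int(f["SPT"]), int(f["DPT"])

def classify_sources(log_text, min_hits=3):
    """Label each source IP by the kind of dropped traffic it sent."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_src[rec[0]].append(rec[1:])
    verdicts = {}
    for src, recs in per_src.items():
        # Connectionless UDP aimed only at the 102x range: the spam pattern.
        spam = [r for r in recs if r[0] == "UDP" and r[2] in MESSENGER_PORTS]
        if len(spam) >= min_hits and len(spam) == len(recs):
            verdicts[src] = "messenger-spam"
        elif any(r[0] == "TCP" for r in recs):
            verdicts[src] = "tcp-connection-attempts"
        else:
            verdicts[src] = "other"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src:16} {verdict}")
```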


