[Dshield] Bizarre Activity Spurt...

Robert Nelson nelsrob at mts.net
Fri Oct 14 02:11:35 GMT 2005


Most odd. Never seen this before...

I just had 232 hits on ports 1025 and 1026, all udp, in 42 seconds. All had
the source port of 7568. All but the first IP listed hit 8 times, port 1025
then 1026, in a one-second burst each. One IP hit 8 times, then the next IP
hit 8 times... Each 1025-1026 pair was at the same time, the next pair from
that IP was 12-15 ms later.

Sorry, no packet captures - router log, on a dynamic IP (had it for a few
days now) on home PC, DSL...

Here's an excerpt

(Timestamps are UTC)
Date      	Time       	Dir	Prot	Rem IP Addr    	R Port	L Port
2005/10/14	01:19:27   	I  	udp 	210.136.160.137	7568  	1025
2005/10/14	01:19:27   	I  	udp 	210.136.160.137	7568  	1026
2005/10/14	01:19:27   	I  	udp 	210.136.160.137	7568  	1025
2005/10/14	01:19:27   	I  	udp 	210.136.160.137	7568  	1026
2005/10/14	01:19:27   	I  	udp 	210.136.160.137	7568  	1025
2005/10/14	01:19:27   	I  	udp 	210.136.160.137	7568  	1026
2005/10/14	01:19:27   	I  	udp 	210.136.160.137	7568  	1025
2005/10/14	01:19:27   	I  	udp 	210.136.160.137	7568  	1026

The following are the source IPs


Anybody ever seen anything quite like this?

Robert
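
An added example, not part of the original post: a small Python summarizer for router log rows in the tab-separated layout of the excerpt above, grouping inbound UDP hits on ports 1025 and 1026 by source IP and checking whether every source used the same source port. The sample input reuses the eight excerpt rows and adds constructed rows (198.51.100.x addresses); the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Excerpt rows for 210.136.160.137 from the post, plus a constructed second
# burst (198.51.100.7, documentation range) and one constructed unrelated row.
SAMPLE = "\n".join(
    ["Date      \tTime       \tDir\tProt\tRem IP Addr    \tR Port\tL Port"]
    + [f"2005/10/14\t01:19:27   \tI  \tudp \t210.136.160.137\t7568  \t{p}"
       for p in (1025, 1026) * 4]
    + [f"2005/10/14\t01:19:28   \tI  \tudp \t198.51.100.7\t7568  \t{p}"
       for p in (1025, 1026) * 4]
    + ["2005/10/14\t01:19:30   \tI  \ttcp \t198.51.100.9\t40000 \t445"]
)

def parse(text):
    """Yield (time, proto, src_ip, src_port, dst_port) for inbound data rows."""
    for line in text.splitlines():
        f = [c.strip() for c in line.split("\t")]
        if len(f) != 7 or not f[5].isdigit() or not f[6].isdigit():
            continue  # header, blank or wrapped line
        if f[2] != "I":
            continue  # only inbound traffic is of interest here
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y/%m/%d %H:%M:%S")
        yield ts, f[3], f[4], int(f[5]), int(f[6])

def summarize(text, ports=(1025, 1026)):
    """Per-source summary of inbound UDP hits on the given local ports."""
    by_ip = defaultdict(list)
    for ts, proto, ip, sport, dport in parse(text):
        if proto == "udp" and dport in ports:
            by_ip[ip].append((ts, sport, dport))
    out = {}
    for ip, hits in by_ip.items():
        times = [h[0] for h in hits]
        out[ip] = {
            "hits": len(hits),
            "src_ports": sorted({h[1] for h in hits}),
            "per_port": {p: sum(h[2] == p for h in hits) for p in ports},
            "span_s": (max(times) - min(times)).total_seconds(),
        }
    return out

def fixed_source_port(summary):
    """Return the single source port shared by all sources, else None."""
    seen = {p for s in summary.values() for p in s["src_ports"]}
    return seen.pop() if len(seen) == 1 else None

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for ip, s in result.items():
        print(ip, s)
    print("shared source port:", fixed_source_port(result))
```

The excerpt's timestamps have one-second resolution, so `span_s` can confirm the one-second burst per source but not the 12-15 ms spacing between pairs.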


