[Dshield] Bizarre Activity Spurt...

Bo Nordgren bo at nordgren.net
Fri Oct 14 08:14:27 GMT 2005

> I just had 232 hits on ports 1025 and 1026, all udp, in 42 seconds. All had
> the source port of 7568. All but the first IP listed hit 8 times, port 1025
> then 1026, in a one-second burst each. One IP hit 8 times, then the next IP
> hit 8 times... Each 1025-1026 pair was at the same time, the next pair from
> that IP was 12-15 ms later.

I am way out on thin ice here, but I have seen something like that, though not on that scale.
My take on it was that it is probably a botnet gunning for an exploit, but it isn't a
good explanation unless they are a bit behind, since my box is running Linux. On the
other hand, people still try to log on as Administrator, so who can tell.
Out of the 4 IPs that I have, only the lowest got the hits, so at least it wasn't a scan.
There were also no alerts from snort.

