[Dshield] Bizarre Activity Spurt...

Robert Nelson nelsrob at mts.net
Fri Oct 14 22:16:47 GMT 2005


Well, a little look-see shows these little bursts of activity at 4 hours, 13
minutes apart, a total of 5 spurts. The source port changes on each new
spurt, but remains the same for the duration of the spurt. So I should be
seeing another rash of these in about 9 minutes... Changing my IP did not
alter the pattern, either.

I'm quite familiar with seeing the messenger spam. But until last night I'd
never seen it show up in such an intense burst. Makes one wonder why the new
tactic?

No facilities at home here to capture any packets - a lowly cable/dsl
router. But it would be interesting to see what message some bot thinks is
so darned important! ;)

It would be nice to know where the actual sender is, too. It must be all
coming from one machine, as the source port is the same on each attack.

So I take it nobody else has noticed a one-minute blast of over 230 hits on
these two ports? May be a customer of my own ISP...

Robert

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Pete Cap
Sent: October 14, 2005 11:39 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Bizarre Activity Spurt...


Robert Nelson <nelsrob at mts.net> wrote: 
I'm used to seeing the messenger spam - but I've never seen it arrive in a
burst like this before.

It happened again at just after midnight my time and again at 4:46 AM CDT...

Robert

If you do a fourier analysis of this 1025/1026 traffic you will typically
see some really strong periodicities.  It's all automated activity so far as
I can tell, nothing especially complex about it, so I'd have to agree with
the popup spam theory.
 
Regards,
Pete
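
The Fourier analysis suggested above, as an added example that is not part of the original thread: a point-process (Rayleigh) periodogram over the timestamps of hits on ports 1025/1026. The `(epoch_seconds, dst_port)` event format, the function names, the search window and the sample log are all assumptions constructed for illustration.

```python
import cmath

PORTS = {1025, 1026}      # destination ports discussed in the thread

def coherence(times, period_s):
    """Rayleigh statistic: 1.0 if every hit lands at the same phase of period_s."""
    if not times:
        raise ValueError("no hits on the watched ports")
    w = 2j * cmath.pi / period_s
    t0 = times[0]
    return abs(sum(cmath.exp(w * (t - t0)) for t in times)) / len(times)

def dominant_period(events, lo_s=9000, hi_s=28800, step_s=60):
    """events: (epoch_seconds, dst_port) pairs taken from a firewall log.
    Returns (best_period_s, coherence). The search window is an assumption:
    a burst train is just as coherent at period/2, period/3, ..., so keep
    lo_s above half the longest period you expect to find."""
    times = sorted(t for t, port in events if port in PORTS)
    scores = {p: coherence(times, p) for p in range(lo_s, hi_s + 1, step_s)}
    best = max(scores, key=scores.get)
    return best, scores[best]

def constructed_log():
    """Constructed sample shaped like the report: 5 one-minute bursts of 232
    hits, 4 h 13 min (15180 s) apart, plus unrelated background traffic."""
    base = 1129248000                     # arbitrary start time
    events = []
    for burst in range(5):
        for j in range(232):              # hits spread across one minute
            events.append((base + burst * 15180 + j * 60 // 232, 1025 + j % 2))
    for m in range(22):                   # stray hits every 47 minutes
        events.append((base + 600 + m * 2820, 1026))
    for m in range(300):                  # other ports, dropped by the filter
        events.append((base + m * 200, 445))
    return events

if __name__ == "__main__":
    period, r = dominant_period(constructed_log())
    print(f"strongest period: {period // 3600} h {period % 3600 // 60} min, "
          f"coherence {r:.2f}")
```

With only five bursts the peak is broad, so treat the reported period as accurate to a minute or two rather than to the second.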



