[Dshield] Bizarre Activity Spurt...

Pete Cap peteoutside at yahoo.com
Sat Oct 15 02:47:12 GMT 2005


Robert Nelson <nelsrob at mts.net> wrote:
Well, a little look-see shows these little bursts of activity at 4 hours, 13
minutes apart, a total of 5 spurts. The source port changes on each new
spurt, but remains the same for the duration of the spurt. So I should be
seeing another rash of these in about 9 minutes...

Yessirree Bob, right on time. 20 hits each from 8 different addresses
(spoofed of course) for a total of 160 hits. All from port 52624 this time.

Robert
 
Robert,
 
Would you mind terribly providing the timestamp and port for the first event in each "burst?"
 
Since changing your IP did not alter the signal at all, I see two possibilities:
1. Your entire network (ISP's network) is getting spammed, and you don't have the resolution (precision of timestamps) to notice the time difference. It's not you, it's you and everyone near you.
2. You might have some kind of beaconing malware on your hands which is telling the Bad Guy what your IP is.  I would need full packet captures for a few days to determine if this is the case.
 
If you wish, I can show you how to perform the Fourier analysis using R.
 
Regards,
 
Pete
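
The periodicity check discussed in this message, as an added example that is not part of the original post and is written in Python rather than R. The timestamps are constructed to match the thread's description (5 bursts of 160 hits, 4 hours 13 minutes apart); the function names and the 5-day noise window are assumptions.

```python
import cmath
import math
import random

PERIOD_S = 4 * 3600 + 13 * 60  # 4 h 13 min, the burst spacing reported in the thread

def constructed_bursts(bursts=5, hits=160, burst_len_s=30.0, start_s=1000.0):
    """Constructed hit timestamps (seconds): short bursts spaced PERIOD_S apart."""
    return [start_s + b * PERIOD_S + burst_len_s * h / hits
            for b in range(bursts) for h in range(hits)]

def constructed_noise(n=800, span_s=5 * 86400, seed=1):
    """Constructed aperiodic background: n hits spread uniformly over span_s."""
    rng = random.Random(seed)
    return sorted(rng.uniform(0, span_s) for _ in range(n))

def power(timestamps, period_s):
    """Normalised Fourier power of the event train at one trial period.
    1.0 means every hit falls at the same phase of that period."""
    w = 2 * math.pi / period_s
    s = sum(cmath.exp(1j * w * t) for t in timestamps)
    return abs(s) ** 2 / len(timestamps) ** 2

def dominant_period(timestamps, lo_s=3600, hi_s=12 * 3600, step_s=60):
    """Scan trial periods from 1 h to 12 h in 1-minute steps and return
    (period_s, power) for the strongest one. Sub-multiples of the true
    period also score high; the burst width makes them slightly weaker
    than the fundamental, so the maximum lands on the fundamental here."""
    scan = [(power(timestamps, p), p) for p in range(lo_s, hi_s + 1, step_s)]
    best_power, best_period = max(scan)
    return best_period, best_power

if __name__ == "__main__":
    for name, ts in (("bursts", constructed_bursts()), ("noise", constructed_noise())):
        period, pw = dominant_period(ts)
        print(f"{name}: strongest period {period / 60:.0f} min, power {pw:.3f}")
```

With only second-resolution firewall logs the scan still resolves the spacing between bursts, but not the sub-second offsets that would separate the two possibilities listed above.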

		