[unisog] DoS activity: Rapid IP spoofing and TCP port 5999 dest?

Julian Y. Koh kohster at northwestern.edu
Wed Oct 29 12:55:39 GMT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 20:32 -0500 10/28/2003, Clarke Morledge wrote:
>In this particular case, the destination IP was 69.50.166.41, and most of
>the traffic was directed towards TCP 5999.  But we did see some traffic
>going towards a variety of other high number ports, notably 6667,
>presumably an IRC channel?

We had a similar episode a month or so ago.  Turned out to be a whole bunch
of Gaobot/Agobot-infected machines.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
Comment: <http://charlotte.at.northwestern.edu/julian/pgppubkey.html>

iQA/AwUBP5+qtQ5UB5zJHgFjEQKADACghCTIBw3QUng689IgKYcZzwIs4jsAn1MI
BnldOyHNMKAxNsI1sf2tUKMl
=UvEk
-----END PGP SIGNATURE-----

-- 
Julian Y. Koh                             <mailto:kohster at northwestern.edu>
Network Engineer                                       <phone:847-467-5780>
Telecommunications and Network Services             Northwestern University
PGP Public Key:<http://charlotte.at.northwestern.edu/julian/pgppubkey.html>



More information about the unisog mailing list