Page 3 of 3 FirstFirst 123
Results 21 to 24 of 24
  1. #21
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Redondo Beach, CA
    Oh lots of thoughts:

    - worm activity? (still might be a possibility)

    - trojan activity? (some DDoS/Trojans have encryption methods in them -- nothing says they wouldn't/couldn't use IPSec)

    - misdirected traffic (this is the more likely scenario -- whatever they were connecting to before using Windows built-in VPN and IPSec).

    - misdirected traffic (again, more likely option -- whatever they were connecting to experimenting with IPv6).

    Interesting to say the least.. might want to watch incidents.org and some of the lists to see if others report it. Might also want to forward it to incidents.org to see if they've seen other reports.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #22
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Ms. M: Yeah... the more I think about it the stranger it is.... It's become so annoying that I pulled myself back out of the demil zone to stop the darned thing logging it... It's incessant. I went and checked all the port forwarding etc. to make sure it hadn't been changed, checked the logs etc. at the firewall so it is being blocked, which gets my friend off the hook....

    Actually this IP is getting a ton of traffic on lots of odd ports... Much more than it was before the weekend..... which implies the IP did change and people have picked up on the old "owner" as something of "interest". But the SFLM stuff is multiple per minute from multiple remote addresses right now. Too much for me to be bothered with in some ways..... Interestingly, many of the "attacking" IP's show up as "host down" when they are "investigated".... So there is a certain amount of sophistication going on at the remote location, whether it is by the user or by the software they are using.

    I'll take a look at incidents.org but it'll have to be tomorrow 'cos I need to go home to my sweetie now..... Yeah, I have a "soft" spot.... Let's keep that as another "little secret"...


    Hmmmm... the worm theory you put forward..... It could be explained by a worm that propogates by another port, thus no apparent scan on this one, but it connects via this one to "pick up" it's "little buddy"..... Just a thought....

    Hmmm..... A brain cell kicked in...... WOW

    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #23
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    cali forn i a
    have you had any problems with ur zonealarm blocking the traffic. I remember a bug in ZA where if it recieves and blocks a exceeding number of SYN packets (over a hundred or something i think) it will crash. I'm sure some of u've seen/heard it. Just wonderin if they could somehow tell that u have a zonealarm firewall and r tryin to crash it. Just my guess on what they could be tryin to do...i know its far fetched but a high amount of SYN packets and ur firewall bein ZA u could never know.

  4. #24
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Tiger: I had some log entries in my logs from Oct 28 that show a handfull of attempts inbound from Internet using that TCP port you reported but nothing alarming. But most interestingly I had about 20 entries inbound from Internet (on same TCP port) using internal LAN IP addresses - some were valid others were not.

    I'll watch for any future stuff.

    (Interesting thread you have here)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

We have made updates to our Privacy Policy to reflect the implementation of the General Data Protection Regulation.