Really weird. Really

  1. #1
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003

    Really weird. Really

    Greetings


    I'm posting this thread in a hurry, so forgive any typos. Port 6881 (unassigned) has been attacked almost 600 times in the last 3 minutes, and all the IPs are from the 61-86 and 151-211 ranges. I have never seen this. I have called up 2 of my friends who manage a server and they are also facing the same problem. I have checked the SANS Internet threat level, which is still yellow (they started the year off at that level), and Symantec's ThreatCon, which is also yellow. Also, the list of most-attacked ports at ISC shows 6881, which is the default port used by BitTorrent.

    Anyone having the same problem?
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi there ByTeWrangler,

    No sign of it here, just the usual crap from within my ISP address block for the most part 86-128-xxx-xxx

    Cheers

  3. #3
    Dissident 4dm1n brokencrow
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    ...relax, ports 6881-6889 are BitTorrent ports. Some PCs out there are looking for a download.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Have you used BitTorrent from that box recently, or has your IP address changed recently?

    Usually this is the result of file sharing activity or your IP address changing to that which someone else recently used for filesharing.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Greetings

    Sorry guys, I did not wish every one of you a very happy, successful and prosperous new year.

    Coming back to the topic, I have registered almost 8000 scans to that particular port in the last 35 minutes alone. I checked with my ISP but they have no clue. Almost everyone I know of here WAS having the same problem but they stopped some time ago. I have never USED BitTorrent. I don't know what to do. I have already added a rule to my firewall (software based) to block that port but almost. The scans are just not stopping. My IP has been the same for the last 3 days, and when I started this thread I asked for my IP to be changed, but the problem continues.. Anyway, I'll keep you guys updated....

  6. #6
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Are you on a connection shared through a router with other people??? Is one of them running BitTorrent?

    I have a machine on the DMZ of the router and a roommate was running BitTorrent... because the connections aren't established by him, the NAT doesn't know how to deal with them properly (or I should say deals with them properly but because of the setup you don't get the desired results)... as a result I get hammered by connection requests for port 6881... It's not uncommon to see.

    Why don't you throw on a sniffer and post the results for us... with a packet to dissect we may be able to assist you further in proving or disproving the BitTorrent association.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
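
What the packet dissection suggested in post #6 could look like, as an added example that is not part of the original thread: it labels payloads captured on port 6881 as BitTorrent peer-wire handshakes, DHT messages, or bare connection attempts that carry no evidence either way. The function names, addresses and sample packets are constructed for illustration.

```python
from collections import Counter

BT_PSTR = b"BitTorrent protocol"  # protocol string in the peer-wire handshake

def classify_payload(proto, payload):
    """Label one payload captured on port 6881 ('tcp' or 'udp')."""
    if proto == "tcp":
        if not payload:
            return "syn-only"  # blocked/unanswered connect: no data to judge
        # Handshake layout: 0x13, "BitTorrent protocol", 8 reserved bytes,
        # 20-byte info_hash, 20-byte peer_id (68 bytes total)
        if payload[:1] == b"\x13" and payload[1:20] == BT_PSTR:
            return "bt-handshake"
    elif proto == "udp":
        # DHT (KRPC) messages are bencoded dicts carrying a 1-char "y" key
        if payload[:1] == b"d" and payload[-1:] == b"e" and b"1:y1:" in payload:
            return "bt-dht"
    return "other"

def handshake_info_hash(payload):
    """Hex info_hash of a full handshake, or None if it is not one."""
    if classify_payload("tcp", payload) != "bt-handshake" or len(payload) < 48:
        return None
    return payload[28:48].hex()

def assess(packets):
    """packets: iterable of (src_ip, proto, payload). Returns (counts, verdict)."""
    counts = Counter(classify_payload(proto, data) for _, proto, data in packets)
    if counts["bt-handshake"] or counts["bt-dht"]:
        verdict = "bittorrent"
    elif counts["other"]:
        verdict = "not-bittorrent"
    else:
        verdict = "inconclusive"  # only empty SYNs seen
    return counts, verdict

# Constructed sample capture (documentation address ranges, made-up peer id)
HANDSHAKE = b"\x13" + BT_PSTR + bytes(8) + bytes(range(20)) + b"-XX0001-000000000000"
DHT_PING = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
SAMPLE = [
    ("192.0.2.10", "tcp", b""),
    ("198.51.100.7", "tcp", HANDSHAKE),
    ("203.0.113.44", "udp", DHT_PING),
]

if __name__ == "__main__":
    counts, verdict = assess(SAMPLE)
    print(dict(counts), verdict, handshake_info_hash(HANDSHAKE))
```

A firewall that drops the connection attempts only ever sees the "syn-only" case, so the verdict stays "inconclusive" until a listener on a test box accepts a connection and records the first bytes the remote side sends.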

  7. #7
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Greetings

    Well, I went offline for more than 2 hours to check my computer, both in normal and in safe mode, for any malware. I have found nothing new except "Hacktool.Pwdump", which was first found by Ewido (I should have downloaded this earlier) in a file in my sister's received folder, but I think she couldn't install it because I have changed her account's privileges to GUEST (now it strikes me, she was frustrated with the PC, saying it just doesn't work, but anyway the fact that it was in the received folder means someone sent her that file).
    Anyway besides that everything is fine. Scans have stopped as mysteriously as they started. Once again Happy new year to all and yes I have direct connection to the Internet.
