Really wiered. Really

Printable View

January 2nd, 2006, 02:16 PM
ByTeWrangler

Really wiered. Really

Greeting's

I'm posting this tread in a hurry so forgive any typo's. But port 6881 (unassigned) has been attacked almost 600 time's in last 3 minute's and all IP are from 61-86 and 151-211 range I have never seen this i have called up 2 of my friends who manage a server they are also facing the same problem. I have checked the SANS internet thread level which is still yellow (they started the year off in that level) and symantec's Threatcon which is also yellow. Also most number of ports attacked at ISC shows 6881 is the default port used by Bittorrent.

Anyone having the same problem ?
January 2nd, 2006, 02:35 PM
nihil

Hi there ByTeWrangler ,

No sign of it here, just the usual crap from within my ISP address block for the most part :) 86-128-xxx-xxx

Cheers
January 2nd, 2006, 02:46 PM
brokencrow

...relax, ports 6881-6889 are bittorrent ports. Some PCs out there is looking for a download. :)
January 2nd, 2006, 02:53 PM
Tiger Shark

Have you used bittorrent from that box recently of has your IP address changed recently?

Usually this is the result of file sharing activity or your IP address changing to that which someone else recent;y used for filesharing.
January 2nd, 2006, 04:32 PM
ByTeWrangler

Greeting's

Sorry guys i did not wish everyone of you A very happy, seccessfull and properous new year.

Coming back to the topic I have redgistered almost 8000 scans to that perticular post in last 35 minutes alone, I checked with my ISP but they have no clue. Almost everyone I know of here WAS having the same problem but they stopped sometime ago. I have never USED bittorrent. I dont know what to do I have already added a rule to my firewall (software based) to block that port but almost. the scans are just not stopping. My IP is the same from last 3 days and when I started this thread I asked for my IP to be changed but the problem continues.. Anyway Ill keep you guys updated....
January 2nd, 2006, 05:05 PM
HTRegz

Hey Hey,

Are you on a connection shared through a router with other people??? Are one of them running Bit Torrent?

I have a machine on the DMZ of the router and a roommate was running BitTorrent... because the connections aren't established by him, the NAT doesn't know how to deal with them properly (or I should say deals with the properly but because of the setup you don't get the desired results)... as a result I get hammered by connection requests for port 6881... It's not uncommon to see.

Why don't you throw on a sniffer and post the results for us... with a packet to dissect we may be able to assist you further in proving or disproving the BitTorrent association.

Peace,
HT
January 2nd, 2006, 08:47 PM
ByTeWrangler

Greeting's

Well I went offline for more then 2 hours to check my computer both in normal and in safe mode for any malware. I have found nothing new except "Hacktool.Pwdump" which was first found by Ewido (I should have downloaded this earlier)in a file in my sisters received folder but I think she couldn't install it because I have changed her account's privileges to GUEST (now it strikes me, she was frustrated with the PC saying it just doesn't work. but any ways the fact that it was in received folders means someone sent her that file.)
Anyway besides that everything is fine. Scans have stopped as mysteriously as they started. Once again Happy new year to all and yes I have direct connection to the Internet.