Almost certainly a scan, but probably not a manual one -- think virus, worm or autorooter.

After doing some Googling, it appears as though it's probably (still) Blaster/Welchia or one of their variants:

http://cert.uni-stuttgart.de/archive/intrusions/2003/08/msg00209.html

HTH,
Curtis

On Fri March 19 2004 00:46, Shawn wrote:
> Maybe it's just a thorough port scan? with some spoofing thrown in to hide
> who's doing it? those ports don't look like they would be high traffic ports,
> but I wouldn't be surprised if the underlying packages that would use them
> have some known exploits...
>
> Shawn
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Shane&Lisa
> Sent: Friday, March 19, 2004 12:22 AM
> To: CLUG General
> Subject: Re: [clug-talk] Firewall taking a beating...
>
>
> Hi Dave, Shawn, Neil, et al
>
> Thanks for the feedback.
>
> >>> Just curious if any of you running both Telus and Shaw have ever
> >>> compared the amount of unwanted (not sure if that's the correct term)
> >>> traffic that you are logging on your firewalls?
>
> I'm on Shaw and never had this problem until this week
>
> I've tried to look up some of these ports the firewall is stating. It looks
> pretty random to me...
>
> What do you all think?
>
> 1902 -- Fujitsu ICL Terminal Emulator Program B
> 1144 -- unassigned
> 1517 -- Virtual Places Audio control
> 1475 -- Taligent License Manager
> 1376 -- IBM Person to Person Software
> 1161 -- Health Polling
> 1657 -- unassigned
> 1757 -- cnhrp
> 1962 -- BIAP-MP
> 1317 -- vrts-ipcserver
> 1862 -- techra-server
> 1868 -- VizibleBrowser
> 1062 -- Veracity
> 1355 -- Intuitive Edge
> 1314 -- Photoscript Distributed Printing System
> 1904 -- Fujitsu ICL Terminal Emulator Program C
> 1484 -- Confluent License Manager
> 1980 -- PearlDoc XACT
> 1081 -- PVUNIWIEN
>
> I'm not running any services like these (I don't think...) at all but do
> they mean anything to anyone?
>
> Random? Kind of a broken DOS attack?
>
> Shane
>
> > I checked my logs after Shane's post - I'm not seeing anything abnormal
> > there. Just the usual MSSQL SQL Propagation attacks, ping attacks, etc.
> > (gotta luv the abuse Telus allows happening through their networks -
> > thank god it stops at my firewall).
> >
> > Shawn
> >
> > _______________________________________________
> > clug-talk mailing list
> > [EMAIL PROTECTED]
> > http://clug.ca/mailman/listinfo/clug-talk_clug.ca

