[SubSeven 2.x] Port 27374 - Connection request


JCC
December 30th, 2003, 04:03 PM
This showed up on my TDS3 Window:

-{ Quote: "12:20:35 [SubSeven 2.x] Port 27374 - Connection request by 172.134.183.228:1300
12:20:35 [Socket 3] Port 27374 - Connection request by 172.134.183.228:1300 " }-

My firewall also shows that I'm getting a lot of these attempted contacts. And I'm using dial-up. What should I do?

In the past, my firewall showed that I was getting a lot of these attacks (almost constant), and I did a system recovery because I thought I might have had a Trojan. The attacks lessened for months, then the rate increased again, so I did another system recovery and the attacks became very few again. Now the rate has increased again by a lot, but not as much as the other two times.


TDS3 shows no trojans. Any suggestion about what is happening, and why the attacks decrease after I do a system recovery?

JCC
December 30th, 2003, 04:19 PM
I just had some more attacks. And my firewall isn't picking up any of them.

Here is the list so far:


-{ Quote: "12:20:35 [SubSeven 2.x] Port 27374 - Connection request by 172.134.183.228:1300
12:20:35 [Socket 3] Port 27374 - Connection request by 172.134.183.228:1300
13:04:09 [SubSeven 2.x] Port 27374 - Connection request by 68.237.124.245:50748
13:04:09 [Socket 3] Port 27374 - Connection request by 68.237.124.245:50748
13:15:59 [SubSeven 2.x] Port 27374 - Connection request by 62.131.102.131:4202
13:16:00 [Socket 3] Port 27374 - Connection request by 62.131.102.131:4202
13:17:25 [SubSeven 2.x] Port 27374 - Connection request by 24.82.121.23:4755
13:17:25 [Socket 3] Port 27374 - Connection request by 24.82.121.23:4755 " }-

???

Pilli
December 30th, 2003, 04:23 PM
Good ol' AOL:

OrgName: America Online
OrgID: AOL
Address: 22000 AOL Way
City: Dulles
StateProv: VA
PostalCode: 20166
Country: US

NetRange: 172.128.0.0 - 172.191.255.255
CIDR: 172.128.0.0/10
NetName: AOL-172BLK
NetHandle: NET-172-128-0-0-1
Parent: NET-172-0-0-0-0
NetType: Direct Allocation
NameServer: DAHA-01.NS.AOL.COM
NameServer: DAHA-02.NS.AOL.COM
NameServer: DAHA-07.NS.AOL.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-03-24
Updated: 2003-08-08

TechHandle: AOL-NOC-ARIN
TechName: America Online, Inc.
TechPhone: +1-703-265-4670
TechEmail: domains@aol.net

OrgAbuseHandle: AOL382-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-265-4670
OrgAbuseEmail: abuse@aol.net

OrgNOCHandle: AOL236-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-703-265-4670
OrgNOCEmail: noc@aol.net

OrgTechHandle: AOL-NOC-ARIN
OrgTechName: America Online, Inc.
OrgTechPhone: +1-703-265-4670
OrgTechEmail: domains@aol.net

# ARIN WHOIS database, last updated 2003-12-29 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

JCC
December 30th, 2003, 04:34 PM
So it is aol itself, and not a customer doing that?

There have been more requests:


-{ Quote: "13:27:35 [SubSeven 2.x] Port 27374 - Connection request by 67.162.51.66:2375
13:27:35 [Socket 3] Port 27374 - Connection request by 67.162.51.66:2375 " }-

Peter2150
December 30th, 2003, 04:48 PM
-{ Quote: "JCC wrote: So it is aol itself, and not a customer doing that?

There have been more requests:" }-

No it is not AOL. With all of AOL's base it is hardly surprising that they have a lot of infected users. I also have been seeing a bunch of these lately, but my firewall (ZA Pro) does stop them, as any good firewall should. Some come from AOL users, I've seen some from Comcast, and just about every other ISP.

If your firewall isn't catching them, that's the first problem to fix.

CrazyM
December 30th, 2003, 04:54 PM
Hi JCC

It is quite normal to see these types of connection attempts from people scanning for vulnerable systems. It does not mean you are infected in any way. It is best to just let your firewall block them.

It is not AOL itself scanning you, but systems connected to their network. As for the rate of the scans, it is not unusual to see this fluctuate.

Regards,

CrazyM

Pilli
December 30th, 2003, 05:15 PM
JCC, sorry about my frivolous reply earlier, I was in a bit of a rush :(
These scans are far too common and as the others have said can be safely ignored.

If you could tie down the exact source (sometimes very difficult) then you could report the offender to their ISP along with a copy of your firewall log.

Steve Gibson of GRC would refer to these scans as "Internet background radiation" :)

Have a good New Year - Pilli
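The two practical points in the replies above, that these port 27374 probes are just scanner noise and that you can only report one if you tie the source to its ISP, can be worked through against the very log lines JCC posted. The script below is an added example for this thread, not a tool from TDS3, GRC or any poster: it parses the TDS3 "Connection request" lines, collapses the doubled "[SubSeven 2.x]" / "[Socket N]" entries into one event per connection, counts connections per source, and attributes each source to a netblock. The only netblock it knows is the AOL range 172.128.0.0/10 copied from the ARIN record Pilli pasted; that table (KNOWN_NETBLOCKS) is an assumed offline stand-in for real WHOIS lookups, and the function and variable names are my own.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample input: the TDS3 lines quoted earlier in this thread.
# TDS writes two lines per connection (signature view and raw "[Socket N]"
# view), and the timestamp on the second line can roll over by a second.
SAMPLE_LOG = """\
12:20:35 [SubSeven 2.x] Port 27374 - Connection request by 172.134.183.228:1300
12:20:35 [Socket 3] Port 27374 - Connection request by 172.134.183.228:1300
13:04:09 [SubSeven 2.x] Port 27374 - Connection request by 68.237.124.245:50748
13:04:09 [Socket 3] Port 27374 - Connection request by 68.237.124.245:50748
13:15:59 [SubSeven 2.x] Port 27374 - Connection request by 62.131.102.131:4202
13:16:00 [Socket 3] Port 27374 - Connection request by 62.131.102.131:4202
13:17:25 [SubSeven 2.x] Port 27374 - Connection request by 24.82.121.23:4755
13:17:25 [Socket 3] Port 27374 - Connection request by 24.82.121.23:4755
13:27:35 [SubSeven 2.x] Port 27374 - Connection request by 67.162.51.66:2375
13:27:35 [Socket 3] Port 27374 - Connection request by 67.162.51.66:2375
"""

# Assumed attribution table (offline stand-in for WHOIS). The one entry is
# taken from the ARIN record quoted in the thread; add rows from your own
# lookups before trusting the "owner" column for anything else.
KNOWN_NETBLOCKS = {
    ip_network("172.128.0.0/10"): ("America Online (AOL-172BLK)", "abuse@aol.net"),
}

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \[(?P<tag>[^\]]+)\] Port (?P<port>\d+) - "
    r"Connection request by (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)$"
)


def parse_log(text):
    """Turn TDS3 'Connection request' lines into event dicts; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append({
            "time": m["time"],
            "tag": m["tag"],
            "port": int(m["port"]),
            "src": ip_address(m["src"]),
            "sport": int(m["sport"]),
        })
    return events


def dedupe(events):
    """Collapse the paired signature/socket lines into one event per connection.
    Key on (source address, source port, local port), not the timestamp, since
    the two lines for one connection can differ by a second."""
    seen, unique = set(), []
    for e in events:
        key = (e["src"], e["sport"], e["port"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def attribute(src):
    """Return (owner, abuse contact) for a source, or a placeholder that tells
    the analyst a WHOIS lookup is still needed."""
    for net, owner in KNOWN_NETBLOCKS.items():
        if src in net:
            return owner
    return ("unknown; run WHOIS on the address", None)


def summarize(text):
    """Per-source summary for deciding whom (if anyone) to report to."""
    events = dedupe(parse_log(text))
    counts = Counter(e["src"] for e in events)
    report = {}
    for src, n in counts.items():
        owner, abuse = attribute(src)
        report[str(src)] = {
            "connections": n,
            "ports": sorted({e["port"] for e in events if e["src"] == src}),
            # A non-global source (RFC 1918, loopback, ...) cannot be reported
            # to anyone and usually means a misread log or a spoofed packet.
            "routable": src.is_global,
            "owner": owner,
            "abuse_contact": abuse,
        }
    return report


def abuse_report_lines(text):
    """Plain-text lines to paste into an abuse e-mail, one per attributed source."""
    lines = []
    for src, info in sorted(summarize(text).items()):
        if info["abuse_contact"] is None or not info["routable"]:
            continue
        lines.append(
            f"{src} -> {info['owner']} ({info['abuse_contact']}): "
            f"{info['connections']} connection attempt(s) to port(s) "
            f"{', '.join(map(str, info['ports']))}"
        )
    return lines
```

Running summarize(SAMPLE_LOG) on the ten quoted lines yields five distinct sources, each with a single connection to port 27374, and abuse_report_lines(SAMPLE_LOG) produces one line, for the AOL address, because that is the only source the table can attribute. Four unattributed sources out of five is the realistic outcome Pilli alludes to: the log alone tells you nothing about who is scanning until you do the WHOIS work per address, and one hit per source per hour is ordinary scanner traffic rather than a targeted attack.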

Jooske
December 31st, 2003, 02:34 AM
Did you, besides tightening your firewall, also set the TDS sockets (upper right corner) to automatic configuration? The port scans that break through the firewall find TDS listening on several ports, so that is another wall for them.

If you had been infected, a full system scan with a fully updated TDS would have shown the alarm.