Many hits on 6129


Jooske
January 25th, 2004, 04:15 AM
Noticing at the moment many hits on TCP 6129, originating from port 220 from many different sources.
It could be a remote DameWare problem; others say maybe the new sub7.3.
Not sure yet. Any information available?
See also this discussion at DSLR forums.
http://www.dslreports.com/forum/remark,8858122~mode=flat

bigc73542
January 25th, 2004, 08:24 PM
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2004-01/0024.html

These are some of the IPs the probe is coming from.
Several of the sites I visited seem to think it is a bot.
These are results, since last Sunday,
the IPs originating the probe:



http://archives.neohapsis.com/archives/fulldisclosure/2004-01/0017.html

CrazyM
January 25th, 2004, 11:01 PM
-{ Quote: "Jooske: Noticing at the moment many hits on TCP 6129, ..." }-

Definitely on the rise and currently one of the top ports being scanned (InternetStormCenter (http://isc.incidents.org/)). Not seeing a whole lot myself, compared to others.

-{ Quote: "... originating from port 220 from many different sources." }-

I notice about 30% of the entries in my logs have the source port 220 as well.
I find that interesting, in that this is a service port (imap3). I don't usually see service ports as the source port in scans (one exception being NetBIOS scans). Will have to wait and see how it plays out.

Regards,

CrazyM

Peaches4U
January 25th, 2004, 11:27 PM
Give a look at this website which may give you some insight ....

http://www.simovits.com/nyheter9902.html

LowWaterMark
January 25th, 2004, 11:36 PM
Hmm, I have several here myself (220/tcp > 6129/tcp). Interestingly enough, I'm on a new dynamic address range today following my last reboot. My ISP has a new block of IP addresses in the newer (69.0.*.*) ranges, and I hit a new class C today not used here before. Usually that means you have little chance of inheriting odd traffic (when you pick up the new IP) since few people have used the address before. But in this case, I'm seeing these, too.
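
The per-source hit counts and the share of probes using source port 220 discussed in the posts above can be pulled from a firewall log with a short script. This is an added example, not part of the original thread: it assumes iptables-style KEY=value log lines, and the sample lines, addresses (documentation ranges) and the `summarize` function are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in an iptables-style KEY=value layout (an assumption;
# adapt FIELD_RE to your own firewall). Addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 25 04:15:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 25 04:15:09 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 25 04:16:40 fw kernel: IN=eth0 SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP SPT=3412 DPT=6129 SYN
Jan 25 04:17:02 fw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 25 04:18:30 fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=4001 DPT=135 SYN
Jan 25 04:19:11 fw kernel: IN=eth0 SRC=203.0.113.80 DST=198.51.100.5 PROTO=UDP SPT=220 DPT=6129
this line is truncated SRC=192.0.2.1
"""

FIELD_RE = re.compile(r"\b(SRC|PROTO|SPT|DPT)=(\S+)")
REQUIRED = {"SRC", "PROTO", "SPT", "DPT"}


def summarize(log_text, dport=6129, proto="TCP"):
    """Count probes to dport per source IP and per source port."""
    per_source, per_sport = Counter(), Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        # Skip truncated or malformed lines instead of guessing at fields.
        if not REQUIRED <= fields.keys():
            continue
        if not (fields["SPT"].isdigit() and fields["DPT"].isdigit()):
            continue
        if fields["PROTO"] != proto or int(fields["DPT"]) != dport:
            continue
        per_source[fields["SRC"]] += 1
        per_sport[int(fields["SPT"])] += 1
    total = sum(per_source.values())
    # Source ports below 1024 are service ports; ordinary clients pick
    # ephemeral ports, so a repeated low source port suggests one tool.
    low_share = {p: n / total for p, n in per_sport.items() if p < 1024}
    return {"total": total, "sources": per_source, "low_sport_share": low_share}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("probes to 6129/tcp:", result["total"])
    for ip, hits in result["sources"].most_common():
        print(f"{hits:4d} {ip}")
    for port, share in result["low_sport_share"].items():
        print(f"source port {port}: {share:.0%} of probes")
```
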