port 2295/not again

just notice that my firewall has been hit 140 times on port 2295 ONLY...with one exception hit once on port 135

well...are we in for another round

 

Jeepers..I've only been connect for one hour...thats more than 2 hits per second

 

count now 320 hits......snowman is po'ed

 

Snowy friend

Darn evil forces are on their feet nowadays, I wish your puter will be just fine, what is the exact Ip the hits are from ?

^Ari^

 

Can only find it's in the known ports
2295 2295/tcp advant-lm Advant License Manager
2295 2295/udp advant-lm Advant License Manager
But what that is i don't know. Any ideas?

 

under heavy attack...now overclocking..resource low....so many of them.....fighting back..had enough...taking names..kicking @ss

 

Do you run TDS? If not, you might like to grab an eval version and open the Network > TCP Port Listen to see what kinds of packets they send you and it will help against Dossing, but make sure the FW is up and tight.
Maybe it's the same or same kind of worm from this weekend, using just another port now. Are you running an MS SQL server, btw, in case we have to do with the same kind of packets? Just an idea......

 

Hi snowy

From your logs can you determine a source port? Are they all from the same remote IP?

Regards,
CrazyM

 

its over........the ye ole puter is tired....but un-bowed.
nearly everything came from Korea......looked like malformed url....and something relating to ssl......
no.....no servers running.....the source port was 2295 tcp to numerous other tcp ports.....most in the higher range 50000 to 65000........they nearly had the poor ole puter....caught me with most of my security down.....no further attempts are being made at this moment.......this was a very deliberate attack....not of the zombie type....something in-experience users would try...of course this is guessing on my part.....except that experience attackers would have tryed to hide........
I want to clarify that no attacking was done by my person.....a defensive measure was put in place..of which no further mention will be made.
going to relax now...the puter is overheated...

a word of advice to newbes...if ever hit by an attacker immediately SHUT DOWN.............my stubborness was foolish.....very foolish

 

Sorry, do i understand now it was all FROM port 2295 to various different ports on your side?
Any specific ports among those?
Korea you're saying eh? hmmm....

 

Snowy man

You should consider to report that attack to the exact ISP [ http://www.dnsstuff.com ]
I started reporting Spam some time ago and I have to tell I am not sorry at all; 99,9 % less crap Just came 2 of them, I reported for them both. ISP´s has their own ways to make it stop; as well attacks than Spam.

Nice to hear it´s over and you are alright

^Ari^

 

Jooske

"from "tcp port 2295 to verious tcp ports



ARI

under the circumstances such a massive attack could not have gone un-noticed....there was something very odd about this...just can't place it at the moment......my isp"s pipe surely had to be getting flooded....yet no action was taken...

 

Snowman - Don't know whether or not you've ever tried OutPost, but the settings in the screenshot from the "Attack Detection" plug-in can be played with to minimize the effect of the kinds of things you're seeing (I don't see them here). Pete

 

Spy1

my setting prevent the picture from showing....but will take a look at Outpost....
really hit me hard yesterday......spent so time on maint...cleaning...tweaking....and lots of checking/scanning....
Pete I was planning to shut down yesterday...a few more minutes an the computer would have been on its way to storage.....then the attack.......
the sheer numbers were outrageous...if presented with some free time today more research will be done on this...something about has me un-comfortable...
thanks for the suggestion