port 2295/not again

Discussion in 'other security issues & news' started by snowy, Jan 27, 2003.

Thread Status:
Not open for further replies.
  1. snowy

    snowy Guest

    Just noticed that my firewall has been hit 140 times on port 2295 ONLY... with one exception, hit once on port 135.

    Well... are we in for another round?
     
  2. snowy

    snowy Guest

    Jeepers... I've only been connected for one hour... that's more than 2 hits per second.
     
  3. snowy

    snowy Guest

    Count now 320 hits... snowman is po'ed.
     
  4. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Snowy friend

    Darn evil forces are on their feet nowadays. I hope your puter will be just fine. What is the exact IP the hits are from? :mad:

    ^Ari^
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Can only find that it's in the known ports list:
    2295/tcp advant-lm Advant License Manager
    2295/udp advant-lm Advant License Manager
    But what that is, I don't know. Any ideas?
     
  6. snowy

    snowy Guest

    Under heavy attack... now overclocking... resources low... so many of them... fighting back... had enough... taking names... kicking @ss.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Do you run TDS? If not, you might like to grab an eval version and open Network > TCP Port Listen to see what kinds of packets they send you; it will help against DoSing, but make sure the FW is up and tight.
    Maybe it's the same worm, or the same kind of worm, as this weekend, just using another port now. Are you running an MS SQL server, btw, in case we're dealing with the same kind of packets? Just an idea...
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi snowy

    From your logs can you determine a source port? Are they all from the same remote IP?

    Regards,
    CrazyM
     
  9. snowy

    snowy Guest

    It's over... the ye ole puter is tired... but unbowed.
    Nearly everything came from Korea... looked like malformed URLs... and something relating to SSL...
    No... no servers running... the source port was 2295 TCP to numerous other TCP ports... most in the higher range 50000 to 65000... they nearly had the poor ole puter... caught me with most of my security down... no further attempts are being made at this moment... this was a very deliberate attack... not of the zombie type... something inexperienced users would try... of course this is guessing on my part... except that experienced attackers would have tried to hide...
    I want to clarify that no attacking was done by my person... a defensive measure was put in place... of which no further mention will be made.
    Going to relax now... the puter is overheated...

    A word of advice to newbies... if ever hit by an attacker, immediately SHUT DOWN... my stubbornness was foolish... very foolish.
     
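As an added example, not from the thread or any of its posters, the triage below answers CrazyM's two questions (which source port, and whether it is all one remote IP) over a few constructed firewall log lines in a hypothetical `<timestamp> <action> <proto> <src ip>:<src port> -> <dst ip>:<dst port>` format, and names the pattern snowy reports: one remote host using a fixed source port (2295/tcp) against many high-numbered destination ports. The addresses, timestamps and log layout are made up for the example. One caveat the pattern makes obvious: when 2295 is the remote side's *source* port, the services-file name for it (advant-lm) tells you nothing, since no service on your machine is involved. It also assembles the lines an ISP abuse desk needs, which is a reason to save the firewall log before rebooting or reinstalling.

```python
"""Triage of personal-firewall log lines: who is hitting us, from which source
port, to which destination ports, how fast, and what to put in an abuse report."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (NOT from the thread), hypothetical format:
#   <timestamp> <action> <proto> <src ip>:<src port> -> <dst ip>:<dst port>
# Eight hits from one host, fixed source port 2295/tcp, scattered high
# destination ports, plus one unrelated probe of 135/tcp from another host.
SAMPLE_LOG = """\
2003-01-27 20:01:00 BLOCK TCP 203.0.113.7:2295 -> 192.0.2.10:50012
2003-01-27 20:01:00 BLOCK TCP 203.0.113.7:2295 -> 192.0.2.10:51877
2003-01-27 20:01:01 BLOCK TCP 203.0.113.7:2295 -> 192.0.2.10:63301
2003-01-27 20:01:01 BLOCK TCP 203.0.113.7:2295 -> 192.0.2.10:58840
2003-01-27 20:01:02 BLOCK TCP 203.0.113.7:2295 -> 192.0.2.10:60117
2003-01-27 20:01:03 BLOCK TCP 203.0.113.7:2295 -> 192.0.2.10:64999
2003-01-27 20:01:03 BLOCK TCP 203.0.113.7:2295 -> 192.0.2.10:55555
2003-01-27 20:01:04 BLOCK TCP 203.0.113.7:2295 -> 192.0.2.10:52020
2003-01-27 20:01:05 BLOCK TCP 198.51.100.44:1032 -> 192.0.2.10:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """One log line -> dict, or None for anything that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e


def summarize(log_text):
    """Same remote IP? Which source port? Which destination ports? How fast?"""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    if not events:
        return {"total": 0}
    dports_per_src = defaultdict(set)
    for e in events:
        dports_per_src[e["src"]].add(e["dport"])
    first, last = min(e["ts"] for e in events), max(e["ts"] for e in events)
    span = max((last - first).total_seconds(), 1.0)  # a sub-second burst counts as 1 s
    return {
        "total": len(events),
        "first": first,
        "last": last,
        "by_src": Counter(e["src"] for e in events),
        "by_sport": Counter((e["proto"], e["sport"]) for e in events),
        "dports_per_src": {src: sorted(p) for src, p in dports_per_src.items()},
        "rate_per_s": len(events) / span,
    }


def classify(summary, min_ports=5):
    """Name the dominant pattern in plain words."""
    if summary["total"] == 0:
        return "no events"
    total = summary["total"]
    top_src, n_src = summary["by_src"].most_common(1)[0]
    (proto, sport), n_sport = summary["by_sport"].most_common(1)[0]
    dports = summary["dports_per_src"][top_src]
    # One host, one source port, many destination ports: a sweep from a single
    # machine. The services-file name for that port is irrelevant here because
    # it is the remote side's source port, not a service listening on our side.
    if n_src / total >= 0.8 and n_sport / total >= 0.8 and len(dports) >= min_ports:
        return (f"single-source sweep: {top_src} from {proto}/{sport} to "
                f"{len(dports)} ports ({dports[0]}-{dports[-1]})")
    # Many hosts all aiming at one port: a worm or mass scan for one service,
    # which calls for a per-port rule rather than blocking addresses one by one.
    all_dports = {d for ps in summary["dports_per_src"].values() for d in ps}
    if len(summary["by_src"]) >= min_ports and len(all_dports) == 1:
        return f"many sources to one port: {all_dports.pop()} (worm or mass scan)"
    return "mixed traffic: split the log per source address and look again"


def abuse_report(summary):
    """What an ISP abuse desk needs: IP, time window (say which time zone), count, pattern."""
    if summary["total"] == 0:
        return []
    top_src, n = summary["by_src"].most_common(1)[0]
    window = f"{summary['first']:%Y-%m-%d %H:%M:%S} to {summary['last']:%Y-%m-%d %H:%M:%S}"
    return [
        f"Source IP: {top_src}",
        f"Window: {window} (log's local time)",
        f"Blocked connections from this IP: {n} of {summary['total']} total",
        f"Pattern: {classify(summary)}",
    ]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} hits, {s['rate_per_s']:.1f}/s; {classify(s)}")
    print("\n".join(abuse_report(s)))
```

The 0.8 share and five-port thresholds are arbitrary knobs for the example; on a real log, drop the log into `SAMPLE_LOG`'s place (adjusting `LINE_RE` to the firewall's own format) and read the per-source destination-port lists before trusting the one-line verdict.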
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sorry, do I understand now that it was all FROM port 2295 to various different ports on your side?
    Any specific ports among those?
    Korea, you're saying, eh? Hmmm...
     
  11. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Snowy man

    You should consider reporting that attack to the exact ISP [ http://www.dnsstuff.com ]
    I started reporting spam some time ago and I have to tell you I am not sorry at all; 99.9% less crap ;) Just 2 of them came, and I reported them both. ISPs have their own ways to make it stop, for attacks as well as spam.

    Nice to hear it's over and you are alright.

    ^Ari^
     
  12. snowy

    snowy Guest

    Jooske

    "From" TCP port 2295 to various TCP ports.

    ARI

    Under the circumstances such a massive attack could not have gone unnoticed... there was something very odd about this... just can't place it at the moment... my ISP's pipe surely had to be getting flooded... yet no action was taken...
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Snowman - Don't know whether or not you've ever tried Outpost, but the settings in the screenshot from the "Attack Detection" plug-in can be played with to minimize the effect of the kinds of things you're seeing (I don't see them here). Pete
     
  14. snowy

    snowy Guest

    Spy1

    My settings prevent the picture from showing... but I will take a look at Outpost...
    Really hit me hard yesterday... spent some time on maintenance... cleaning... tweaking... and lots of checking/scanning...
    Pete, I was planning to shut down yesterday... a few more minutes and the computer would have been on its way to storage... then the attack...
    The sheer numbers were outrageous... if presented with some free time today more research will be done on this... something about it has me uncomfortable...
    Thanks for the suggestion.
     