ZA: A lot of attacks at port 137

Discussion in 'other firewalls' started by maes, Jul 16, 2003.

Thread Status:
Not open for further replies.
  1. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    hi thehulky1, and welcome

    I don't know if I understand you correctly, but if I look at the origin of all those IPs, they come from all over the world, and I'm sure my ISP isn't THAT big :D
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Don't know how it is with you guys, but at the moment I have more port 17300 scans than ever, from everywhere in the world, some 500 today already.
    17300 is the default for the RAT Kuang2 The Virus.
    Had them every day, around 10/day, but never this many!
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    I'm getting more 17300's than usual, too, but not that many. I'll tell you this: the new upsurge in TCP port 135 (based on the new RPC exploits, I imagine) is the most frequent thing I'm seeing since yesterday.
     
  4. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Are those packets UDP or TCP?
    Dolf
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    The upsurge I'm seeing is in TCP port 135 connection attempts. This is where Microsoft's DCOM RPC interface is accessed, and where the recently discovered vulnerabilities are located. See this CERT Advisory:

    http://www.cert.org/advisories/CA-2003-19.html
     
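The posts above judge a surge by eye ("around 10/day, some 500 today"). As an added example, not code from the thread or from ZoneAlarm, here is a small Python script that does the same over a personal-firewall log: it counts blocked inbound hits per protocol/port per day, flags ports whose count on a given day is far above the other days, and reports how many distinct sources were behind it (a worm or distributed scan, like the 135 and 17300 traffic described here, shows many sources; a single scanner shows one). The log layout is an assumption (a ZoneAlarm-style CSV line of `FWIN,<date>,<time>,<src>:<port>,<dst>:<port>,<proto>`), and the sample log is constructed, not captured traffic.

```python
"""Per-port daily hit counts and surge detection over a personal-firewall log.

Added example for this thread, not code from the original post or from
ZoneAlarm.  The line layout is an assumption:
  FWIN,<date>,<time>,<src ip>:<port>,<dst ip>:<port>,<proto>[ (flags:...)]
and the sample log produced by build_sample_log() is constructed.
"""
from collections import defaultdict
import re

LINE_RE = re.compile(
    r"^(?P<kind>FW\w+),(?P<date>\d{4}/\d{2}/\d{2}),(?P<time>[^,]+),"
    r"(?P<src>[^:,]+):(?P<sport>\d+),(?P<dst>[^:,]+):(?P<dport>\d+),"
    r"(?P<proto>TCP|UDP)"
)


def parse_log(text):
    """Return (date, proto, dst_port, src_ip) for every line in the assumed
    layout; lines that do not match are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["date"], m["proto"], int(m["dport"]), m["src"]))
    return events


def hits_per_day(events):
    """Map (proto, port) -> {date: count}."""
    counts = defaultdict(lambda: defaultdict(int))
    for date, proto, port, _src in events:
        counts[(proto, port)][date] += 1
    return counts


def find_surges(counts, today, factor=5.0, min_hits=20):
    """Flag (proto, port) pairs whose count on `today` is at least `factor`
    times the mean of the other days and at least `min_hits`.  Both knobs are
    arbitrary; the min_hits floor stops a port going from 1 to 6 hits from
    being reported.  Returns {(proto, port): (today_count, baseline)}."""
    surges = {}
    for key, per_day in counts.items():
        today_n = per_day.get(today, 0)
        other = [n for d, n in per_day.items() if d != today]
        baseline = sum(other) / len(other) if other else 0.0
        if today_n >= min_hits and today_n >= factor * max(baseline, 1.0):
            surges[key] = (today_n, baseline)
    return surges


def distinct_sources(events, proto, port, date):
    """Number of different source IPs that hit proto/port on `date`."""
    return len({src for d, p, dp, src in events
                if (d, p, dp) == (date, proto, port)})


def build_sample_log():
    """Constructed sample log (not real traffic): a steady trickle of NetBIOS
    name-service probes on UDP 137, a small background of TCP 17300 scans, and
    on 2003/07/16 a jump on TCP 17300 and TCP 135.  Sources come from the
    203.0.113.0/24 documentation range."""
    plan = {
        "2003/07/14": {("UDP", 137): 40, ("TCP", 17300): 10, ("TCP", 135): 2},
        "2003/07/15": {("UDP", 137): 42, ("TCP", 17300): 11, ("TCP", 135): 3},
        "2003/07/16": {("UDP", 137): 41, ("TCP", 17300): 120, ("TCP", 135): 35},
    }
    lines, n = [], 0
    for date, ports in plan.items():
        for (proto, port), count in ports.items():
            for _ in range(count):
                n += 1
                src = f"203.0.113.{n % 254 + 1}"
                hh, mm = divmod(n % 1440, 60)
                proto_field = "TCP (flags:S)" if proto == "TCP" else "UDP"
                lines.append(f"FWIN,{date},{hh:02d}:{mm:02d}:00 +2:00 GMT,"
                             f"{src}:{1024 + n % 60000},198.51.100.9:{port},"
                             f"{proto_field}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    today = "2003/07/16"
    surges = find_surges(hits_per_day(events), today)
    for (proto, port), (n, base) in sorted(surges.items()):
        print(f"{today} {proto}/{port}: {n} hits (baseline {base:.1f}/day), "
              f"{distinct_sources(events, proto, port, today)} distinct sources")
```

On the constructed log this reports TCP/135 and TCP/17300 for 2003/07/16 and leaves UDP/137 alone, which is the shape of the traffic the thread describes: the NetBIOS noise is constant and the interesting signal is the step change on a port. Point `parse_log` at your own export and adjust `LINE_RE` to its layout.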
  6. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I'm at around 900 now for 17300 scans today. Is this really the one I wrote above, or are there more using that port today? Lots from Asia.
    I'll put my TDS TCP Port Listen on that port to see what happens.....
     
  8. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Jooske,

    I haven't heard of anything new using 17300 but I have noted previous surges for Kuang2 so it is probably just another surge.

    Dan
     
  9. Grendel

    Grendel Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    18
    I noticed a 17300 spike on July 26 and a lesser spike July 30. Mostly Asia. But July 26 was the biggest, and that was 12 in all. Geez...nobody wants to go after my 17300 :) :) :).
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    None for mine either since around 2 this morning; I even opened the gates and have TDS > Network > TCP Port Listen wide open for them, acting as a server. Last night I had replies every few seconds, now nothing in several minutes, so they are no longer interested!
    Or asleep.
    The scans came really from everywhere in the world; I did not see a specific pattern, although many were from Asiatic countries.
    On Packetstorm it showed a nice peak as well, and there too only the Kuang2 virus was mentioned, so not sure what this amount yesterday was. Over 1100 yesterday and some 100 after midnight; now it's all silent and it's just the regular many 137 again.
     
  11. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    When you open the ports, there will be no log, because you don't block them.

    Or am I missing something o_O
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    TCP Port Listen you can give server rights, so it acts as a server (emulated of course), and IPs trying to connect you see displayed in that window.
    Last night I caught several every few seconds.
    When you keep silent you just see them connect and close, but if you react in any way in that window you get a reply from them, a data packet. Still innocent, as you're not really infected, so it can't do anything. But to make sure, it's best to close the connection anyway after that.
    Of course I tried reacting to them a few times and got different filenames which are not on my system each time, so the connections were dropped anyway.
    In the fw log there is nothing, except for my own backtraces where I took that trouble.

    Since 2 this morning (so 12 hours now) still none on that port, even when I open the listening function, and deep scanning doesn't show me being infected, so maybe the ISP closed that port out.
     
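Jooske's TDS "TCP Port Listen" trick above, stated in code as an added example: a minimal Python stand-in that binds the port the scanners are hitting, records who connects and the first bytes they send, and closes without ever answering, so a scanner only sees a handshake and a close. This is not TDS's own code (how TDS implements its listener is not described in the thread), the port 17300 default and the probe payload are assumptions, and the client helper `probe` stands in for a scanner so the whole thing can be exercised on one machine. Run it only on a host you own, and keep the port closed upstream when you are done.

```python
"""Stand-in for a 'TCP Port Listen' style emulated server.

Added example for this thread; not TDS's own code.  Assumptions: port 17300
as the default (the Kuang2 port discussed above), and that staying silent
after accept is the behaviour wanted.  The listener never writes to the peer.
"""
import socket
import threading
from datetime import datetime, timezone


def start_listener(port=17300, host="0.0.0.0", max_conns=None,
                   accept_timeout=5.0, read_timeout=1.0):
    """Accept connections on host:port in a background thread and append one
    record per connection to the returned list.  Returns
    (thread, records, bound_port, stop_event).  With port=0 the OS picks a
    free port and bound_port reports it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    srv.settimeout(accept_timeout)      # wake up periodically to check stop/max_conns
    bound_port = srv.getsockname()[1]
    records = []
    stop = threading.Event()

    def serve():
        try:
            while not stop.is_set():
                if max_conns is not None and len(records) >= max_conns:
                    break
                try:
                    conn, (peer_ip, peer_port) = srv.accept()
                except socket.timeout:
                    continue
                with conn:
                    conn.settimeout(read_timeout)
                    try:
                        first = conn.recv(256)   # whatever the scanner sends first, if anything
                    except (socket.timeout, OSError):
                        first = b""
                # socket is closed here without a single byte sent back
                records.append({
                    "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                    "peer_ip": peer_ip,
                    "peer_port": peer_port,
                    "data": first,
                })
        finally:
            srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return t, records, bound_port, stop


def probe(host, port, payload=b"", timeout=5.0):
    """Client side, standing in for a scanner: connect, send payload, close.
    Returns True if the TCP connection was accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as c:
            if payload:
                c.sendall(payload)
        return True
    except OSError:
        return False


def sources_by_count(records):
    """Tally connection attempts per source IP, most frequent first."""
    tally = {}
    for r in records:
        tally[r["peer_ip"]] = tally.get(r["peer_ip"], 0) + 1
    return sorted(tally.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    thread, records, port, stop = start_listener()
    print(f"listening on {port}; Ctrl-C to stop")
    seen = 0
    try:
        while True:
            thread.join(1.0)
            for r in records[seen:]:
                print(r["time"], r["peer_ip"], r["peer_port"], r["data"].hex())
            seen = len(records)
    except KeyboardInterrupt:
        stop.set()
```

The records give you what the firewall log cannot once you have opened the port (DolfTraanberg's point above): the source address, the time, and the first bytes, which is enough to tell an HTTP proxy scanner from a trojan client. Because the listener never responds, nothing you see in `data` was elicited by you, and there is no reply to worry about dropping.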