If I remember correctly, 31337 is the chosen port for sub seven (one of the
versions). For those who are more familiar with sub seven, might this be
some kind of scan from the control side of the software randomly scanning for
infected machines? Just curious..... I know this is a firewalls list and not
a sub seven list, but I'm hoping it's a valid question......

> -----Original Message-----
> From: Dave Horsfall [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, May 31, 2001 9:49 PM
> To: Firewalls List
> Subject: Re: Probe from 255.255.255.255?
>
> Thanks for the responses.
>
> Curious, I went back through my logs (I really must hook up a back-end
> DB some time to look for trends) and found these:
>
> Apr 26 12:48:58 denied tcp 255.255.255.255(31337) -> XXX.75(515), 1 packet
> Apr 26 23:35:41 denied tcp 255.255.255.255(31337) -> XXX.20(515), 1 packet
> Apr 30 07:36:24 denied tcp 255.255.255.255(31337) -> XXX.46(515), 1 packet
> Apr 30 14:46:05 denied tcp 255.255.255.255(31337) -> XXX.182(515), 1 packet
> May 9 02:22:02 denied tcp 255.255.255.255(31337) -> XXX.46(515), 1 packet
> May 12 23:43:25 denied tcp 255.255.255.255(31337) -> XXX.28(515), 1 packet
> May 14 04:10:59 denied tcp 255.255.255.255(31337) -> XXX.200(515), 1 packet
> May 15 01:22:13 denied tcp 255.255.255.255(31337) -> XXX.43(515), 1 packet
> May 16 01:01:33 denied tcp 255.255.255.255(31337) -> XXX.229(515), 1 packet
> May 17 09:18:25 denied tcp 255.255.255.255(31337) -> XXX.58(515), 1 packet
> May 18 00:40:42 denied tcp 255.255.255.255(31337) -> XXX.3(515), 1 packet
> May 18 13:36:13 denied tcp 255.255.255.255(31337) -> XXX.194(515), 1 packet
> May 20 16:01:24 denied tcp 255.255.255.255(31337) -> XXX.162(515), 1 packet
> May 26 11:43:56 denied tcp 255.255.255.255(31337) -> XXX.36(515), 1 packet
> May 28 17:50:33 denied tcp 255.255.255.255(31337) -> XXX.59(515), 1 packet
> May 30 06:07:00 denied tcp 255.255.255.255(31337) -> XXX.32(515), 1 packet
> May 30 07:01:10 denied tcp 255.255.255.255(31337) -> XXX.48(515), 1 packet
> May 31 10:30:10 denied tcp 255.255.255.255(31337) -> XXX.106(515), 1 packet
>
> So our script-kiddie has been at this for a while, eh? Fortunately, I've
> got 515 blocked at the router (default deny, of course) which quietly
> drops the packets anyway.
>
> --
> Dave Horsfall CL VK2KFU [EMAIL PROTECTED] Ph: +61 2 9906 3377 Fx: * 9906 3468
> (Unix Guru) Pacific ESI, Unit 22, 8 Campbell St, Artarmon, NSW 2065, Australia
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]