[linux-help] Re: Port 18593 attacks
To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: Port 18593 attacks
From: bbales <bbales@xxxxxxx>
Date: Mon, 2 Aug 2004 11:42:20 -0500
Reply-to: linux-help@xxxxxxxxx

Unplugging the modem didn't change the IP address.  Cox is trying to change 
it, but the method for doing it is not readily available to them.

The modems have a 12 hour lease time, so the easiest way is to shut it off for
24 hours and you will get a new IP address.  Or find out when your lease is
up and shut it off for 12 hours.  (Mine is up at 5:50 so if they can't reset
it at Cox, I will unplug about 5:30 and leave it overnight.)

They are trying to be very helpful.  I have always had super support from Cox 
except for the "We don't support Linux," bit.
bruce

On Monday 02 August 2004 07:12, you wrote:
> Powering the cable modem off for 2-5 minutes and rebooting may not give
> you a new ip address with cox dhcp server.  Even the tech support staff
> are unable to release & renew your ip address from the cox dhcp server.
> It may have to be released and renewed by a supervisor at cox.  I will
> check on that.  ~Anne
>
> Jonathan Hall wrote:
> > Sounds like a bunch of port scans.  I'm not sure what method there might
> > be to the apparent madness, though.
> >
> > Do you have a static IP address?  If not, do you continue to experience
> > the attacks after your IP changes?  It looks like you use Cox... I would
> > suggest powering off your cable modem for 2-5 minutes, then powering it
> > back on. That should force a new IP address.  Then see if the apparent
> > attacks continue.
> >
> > It may be that someone (or many someones) found your IP address some
> > where (e-mail header, usenet posting, IRC logs... whatever), and whatever
> > mechanism is attacking you (whether it be an individual or, probably more
> > likely, some automated attack brought on by a trojan horse/virus on some
> > unsuspecting person/people's computers) is continuing to attack that
> > address.
> >
> > I had an instance several years ago where one of my IP addresses was
> > being attacked after I had connected to a certain IRC network from that
> > IP address.  A number of IPs then began attacking that IP address for
> > days.  By changing IP addresses, the attacks then fail, and so long as
> > the target IP address is not again visible to the would-be attackers, the
> > attacks can not begin again.
> >
> > -- Jonathan
> >
> >
> > ----- Original Message -----
> > From: "bbales" <bbales@xxxxxxx>
> > To: <linux-help@xxxxxxxxx>
> > Sent: Sunday, August 01, 2004 8:35 PM
> > Subject: [linux-help] Re: Port 18593 attacks
> >
> >>No - In one bunch of 916 hits there were 110 different addresses.  38
> >>were to UDP, the rest to TCP.  Usually hits an address/port combination
> >>two to four times and then switches.  Sometimes switches address and
> >>port in less than a second (two hits with the same time-stamp.)  Most
> >>source ports are four digit, the rest are five digit.
> >>
> >>A sort on source addresses shows several addresses used quite a few
> >>times.
> >>24.161.87.199 used 64 times with 16 different ports, each port used
> >>exactly four times.
> >>24.167.68.48 used 30 times, five different ports, each used exactly six
> >>times.
> >>68.113.250.214  24 times, 8 different ports, each used exactly three
> >>times.
> >>68.47.163.14  26 times, nine different ports, all but one used three
> >>times and one used twice.
> >>144.137.113.30 used 81 times with about 78 different ports.
> >>217.226.110.2 used 106 times with ports used mostly three or four times.
> >>
> >>I'm sure that's more information than anyone wants.
> >>bruce
> >>
> >>On Sunday 01 August 2004 01:12, you wrote:
> >>>I am not aware of any server/software that uses TCP port 18593.  Do the
> >>>attacks appear to be originating from any particular sources?
> >>>
> >>>----- Original Message -----
> >>>From: "bbales" <bbales@xxxxxxx>
> >>>To: <linux-help@xxxxxxxxx>
> >>>Sent: Saturday, July 31, 2004 9:52 PM
> >>>Subject: [linux-help] Port 18593 attacks
> >>>
> >>>>During the past week my Frazier Firewall has been turning away
> >>>>thousands of attempts at port 18593.  Sometimes as many as 245 in one
> >>>>hour.  In the past when I had a large number of hits on one port, I
> >>>>could find something about it from Symantec or some forum on the web.
> >>>>This time no-one is reporting anything about port 18593.
> >>>>
> >>>>It seems to be overwhelming the firewall logging facilities as the
> >>>>daily email only reports the last six or eight hours.
> >>>>
> >>>>Anyone have any clues about this?
> >>>>bruce
> >>>>
> >>>>
> >>>>-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
> >>>>visit http://www.complete.org/cgi-bin/listargate-aclug.cgi

-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
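
The kind of tally described in the quoted message (hits per source address, distinct source ports, how often each port repeats, TCP/UDP split), as an added example that is not part of the original thread. The iptables-style log format and every sample line are constructed assumptions, since the thread does not show the firewall's log format; sample addresses are documentation ranges.

```python
import re
from collections import Counter, defaultdict

def _line(src, proto, spt, dpt=18593):
    # Constructed iptables-LOG-style line (assumed format, not from the thread).
    return (f"Aug  1 20:01:02 fw kernel: IN=eth0 OUT= SRC={src} DST=203.0.113.5 "
            f"LEN=48 PROTO={proto} SPT={spt} DPT={dpt}")

SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", "TCP", 4101)] * 3
    + [_line("192.0.2.10", "TCP", 4102)] * 3
    + [_line("198.51.100.7", "UDP", 30012), _line("198.51.100.7", "TCP", 2044)]
    + [_line("198.51.100.7", "TCP", 2045, dpt=22)]  # other port: must be ignored
)

HIT = re.compile(r"SRC=(\S+) .*?PROTO=(\w+) SPT=(\d+) DPT=(\d+)")

def parse_hits(text, dport=18593):
    """Return (src, proto, sport) for every logged packet aimed at dport."""
    hits = []
    for line in text.splitlines():
        m = HIT.search(line)
        if m and int(m.group(4)) == dport:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

def summarize(hits):
    """Per source: total hits, distinct source ports, repeat pattern per port."""
    per_src = defaultdict(Counter)
    for src, _proto, sport in hits:
        per_src[src][sport] += 1
    return {
        src: {
            "hits": sum(ports.values()),
            "ports": len(ports),
            # {3: 2} means two source ports were each seen exactly three times
            "repeats": dict(Counter(ports.values())),
        }
        for src, ports in per_src.items()
    }

def protocol_split(hits):
    """Count hits per transport protocol."""
    return dict(Counter(proto for _src, proto, _sport in hits))

if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    print(protocol_split(hits))
    for src, row in sorted(summarize(hits).items(), key=lambda kv: -kv[1]["hits"]):
        print(src, row)
```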

