[linux-help] Re: Port 18593 attacks

To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: Port 18593 attacks
From: "Jonathan Hall" <flimzy@xxxxxxxxxx>
Date: Mon, 2 Aug 2004 13:57:56 -0500
Reply-to: linux-help@xxxxxxxxx

That's because there is no way to release an IP address without direct access
to the DHCP server, and to give that to all tech support would be a security
violation without purpose.

However, powering off the modem will (typically) do this.  It is also
possible for the client to explicitly release the IP address.  Depending on
your modem's version and features, it may be possible to do this without
rebooting.

-- Jonathan


----- Original Message -----
From: "ironrose" <ironrose@xxxxxxx>
To: <linux-help@xxxxxxxxx>
Sent: Monday, August 02, 2004 7:12 AM
Subject: [linux-help] Re: Port 18593 attacks


> Powering the cable modem off for 2-5 minutes and rebooting may not give
> you a new ip address with cox dhcp server.  Even the tech support staff
> are unable to release & renew your ip address from the cox dhcp server.
>   It may have to be released and renewed by a supervisor at cox.  I will
> check on that.  ~Anne
>
> Jonathan Hall wrote:
> > Sounds like a bunch of port scans.  I'm not sure what method there might be
> > to the apparent madness, though.
> >
> > Do you have a static IP address?  If not, do you continue to experience the
> > attacks after your IP changes?  It looks like you use Cox... I would suggest
> > powering off your cable modem for 2-5 minutes, then powering it back on.
> > That should force a new IP address.  Then see if the apparent attacks
> > continue.
> >
> > It may be that someone (or many someones) found your IP address somewhere
> > (e-mail header, usenet posting, IRC logs... whatever), and whatever
> > mechanism is attacking you (whether it be an individual or, probably more
> > likely, some automated attack brought on by a trojan horse/virus on some
> > unsuspecting person/people's computers) is continuing to attack that
> > address.
> >
> > I had an instance several years ago where one of my IP addresses was being
> > attacked after I had connected to a certain IRC network from that IP
> > address.  A number of IPs then began attacking that IP address for days.  By
> > changing IP addresses, the attacks then fail, and so long as the target IP
> > address is not again visible to the would-be attackers, the attacks cannot
> > begin again.
> >
> > -- Jonathan
> >
> >
> > ----- Original Message -----
> > From: "bbales" <bbales@xxxxxxx>
> > To: <linux-help@xxxxxxxxx>
> > Sent: Sunday, August 01, 2004 8:35 PM
> > Subject: [linux-help] Re: Port 18593 attacks
> >
> >
> >
> >>No - In one bunch of 916 hits there were 110 different addresses.  38 were to
> >>UDP, the rest to TCP.  Usually hits an address/port combination two to four
> >>times and then switches.  Sometimes switches address and port in less than a
> >>second (two hits with the same time-stamp.)  Most source ports are four
> >>digit, the rest are five digit.
> >>
> >>A sort on source addresses shows several addresses used quite a few times.
> >>24.161.87.199 used 64 times with 16 different ports, each port used exactly
> >>four times.
> >>24.167.68.48 used 30 times, five different ports, each used exactly six times.
> >>68.113.250.214  24 times, 8 different ports, each used exactly three times.
> >>68.47.163.14  26 times, nine different ports, all but one used three times and
> >>one used twice.
> >>144.137.113.30 used 81 times with about 78 different ports.
> >>217.226.110.2 used 106 times with ports used mostly three or four times.
> >>
> >>I'm sure that's more information than anyone wants.
> >>bruce
> >>
> >>
> >>On Sunday 01 August 2004 01:12, you wrote:
> >>
> >>>I am not aware of any server/software that uses TCP port 18593.  Do the
> >>>attacks appear to be originating from any particular sources?
> >>>
> >>>----- Original Message -----
> >>>From: "bbales" <bbales@xxxxxxx>
> >>>To: <linux-help@xxxxxxxxx>
> >>>Sent: Saturday, July 31, 2004 9:52 PM
> >>>Subject: [linux-help] Port 18593 attacks
> >>>
> >>>
> >>>>During the past week my Frazier Firewall has been turning away thousands of
> >>>>attempts at port 18593.  Sometimes as many as 245 in one hour.  In the past
> >>>>when I had a large number of hits on one port, I could find something about
> >>>>it from Symantec or some forum on the web.  This time no-one is reporting
> >>>>anything about port 18593.
> >>>>
> >>>>It seems to be overwhelming the firewall logging facilities as the daily email
> >>>>only reports the last six or eight hours.
> >>>>
> >>>>Anyone have any clues about this?
> >>>>bruce
> >>>>
> >>>>
> >>>>-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
> >>>>visit http://www.complete.org/cgi-bin/listargate-aclug.cgi

-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
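
Added example (not part of the original thread): one way to produce the per-source tally described in the quoted log analysis, that is, hits per source address, distinct source ports, and how many ports were hit how many times. The iptables-style log format, the field names and the sample addresses are assumptions constructed for illustration; the thread does not show the firewall's actual log format.

```python
import re
from collections import Counter, defaultdict

# Assumed iptables-LOG-style fields; the thread does not show the real format.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def _line(src, proto, spt, dpt=18593):
    """Build one constructed log line (sample data, not from the thread)."""
    return (f"Aug  1 20:00:00 fw kernel: DROP IN=eth0 SRC={src} "
            f"DST=203.0.113.5 PROTO={proto} SPT={spt} DPT={dpt}")

# Constructed sample using documentation-range addresses.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", "TCP", p) for p in (4021, 4022, 4023) for _ in range(4)]
    + [_line("198.51.100.7", "TCP", p) for p in (1501, 1502) for _ in range(3)]
    + [_line("198.51.100.7", "UDP", 20555)]
    + [_line("192.0.2.10", "TCP", 4021, dpt=22)]   # other port: ignored
    + ["Aug  1 20:00:01 fw kernel: unrelated message"]
)

def summarize(log_text, dport=18593):
    """Tally dropped packets aimed at `dport`, grouped by source address."""
    per_src = defaultdict(Counter)      # src -> {source port: hits}
    protocols = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) != dport:
            continue                    # unparseable line or another port
        per_src[m["src"]][int(m["spt"])] += 1
        protocols[m["proto"]] += 1
    rows = [{
        "src": src,
        "hits": sum(ports.values()),
        "distinct_sports": len(ports),
        # (hits, number of source ports seen exactly that many times)
        "hits_per_port": sorted(Counter(ports.values()).items()),
    } for src, ports in per_src.items()]
    rows.sort(key=lambda r: (-r["hits"], r["src"]))
    return {"total": sum(protocols.values()), "sources": len(rows),
            "protocols": dict(protocols), "by_source": rows}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["total"], "hits from", report["sources"], "sources", report["protocols"])
    for r in report["by_source"]:
        print(r["src"], r["hits"], r["distinct_sports"], r["hits_per_port"])
```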

