Complete.Org: Mailing Lists: Archives: linux-help: August 2004:
[linux-help] Re: Port 18593 attacks
Home

[linux-help] Re: Port 18593 attacks

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]
To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: Port 18593 attacks
From: ironrose <ironrose@xxxxxxx>
Date: Mon, 02 Aug 2004 18:48:18 -0500
Reply-to: linux-help@xxxxxxxxx

I talked with Sandy, the lady in charge of Cox security and she 
confirmed what you have found out, that the cable modem needs to be shut 
off for 24 hours or you can shutdown the main computer and on a second 
computer connect to the internet.  Sometimes this process with give you 
a different ip address.  She has had the same ip address for about 2 
years.

Sandy asked if you were able to determine who is port scanning you or 
what isp they are using.  If it is one of cox's customers, then she 
needs to find out and cox will go after them, suspending their service 
or prosecution.  If it is someone who is with another internet service 
provider, then she can forward your log files and that isp so that they 
can deal with the deviant customer.  If you want to send her your log 
files, then COPY & PASTE the logs (not forward them) into an email and 
send them to abuse@xxxxxxx.  Apparently asking people to be nice on the 
internet doesn't work, going after them legally (if enough evidence can 
be gathered and presented in court) is going to be the only way to stop 
the deviant computer users.  ~Anne

bbales wrote:
> Unplugging the modem didn't change the IP address.  Cox is trying to change 
> it, but the method for doing it is not readily available to them.
> 
> The modems have a 12 hour lease time, so the easiest way is to shut it off 
> for  
> 24 hours and you will get a new IP address.  Or find out when your lease is 
> up and shut it off for 12 hours.  (Mine is up at 5:50 so if they can't reset 
> it at Cox, I will unplug about 5:30 and leave it over night.)
> 
> They are trying to be very helpful.  I have always had super support from Cox 
> except for the "We don't support Linux," bit.
> bruce
> 
> On Monday 02 August 2004 07:12, you wrote:
> 
>>Powering the cable modem off for 2-5 minutes and rebooting may not give
>>you a new ip address with cox dhcp server.  Even the tech support staff
>>are unable to release & renew your ip address from the cox dhcp server.
>>  It may have to be released and renewed by a supervisor at cox.  I will
>>check on that.  ~Anne
>>
>>Jonathan Hall wrote:
>>
>>>Sounds like a bunch of port scans.  I'm not sure what method there might
>>>be to the apparant madness, though.
>>>
>>>Do you have a static IP address?  If not, do you continue to experience
>>>the attacks after your IP changes?  It looks like you use Cox... I would
>>>suggest powering off you cable modem for 2-5 minutes, then powering it
>>>back on. That should force a new IP address.  Then see if the apparant
>>>attacks continue.
>>>
>>>It may be that someone (or many someones) found your IP address some
>>>where (e-mail header, usenet posting, IRC logs... whatever), and whatever
>>>mechanism is attacking you (whether it be an individual or, probably more
>>>likely, some automated attack brought on by a trojan horse/virus on some
>>>unsuspecting person/people's computers) is continuing to attack that
>>>address.
>>>
>>>I had an instance several years ago where one of my IP addresses was
>>>being attacked after I had connected to a certian IRC network from that
>>>IP address.  A number of IPs then began attacking that IP address for
>>>days.  By changing IP addresses, the attacks then fail, and so long as
>>>the target IP address is not again visible to the would-be attackers, the
>>>attacks can not begin again.
>>>
>>>-- Jonathan
>>>
>>>
>>>----- Original Message -----
>>>From: "bbales" <bbales@xxxxxxx>
>>>To: <linux-help@xxxxxxxxx>
>>>Sent: Sunday, August 01, 2004 8:35 PM
>>>Subject: [linux-help] Re: Port 18593 attacks
>>>
>>>
>>>>No - In one bunch of 916 hits there were 110 different addresses.  38
>>>>were
>>>
>>>to
>>>
>>>
>>>>UDP, the rest to TCP.  Usually hits an address/port combination two to
>>>
>>>four
>>>
>>>
>>>>times and then switches.  Sometimes switches address and port in less
>>>>than
>>>
>>>a
>>>
>>>
>>>>second (two hits with the same time-stamp.)  Most source ports are four
>>>>digit, the rest are five digit.
>>>>
>>>>A sort on source addresses shows several addresses used quite a few
>>>>times. 24.161.87.199 used 64 times with 16 different ports, each port
>>>>used
>>>
>>>exactly
>>>
>>>
>>>>four times.
>>>>24.167.68.48 used 30 times, five different ports, each used exactly six
>>>
>>>times.
>>>
>>>
>>>>68.113.250.214  24 times, 8 different ports, each used exactly three
>>>
>>>times.
>>>
>>>
>>>>68.47.163.14  26 times, nine different ports, all but one used three
>>>>times
>>>
>>>and
>>>
>>>
>>>>on used twice.
>>>>144.137.113.30 used 81 times with about 78 different ports.
>>>>217.226.110.2 used 106 times with ports used mostly three or four times.
>>>>
>>>>I'm sure that's more information than anyone wants.
>>>>bruce
>>>>
>>>>On Sunday 01 August 2004 01:12, you wrote:
>>>>
>>>>>I am not aware of any server/software that uses TCP port 18593.  Do the
>>>>>attacks appear to be originating from any particular sources?
>>>>>
>>>>>----- Original Message -----
>>>>>From: "bbales" <bbales@xxxxxxx>
>>>>>To: <linux-help@xxxxxxxxx>
>>>>>Sent: Saturday, July 31, 2004 9:52 PM
>>>>>Subject: [linux-help] Port 18593 attacks
>>>>>
>>>>>
>>>>>>During the past week my Frazier Firewall has been turning away
>>>
>>>thousands
>>>
>>>
>>>>>of
>>>>>
>>>>>
>>>>>>attempts at port 18593.  Some times as many as 245 in one hour.  In
>>>
>>>the
>>>
>>>
>>>>>past
>>>>>
>>>>>
>>>>>>when I had a large number of hits on one port, I could find something
>>>>>
>>>>>about
>>>>>
>>>>>
>>>>>>it from Symantec or some forum on the web.  This time no-one is
>>>
>>>reporting
>>>
>>>
>>>>>>anything about port 18593.
>>>>>>
>>>>>>It seems to be overwhelming the firewall logging facilities as the
>>>
>>>daily
>>>
>>>
>>>>>email
>>>>>
>>>>>
>>>>>>only reports the last six or eight hours.
>>>>>>
>>>>>>Anyone have any clues about this?
>>>>>>bruce
>>>>>>
>>>>>>
>>>>>>-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
>>>>>>visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
>>>>>
>>>>>-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
>>>>>visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
>>>>
>>>>-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
>>>>visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
>>>
>>>-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
>>>visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
>>
>>-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
>>visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
> 
> 
> -- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
> visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
> 
> 
-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi


[Prev in Thread] Current Thread [Next in Thread]