Complete.Org: Mailing Lists: Archives: linux-help: August 2004:
[linux-help] Re: Port 18593 attacks
To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: Port 18593 attacks
From: "John Lucas" <jdlucas@xxxxxxxxxxxx>
Date: Tue, 3 Aug 2004 00:04:00 -0500
Reply-to: linux-help@xxxxxxxxx

In my experience, most DHCP servers base the IPs they assign on the MAC
ADDR. of the CUSTOMER's hardware, not on the MODEM's MAC ADDR.

If you think about it, it's the CUSTOMER's hardware that requests its IP
from Cox's DHCP server, not the modem. The Modem has very little to do with
granting the DHCP lease request.

Many hardware routers give you the option of modifying the MAC Address.  I
have found that if I RELEASE the address assigned to my router, CHANGE the
MAC address of my router by a digit or two, and then RENEW, the DHCP server
will think that I have a new piece of hardware and will assign a different
IP to my router.

So, if you are using your Linux box as the router, the most surefire way to
get a new IP would be to RELEASE the DHCP lease you currently have, swap
network cards (it doesn't matter if it's exactly the same model of card;
every card has a unique MAC address), and then RENEW your lease.

Hope this helps... Good Luck!

--John

----- Original Message ----- 
From: "ironrose" <ironrose@xxxxxxx>
To: <linux-help@xxxxxxxxx>
Sent: Monday, August 02, 2004 6:48 PM
Subject: [linux-help] Re: Port 18593 attacks


> I talked with Sandy, the lady in charge of Cox security and she
> confirmed what you have found out, that the cable modem needs to be shut
> off for 24 hours or you can shutdown the main computer and on a second
> computer connect to the internet.  Sometimes this process will give you
> a different ip address.  She has had the same ip address for about 2
> years.
>
> Sandy asked if you were able to determine who is port scanning you or
> what isp they are using.  If it is one of cox's customers, then she
> needs to find out and cox will go after them, suspending their service
> or prosecution.  If it is someone who is with another internet service
> provider, then she can forward your log files and that isp so that they
> can deal with the deviant customer.  If you want to send her your log
> files, then COPY & PASTE the logs (not forward them) into an email and
> send them to abuse@xxxxxxx.  Apparently asking people to be nice on the
> internet doesn't work, going after them legally (if enough evidence can
> be gathered and presented in court) is going to be the only way to stop
> the deviant computer users.  ~Anne
>
> bbales wrote:
> > Unplugging the modem didn't change the IP address.  Cox is trying to change
> > it, but the method for doing it is not readily available to them.
> >
> > The modems have a 12 hour lease time, so the easiest way is to shut it off for
> > 24 hours and you will get a new IP address.  Or find out when your lease is
> > up and shut it off for 12 hours.  (Mine is up at 5:50 so if they can't reset
> > it at Cox, I will unplug about 5:30 and leave it over night.)
> >
> > They are trying to be very helpful.  I have always had super support from Cox
> > except for the "We don't support Linux," bit.
> > bruce
> >
> > On Monday 02 August 2004 07:12, you wrote:
> >
> >>Powering the cable modem off for 2-5 minutes and rebooting may not give
> >>you a new ip address with cox dhcp server.  Even the tech support staff
> >>are unable to release & renew your ip address from the cox dhcp server.
> >>  It may have to be released and renewed by a supervisor at cox.  I will
> >>check on that.  ~Anne
> >>
> >>Jonathan Hall wrote:
> >>
> >>>Sounds like a bunch of port scans.  I'm not sure what method there might
> >>>be to the apparent madness, though.
> >>>
> >>>Do you have a static IP address?  If not, do you continue to experience
> >>>the attacks after your IP changes?  It looks like you use Cox... I would
> >>>suggest powering off your cable modem for 2-5 minutes, then powering it
> >>>back on. That should force a new IP address.  Then see if the apparent
> >>>attacks continue.
> >>>
> >>>It may be that someone (or many someones) found your IP address somewhere
> >>>(e-mail header, usenet posting, IRC logs... whatever), and whatever
> >>>mechanism is attacking you (whether it be an individual or, probably more
> >>>likely, some automated attack brought on by a trojan horse/virus on some
> >>>unsuspecting person/people's computers) is continuing to attack that
> >>>address.
> >>>
> >>>I had an instance several years ago where one of my IP addresses was
> >>>being attacked after I had connected to a certain IRC network from that
> >>>IP address.  A number of IPs then began attacking that IP address for
> >>>days.  By changing IP addresses, the attacks then fail, and so long as
> >>>the target IP address is not again visible to the would-be attackers, the
> >>>attacks can not begin again.
> >>>
> >>>-- Jonathan
> >>>
> >>>
> >>>----- Original Message -----
> >>>From: "bbales" <bbales@xxxxxxx>
> >>>To: <linux-help@xxxxxxxxx>
> >>>Sent: Sunday, August 01, 2004 8:35 PM
> >>>Subject: [linux-help] Re: Port 18593 attacks
> >>>
> >>>
> >>>>No - In one bunch of 916 hits there were 110 different addresses.  38
> >>>>were to UDP, the rest to TCP.  Usually hits an address/port combination two to
> >>>>four times and then switches.  Sometimes switches address and port in less
> >>>>than a second (two hits with the same time-stamp.)  Most source ports are
> >>>>four digit, the rest are five digit.
> >>>>
> >>>>A sort on source addresses shows several addresses used quite a few
> >>>>times. 24.161.87.199 used 64 times with 16 different ports, each port
> >>>>used exactly four times.
> >>>>24.167.68.48 used 30 times, five different ports, each used exactly six
> >>>>times.
> >>>>68.113.250.214  24 times, 8 different ports, each used exactly three
> >>>>times.
> >>>>68.47.163.14  26 times, nine different ports, all but one used three
> >>>>times and one used twice.
> >>>>144.137.113.30 used 81 times with about 78 different ports.
> >>>>217.226.110.2 used 106 times with ports used mostly three or four times.
> >>>>
> >>>>I'm sure that's more information than anyone wants.
> >>>>bruce
> >>>>
> >>>>On Sunday 01 August 2004 01:12, you wrote:
> >>>>
> >>>>>I am not aware of any server/software that uses TCP port 18593.  Do the
> >>>>>attacks appear to be originating from any particular sources?
> >>>>>
> >>>>>----- Original Message -----
> >>>>>From: "bbales" <bbales@xxxxxxx>
> >>>>>To: <linux-help@xxxxxxxxx>
> >>>>>Sent: Saturday, July 31, 2004 9:52 PM
> >>>>>Subject: [linux-help] Port 18593 attacks
> >>>>>
> >>>>>
> >>>>>>During the past week my Frazier Firewall has been turning away thousands of
> >>>>>>attempts at port 18593.  Some times as many as 245 in one hour.  In the past
> >>>>>>when I had a large number of hits on one port, I could find something about
> >>>>>>it from Symantec or some forum on the web.  This time no-one is reporting
> >>>>>>anything about port 18593.
> >>>>>>
> >>>>>>It seems to be overwhelming the firewall logging facilities as the daily
> >>>>>>email only reports the last six or eight hours.
> >>>>>>
> >>>>>>Anyone have any clues about this?
> >>>>>>bruce
> >>>>>>
> >>>>>>

-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
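Bruce's per-source tally above (hits per address, distinct source ports, how many times each port was reused, TCP versus UDP split) can be produced directly from firewall logs rather than by hand. The script below is an added example and is not part of the thread; it assumes iptables-style LOG lines and runs over constructed entries using documentation addresses, not the addresses or logs from the discussion.

```python
import re
from collections import Counter, defaultdict

# Fields of an iptables LOG line that the tally needs; everything else is ignored.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?PROTO=(?P<proto>TCP|UDP)"
    r".*?SPT=(?P<spt>\d+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log (iptables LOG format, RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Aug  1 20:01:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=4012 DPT=18593
Aug  1 20:01:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=4012 DPT=18593
Aug  1 20:01:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=4013 DPT=18593
Aug  1 20:01:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=4013 DPT=18593
Aug  1 20:01:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=UDP SPT=51234 DPT=18593
Aug  1 20:01:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=3377 DPT=18593
Aug  1 20:01:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.2 DST=10.0.0.5 PROTO=TCP SPT=1025 DPT=80
"""

def parse(lines):
    """Yield (src, proto, spt, dpt) for every line that carries the LOG fields."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["proto"], int(m["spt"]), int(m["dpt"])

def summarize(lines, dport):
    """Per-source breakdown of the hits aimed at one destination port."""
    per_src = defaultdict(lambda: {"hits": 0, "proto": Counter(), "spt": Counter()})
    for src, proto, spt, dpt in parse(lines):
        if dpt != dport:          # keep only the port under investigation
            continue
        rec = per_src[src]
        rec["hits"] += 1
        rec["proto"][proto] += 1
        rec["spt"][spt] += 1
    return dict(per_src)

def describe(summary):
    """Render the tally the way the thread reports it, busiest source first."""
    out = []
    for src, rec in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        reps = set(rec["spt"].values())
        pattern = (f"each used exactly {reps.pop()} times" if len(reps) == 1
                   else "uneven port reuse")
        out.append(f"{src}: {rec['hits']} hits, {len(rec['spt'])} source ports, "
                   f"{pattern}, TCP={rec['proto']['TCP']} UDP={rec['proto']['UDP']}")
    return out

if __name__ == "__main__":
    print("\n".join(describe(summarize(SAMPLE_LOG.splitlines(), 18593))))
```

Feed it the real log with `summarize(open("/var/log/messages"), 18593)`; a source whose ports are each reused exactly N times is the kind of regularity Bruce noticed and is what to send to the ISP's abuse desk.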

