Complete.Org: Mailing Lists: Archives: linux-help: August 2004

[linux-help] Re: Port 18593 attacks

To: <linux-help@xxxxxxxxx>
Subject: [linux-help] Re: Port 18593 attacks
From: "Adam M. Sennott" <kryste01@xxxxxxx>
Date: Mon, 2 Aug 2004 22:17:41 -0700
Reply-to: linux-help@xxxxxxxxx

Agreed.  When I release/renew the WAN address from my Linksys router, it
almost invariably pulls a new address from Cox.

Also, please keep in mind if not using a router that the older Cox modems,
the big off-white brick ones, do not have a MAC address.
----- Original Message ----- 
From: "John Lucas" <jdlucas@xxxxxxxxxxxx>
To: <linux-help@xxxxxxxxx>
Sent: Monday, August 02, 2004 10:04 PM
Subject: [linux-help] Re: Port 18593 attacks


> In my experience, most DHCP servers base the IPs they assign on the MAC
> ADDR. of the CUSTOMER's hardware, not on the MODEM's MAC ADDR.
>
> If you think about it, it's the CUSTOMER's hardware that requests its IP
> from Cox's DHCP server, not the modem. The Modem has very little to do with
> granting the DHCP lease request.
>
> Many hardware routers give you the option of modifying the MAC Address.  I
> have found that if I RELEASE the address assigned to my router, CHANGE the
> MAC address of my router by a digit or two, and then RENEW, the DHCP server
> will think that I have a new piece of hardware and will assign a different
> IP to my router.
>
> So, if you are using your Linux box as the router, the most surefire way to
> get a new IP would be to RELEASE the DHCP lease you currently have, swap
> network cards (it doesn't matter if it's exactly the same model of card;
> every card has a unique MAC address), and then RENEW your lease.
>
> Hope this helps... Good Luck!
>
> --John
>
> ----- Original Message ----- 
> From: "ironrose" <ironrose@xxxxxxx>
> To: <linux-help@xxxxxxxxx>
> Sent: Monday, August 02, 2004 6:48 PM
> Subject: [linux-help] Re: Port 18593 attacks
>
>
> > I talked with Sandy, the lady in charge of Cox security and she
> > confirmed what you have found out, that the cable modem needs to be shut
> > off for 24 hours or you can shutdown the main computer and on a second
> > computer connect to the internet.  Sometimes this process will give you
> > a different ip address.  She has had the same ip address for about 2
> > years.
> >
> > Sandy asked if you were able to determine who is port scanning you or
> > what isp they are using.  If it is one of cox's customers, then she
> > needs to find out and cox will go after them, suspending their service
> > or prosecution.  If it is someone who is with another internet service
> > provider, then she can forward your log files to that isp so that they
> > can deal with the deviant customer.  If you want to send her your log
> > files, then COPY & PASTE the logs (not forward them) into an email and
> > send them to abuse@xxxxxxx.  Apparently asking people to be nice on the
> > internet doesn't work, going after them legally (if enough evidence can
> > be gathered and presented in court) is going to be the only way to stop
> > the deviant computer users.  ~Anne
> >
> > bbales wrote:
> > > Unplugging the modem didn't change the IP address.  Cox is trying to change
> > > it, but the method for doing it is not readily available to them.
> > >
> > > The modems have a 12 hour lease time, so the easiest way is to shut it off for
> > > 24 hours and you will get a new IP address.  Or find out when your lease is
> > > up and shut it off for 12 hours.  (Mine is up at 5:50 so if they can't reset
> > > it at Cox, I will unplug about 5:30 and leave it over night.)
> > >
> > > They are trying to be very helpful.  I have always had super support from Cox
> > > except for the "We don't support Linux," bit.
> > > bruce
> > >
> > > On Monday 02 August 2004 07:12, you wrote:
> > >
> > >>Powering the cable modem off for 2-5 minutes and rebooting may not give
> > >>you a new ip address with cox dhcp server.  Even the tech support staff
> > >>are unable to release & renew your ip address from the cox dhcp server.
> > >>It may have to be released and renewed by a supervisor at cox.  I will
> > >>check on that.  ~Anne
> > >>
> > >>Jonathan Hall wrote:
> > >>
> > >>>Sounds like a bunch of port scans.  I'm not sure what method there might
> > >>>be to the apparent madness, though.
> > >>>
> > >>>Do you have a static IP address?  If not, do you continue to experience
> > >>>the attacks after your IP changes?  It looks like you use Cox... I would
> > >>>suggest powering off your cable modem for 2-5 minutes, then powering it
> > >>>back on. That should force a new IP address.  Then see if the apparent
> > >>>attacks continue.
> > >>>
> > >>>It may be that someone (or many someones) found your IP address somewhere
> > >>>(e-mail header, usenet posting, IRC logs... whatever), and whatever
> > >>>mechanism is attacking you (whether it be an individual or, probably more
> > >>>likely, some automated attack brought on by a trojan horse/virus on some
> > >>>unsuspecting person/people's computers) is continuing to attack that
> > >>>address.
> > >>>
> > >>>I had an instance several years ago where one of my IP addresses was
> > >>>being attacked after I had connected to a certain IRC network from that
> > >>>IP address.  A number of IPs then began attacking that IP address for
> > >>>days.  By changing IP addresses, the attacks then fail, and so long as
> > >>>the target IP address is not again visible to the would-be attackers, the
> > >>>attacks can not begin again.
> > >>>
> > >>>-- Jonathan
> > >>>
> > >>>
> > >>>----- Original Message -----
> > >>>From: "bbales" <bbales@xxxxxxx>
> > >>>To: <linux-help@xxxxxxxxx>
> > >>>Sent: Sunday, August 01, 2004 8:35 PM
> > >>>Subject: [linux-help] Re: Port 18593 attacks
> > >>>
> > >>>
> > >>>>No - In one bunch of 916 hits there were 110 different addresses.  38
> > >>>>were to UDP, the rest to TCP.  Usually hits an address/port combination
> > >>>>two to four times and then switches.  Sometimes switches address and port
> > >>>>in less than a second (two hits with the same time-stamp.)  Most source
> > >>>>ports are four digit, the rest are five digit.
> > >>>>
> > >>>>A sort on source addresses shows several addresses used quite a few
> > >>>>times. 24.161.87.199 used 64 times with 16 different ports, each port
> > >>>>used exactly four times.
> > >>>>24.167.68.48 used 30 times, five different ports, each used exactly six
> > >>>>times.
> > >>>>68.113.250.214  24 times, 8 different ports, each used exactly three
> > >>>>times.
> > >>>>68.47.163.14  26 times, nine different ports, all but one used three
> > >>>>times and one used twice.
> > >>>>144.137.113.30 used 81 times with about 78 different ports.
> > >>>>217.226.110.2 used 106 times with ports used mostly three or four times.
> > >>>>
> > >>>>I'm sure that's more information than anyone wants.
> > >>>>bruce
> > >>>>
> > >>>>On Sunday 01 August 2004 01:12, you wrote:
> > >>>>
> > >>>>>I am not aware of any server/software that uses TCP port 18593.  Do the
> > >>>>>attacks appear to be originating from any particular sources?
> > >>>>>
> > >>>>>----- Original Message -----
> > >>>>>From: "bbales" <bbales@xxxxxxx>
> > >>>>>To: <linux-help@xxxxxxxxx>
> > >>>>>Sent: Saturday, July 31, 2004 9:52 PM
> > >>>>>Subject: [linux-help] Port 18593 attacks
> > >>>>>
> > >>>>>
> > >>>>>>During the past week my Frazier Firewall has been turning away thousands
> > >>>>>>of attempts at port 18593.  Some times as many as 245 in one hour.  In
> > >>>>>>the past when I had a large number of hits on one port, I could find
> > >>>>>>something about it from Symantec or some forum on the web.  This time
> > >>>>>>no-one is reporting anything about port 18593.
> > >>>>>>
> > >>>>>>It seems to be overwhelming the firewall logging facilities as the daily
> > >>>>>>email only reports the last six or eight hours.
> > >>>>>>
> > >>>>>>Anyone have any clues about this?
> > >>>>>>bruce
> > >>>>>>
> > >>>>>>
> > >>>>>>-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
> > >>>>>>visit http://www.complete.org/cgi-bin/listargate-aclug.cgi

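The per-source and per-port tallies bruce reports in the thread (a sort on source addresses, how many times each source port is reused, one destination port hammered from many addresses) are the kind of aggregation a small script can do over the firewall log before the daily summary overflows. The following is an added example of mine, not code from anyone on the thread and not part of the Frazier Firewall or Cox tooling. It assumes a netfilter/syslog-style DROP line format (the Frazier log format is not shown on the page), uses constructed sample lines with RFC 5737 documentation addresses in place of the real ones, and flags a destination port that is being hit by many distinct sources.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in an assumed netfilter/syslog-style DROP format
# (not the Frazier Firewall's own format); addresses are documentation ranges.
SAMPLE_LOG = """\
Aug  1 20:01:02 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=10.0.0.2 PROTO=TCP SPT=4312 DPT=18593
Aug  1 20:01:02 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=10.0.0.2 PROTO=TCP SPT=4312 DPT=18593
Aug  1 20:01:03 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=10.0.0.2 PROTO=TCP SPT=4313 DPT=18593
Aug  1 20:01:05 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.2 PROTO=UDP SPT=33412 DPT=18593
Aug  1 20:01:09 gw kernel: DROP IN=eth0 SRC=203.0.113.30 DST=10.0.0.2 PROTO=TCP SPT=5020 DPT=18593
Aug  1 20:01:10 gw kernel: DROP IN=eth0 SRC=203.0.113.30 DST=10.0.0.2 PROTO=TCP SPT=5021 DPT=18593
Aug  1 20:02:00 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.2 PROTO=TCP SPT=40000 DPT=22
this line is not a firewall record and is skipped
"""

# Fields we need from each record; anything else on the line is ignored.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_events(log_text):
    """Return (src, proto, sport, dport) tuples; non-matching lines are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["proto"], int(m["spt"]), int(m["dpt"])))
    return events


def summarize(events):
    """Aggregate the way the thread does by hand: hits per destination port and
    protocol, distinct sources per destination port, and for each source its hit
    count, distinct source ports and how many times each source port was reused."""
    by_dport = Counter()
    by_proto = Counter()
    sources_per_dport = defaultdict(set)
    sport_use = defaultdict(Counter)  # src -> Counter of source ports
    for src, proto, sport, dport in events:
        by_dport[dport] += 1
        by_proto[proto] += 1
        sources_per_dport[dport].add(src)
        sport_use[src][sport] += 1
    sources = {}
    for src, ports in sport_use.items():
        sources[src] = {
            "hits": sum(ports.values()),
            "distinct_sports": len(ports),
            # e.g. [4] means every source port was reused exactly four times
            "reuse_counts": sorted(set(ports.values())),
        }
    return {
        "total": len(events),
        "by_dport": dict(by_dport),
        "by_proto": dict(by_proto),
        "sources_per_dport": {d: len(s) for d, s in sources_per_dport.items()},
        "sources": sources,
    }


def flag_distributed_probes(summary, min_sources=3, min_share=0.5):
    """Return (dport, n_sources, hits) for destination ports hit by at least
    min_sources distinct addresses and carrying at least min_share of all
    dropped traffic: the one-port-from-many-addresses pattern in the thread."""
    total = summary["total"] or 1
    flagged = []
    for dport, hits in summary["by_dport"].items():
        n_src = summary["sources_per_dport"][dport]
        if n_src >= min_sources and hits / total >= min_share:
            flagged.append((dport, n_src, hits))
    return sorted(flagged, key=lambda t: -t[2])


if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_LOG))
    for dport, n_src, hits in flag_distributed_probes(s):
        print(f"port {dport}: {hits} hits from {n_src} distinct sources")
    for src, info in sorted(s["sources"].items(), key=lambda kv: -kv[1]["hits"]):
        print(src, info)
```

Run it against the real log by replacing SAMPLE_LOG with the file contents and adjusting LINE_RE to the firewall's own field names; the reuse_counts list is what makes the "each port used exactly four times" pattern visible at a glance, and the per-port source count is the number to copy into an abuse report along with the raw lines.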
