Posted by smith in scaesar.com
9:06:37 AM Port scan 24.64.195.107 UDP (1027, 1026)
9:05:59 AM Port scan 24.64.150.220 UDP (1027, 1026)
9:01:20 AM Port scan 24.64.134.98 UDP (1027, 1026)
8:38:46 AM Port scan 24.64.182.48 UDP (1027, 1026)
8:21:40 AM Port scan 24.64.157.163 UDP (1027, 1026)
8:10:15 AM Port scan 24.64.237.190 UDP (1027, 1026)
8:04:59 AM Port scan 24.64.44.168 UDP (1027, 1026)
This is a sample of my attack detection logs. I'm only providing a sample because the rest is more of the same, for weeks on end.
Normally I would think: Ok, someone has my address and wants in on my computer.
However, I've just recently arrived home from college, which means my IP address is different. Yet almost instantly I get spammed by these Canadian IP addresses. I checked my logs multiple times over and couldn't find any instance where I had exchanged data with a 24.64. address.
Anyone have a clue what this is about?
Well, it's probably not an infection of any sort - it was definitely a shot in the dark. It couldn't hurt to check of course.
Originally, I would have thought that it was some random Shaw machines that were sending messenger spam to random IPs. However, with messenger spam cut down in volume over the years and the fact that you moved from your college to home also drops this as unlikely. In short, I'm not sure what the potential problem is since you seem fairly knowledgeable yourself and probably ruled practically everything (programs etc.) I can think of out.
Does this only happen in OP6 or is this appearing in OP4? Some users reported some odd behavior with the attack detection part with OP6 (2008) but I'm not sure if it's applicable. Maybe someone else can give a stab at it as currently, all I can think about is turkey.
It's probably from your ISP. Did you use the same ISP at your apartment or wherever at college and at home? Doing a rDNS revealed it is from Shaw so it's not something you need to be worried about probably. I believe Rogers etc. (other Canadian ISPs) do the same thing but I'm not 100% sure on this as I'm not in Canada or using their services. UDP ports 1026/1027 etc. are the whole Windows Messenger spam thing I believe.
I'd like to take this time to say that Shaw's monthly bandwidth caps suck. Apparently, I'm under traffic shaping myself.
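The log sample in the original post and the explanation above (inbound UDP to 1026/1027 being the old Windows Messenger service pop-up spam) can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from Outpost: it parses lines in the "Port scan" format shown above, classifies each event by protocol and port signature, and groups the Messenger-signature events by source /16 so a repeated sweep from one ISP block stands out from anything that actually varies. The log text is the poster's seven lines plus one constructed non-matching line (203.0.113.7, a documentation address) so the classifier has something to distinguish; the line format regex and the assessment wording are assumptions for this example.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample: the seven lines from the original post plus one
# invented TCP event on a documentation address (203.0.113.0/24) so the
# classifier has a non-Messenger event to separate out.
SAMPLE_LOG = """\
9:06:37 AM Port scan 24.64.195.107 UDP (1027, 1026)
9:05:59 AM Port scan 24.64.150.220 UDP (1027, 1026)
9:01:20 AM Port scan 24.64.134.98 UDP (1027, 1026)
8:38:46 AM Port scan 24.64.182.48 UDP (1027, 1026)
8:21:40 AM Port scan 24.64.157.163 UDP (1027, 1026)
8:10:15 AM Port scan 24.64.237.190 UDP (1027, 1026)
8:04:59 AM Port scan 24.64.44.168 UDP (1027, 1026)
9:10:02 AM Port scan 203.0.113.7 TCP (22, 23, 80)
"""

# Assumed line shape, matching the sample: "<time> Port scan <src> <proto> (<ports>)".
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+Port scan\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<proto>UDP|TCP)\s+"
    r"\((?P<ports>[\d,\s]+)\)\s*$"
)

# UDP ports historically used for Messenger service pop-up spam.
MESSENGER_PORTS = {1026, 1027, 1028, 1029}


def parse_line(line):
    """Return a dict for one log line, or None if it is not a port-scan line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": m["time"],
        "src": m["src"],
        "proto": m["proto"],
        "ports": frozenset(int(p) for p in m["ports"].split(",")),
    }


def parse_log(text):
    """Parse every recognised line; unrecognised lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_messenger_spam(event):
    """UDP with every targeted port in the Messenger range is the spam signature."""
    return event["proto"] == "UDP" and event["ports"] <= MESSENGER_PORTS


def source_prefix(ip, bits=16):
    """Collapse a source address to its /bits network, e.g. 24.64.0.0/16."""
    return str(ip_network(f"{ip}/{bits}", strict=False))


def summarize(events, bits=16):
    """Split events into Messenger-signature vs. other, and count the former per prefix."""
    messenger = [e for e in events if is_messenger_spam(e)]
    other = [e for e in events if not is_messenger_spam(e)]
    by_prefix = Counter(source_prefix(e["src"], bits) for e in messenger)
    return {
        "total": len(events),
        "messenger": len(messenger),
        "messenger_by_prefix": dict(by_prefix),
        "other": other,
    }


def assess(summary):
    """Plain-language reading of the summary (wording is this example's own)."""
    if summary["messenger"] and not summary["other"]:
        return "all events match the Messenger spam signature; blocked inbound noise"
    if summary["other"]:
        return "some events do not match the Messenger signature; review those separately"
    return "no port-scan events"


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(s["messenger"], "Messenger-signature events by /16:", s["messenger_by_prefix"])
    for e in s["other"]:
        print("review:", e["time"], e["src"], e["proto"], sorted(e["ports"]))
    print(assess(s))
```

On the poster's own seven lines this reports every event as the Messenger signature from a single 24.64.0.0/16 block, which is the "broad sweep, not a targeted probe" reading the thread arrives at. The defender-side check that matters is local: confirm the Messenger service is disabled (on Windows XP, `sc query Messenger` shows its state) and that nothing is listening on UDP 1026-1029 (`netstat -an -p udp`), so the dropped packets have nothing to reach.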
Wow, I was far off the mark. Sorry, I'm not entirely sure why Shaw addresses are continuously hitting up those particular ports as I can only think of unlikely reasons. I'm assuming your computer is clean of viruses/etc and wasn't ever infected at some point?
1. My ISP at college is Shentel; my ISP here is Patriot Media.
2. Neither are Canadian as far as I know.
3. If it's just general Windows Messenger spam, why does it all come from a single ISP, particularly one I don't have service with?
It's recently reformatted (after Partition Magic killed my system partition). First things to go on were NOD32 and Outpost. Also I haven't been to any questionable websites, or opened questionable attachments in my emails in the few weeks since.
So I'm fairly certain I'm not infected. But looking at these logs makes me a little worried.