
Strange Attack



#1 Fantym


Posted 11 March 2010 - 03:56 PM

I'm not sure what section this should go in but... here goes.

I have a small business and my router and the firewall on my server keep informing me that xxx.xxx.xxx.xxx:yyyy is trying to access zzz.zzz.zzz.zzz:18442.

The xxx's are one of many IPs and yyyy is a random port; the zzz's are my server, hidden for safety. The consistent thing is port 18442 on my server, which my firewall informs me is not being used by any running app, and it is blocking the traffic.

I have googled the port in question and have not been able to find what app/virus/service/exploit the remote IPs are trying to reach.

Any info may be helpful. I know I can make it stop, I just need to roll my static IP to a new one. Until I do that I thought it would be nice to learn what methods these computers are trying to gain access by.

Thank You For Your Time...



#2 Fantym


Posted 11 March 2010 - 04:06 PM

Here is a section from my router log; I've blanked my server IP address:

[LAN access from remote] from 217.123.164.182:39619 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:54:22
[LAN access from remote] from 94.10.185.102:11187 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:54:22
[LAN access from remote] from 81.166.25.161:4440 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:54:17
[LAN access from remote] from 217.150.61.117:35181 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:54:17
[LAN access from remote] from 68.202.97.245:1314 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:54:15
[LAN access from remote] from 94.123.229.178:6881 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:54:14
[LAN access from remote] from 95.78.31.254:13308 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:54:09
[LAN access from remote] from 72.185.141.187:48276 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:54:06
[LAN access from remote] from 78.175.216.178:26403 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:54:03
[LAN access from remote] from 79.25.66.193:47830 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:54:02
[LAN access from remote] from 78.114.221.41:40224 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:56
[LAN access from remote] from 91.82.147.126:26216 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:52
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [67.148.71.41], Thursday, 11 Mar 2010 12:53:52
[LAN access from remote] from 212.50.239.25:37120 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:51
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [67.148.71.11], Thursday, 11 Mar 2010 12:53:48
[LAN access from remote] from 67.204.48.43:16728 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:48
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [74.125.53.139], Thursday, 11 Mar 2010 12:53:48
[LAN access from remote] from 207.46.194.131:50185 to xxx.xxx.xxx.xxx:80 Thursday, 11 Mar 2010 12:53:47
[LAN access from remote] from 94.189.200.13:22092 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:46
[LAN access from remote] from 80.99.23.68:34159 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:46
[LAN access from remote] from 212.76.37.166:56117 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:44
[LAN access from remote] from 88.226.72.65:31520 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:39
[LAN access from remote] from 173.32.236.130:45984 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:39
[LAN access from remote] from 74.115.1.10:8080 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:33
[LAN access from remote] from 78.153.37.210:40580 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:33
[LAN access from remote] from 95.61.93.130:45682 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:32
[LAN access from remote] from 188.114.57.164:6800 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:28
[LAN access from remote] from 66.249.67.12:56735 to xxx.xxx.xxx.xxx:80 Thursday, 11 Mar 2010 12:53:27
[LAN access from remote] from 217.150.38.193:12000 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:27
[LAN access from remote] from 92.242.71.57:10900 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:26
[LAN access from remote] from 92.135.251.77:16891 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:26
[LAN access from remote] from 89.19.165.209:52315 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:24
[LAN access from remote] from 187.10.8.219:20001 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:21


#3 Fantym


Posted 11 March 2010 - 07:05 PM

Never mind. I figured it out; as it turns out, it's not related to the DOS attacks I've been having. I downloaded some drivers for an ASUS motherboard and it used btdna.exe (Bit Torrent Content Distribution) and left it loaded. I have a different port mapped for normal BitTorrent traffic, and it didn't ask me what port to use. So port 18442 = BTDNA.EXE
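Added example (not part of the original posts): a short triage script for the router log format posted above, grouping inbound attempts by destination port and checking whether any of those sources also appear in the router's "DOS attack" alerts. The function name `summarize` and the report field names are assumptions made for this illustration; the eight sample lines are copied from the log in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Eight lines copied from the router log posted in this thread
# (the poster masked the server address as xxx.xxx.xxx.xxx).
SAMPLE_LOG = """\
[LAN access from remote] from 217.123.164.182:39619 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:54:22
[LAN access from remote] from 94.10.185.102:11187 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:54:22
[LAN access from remote] from 94.123.229.178:6881 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:54:14
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [67.148.71.41], Thursday, 11 Mar 2010 12:53:52
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [74.125.53.139], Thursday, 11 Mar 2010 12:53:48
[LAN access from remote] from 207.46.194.131:50185 to xxx.xxx.xxx.xxx:80 Thursday, 11 Mar 2010 12:53:47
[LAN access from remote] from 66.249.67.12:56735 to xxx.xxx.xxx.xxx:80 Thursday, 11 Mar 2010 12:53:27
[LAN access from remote] from 187.10.8.219:20001 to xxx.xxx.xxx.xxx:18442 Thursday, 11 Mar 2010 12:53:21
"""

ACCESS_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):\d+ to \S+:(?P<dport>\d+) "
    r"\w+, (?P<ts>\d+ \w+ \d{4} [\d:]+)$")
ALERT_RE = re.compile(r"^\[DOS attack: [^\]]+\].* from ip \[(?P<src>[\d.]+)\]")

def summarize(log_text):
    """Group inbound attempts by destination port and compare with alert IPs."""
    ports = defaultdict(lambda: {"hits": 0, "sources": set(), "times": []})
    alert_ips = set()
    for line in map(str.strip, log_text.splitlines()):
        access, alert = ACCESS_RE.match(line), ALERT_RE.match(line)
        if access:
            entry = ports[int(access["dport"])]
            entry["hits"] += 1
            entry["sources"].add(access["src"])
            entry["times"].append(datetime.strptime(access["ts"], "%d %b %Y %H:%M:%S"))
        elif alert:
            alert_ips.add(alert["src"])
    report = {}
    for port, e in ports.items():
        report[port] = {
            "hits": e["hits"],
            "distinct_sources": len(e["sources"]),
            "window_seconds": int((max(e["times"]) - min(e["times"])).total_seconds()),
            # Sources that both connected to this port and triggered an alert.
            "sources_in_alerts": sorted(e["sources"] & alert_ips),
        }
    return report, alert_ips

if __name__ == "__main__":
    report, alert_ips = summarize(SAMPLE_LOG)
    for port, row in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        print(port, row)
    print("alert sources:", sorted(alert_ips))
```

On these lines the script shows four distinct sources reaching port 18442 within about a minute and no overlap with the alert sources. The log alone does not name the program that advertised the port, so the host still has to be checked for the process involved, as the poster did when tracing it to btdna.exe.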



