[plug] Port 3994 attack?

Stephen Boak sboak at westnet.com.au
Thu Sep 11 08:37:40 WST 2003


>None showing here in a log grep for 3994 (iinet dialup) - lotsa port 
>135
>tho ...
>
>BillK

Thru westnet here, so maybe that has something to do with it. I've
only been on this IP address for about two hours since last dialup
connect.

Sample from tcpdump -X -v -i ppp0

08:19:45.978318 210.114.156.204.1032 > 202.72.171.211.3994: S [tcp
sum ok] 3524005218:3524005218(0) win 64240 <mss 1420,nop,nop,sackOK>
[tos 0xe0]  (ttl 101, id 62302, len 48)
0x0000   45e0 0030 f35e 0000 6506 7c2e d272 9ccc       
E..0.^..e.|..r..
0x0010   ca48 abd3 0408 0f9a d20c 0d62 0000 0000       
.H.........b....
0x0020   7002 faf0 afea 0000 0204 058c 0101 0402       
p...............

Getting two to three a second at the moment, from random IP addresses
(sample SRC IP's from 08:33:22 to 08:33:28)

SRC=155.69.172.164
SRC=81.204.222.196
SRC=24.156.198.190
SRC=66.139.226.79
SRC=213.23.32.130
SRC=193.230.192.130
SRC=24.156.198.190
SRC=168.243.218.1
SRC=213.23.32.130
SRC=155.69.172.164

Doesn't mean anything to me - anyone know what port 3994 does?

Steve




More information about the plug mailing list