Anyone else seeing this?
Over the last day or so I've seen a wave of probes to port 6588. The
probes seem to come in triplets, with a 3-second and then a 6-second
pause between the probes. Here's an example:
01:18:22 INPUT IN=eth2 SRC=216.229.73.73
01:18:25 INPUT IN=eth2 SRC=216.229.73.73
01:18:31 INPUT IN=eth2 SRC=216.229.73.73
A 13 hour period yesterday yielded:
638 probes to port 6588
139 unique host IPs.
The most active IPs:
68.52.95.196 (39)
129.173.3.192 (24)
210.234.82.143 (24)
80.56.136.150 (18)
129.173.3.192 (15)
At peak, late last night, I was averaging upwards of 2 per minute, but it
seems to have tapered off to about a quarter of that now. Most of the
attackers (that have rDNS information) seem to have dsl/ppp/dialup-pool
names, suggesting trojaned machines without firewalls on broadband
connections. Nmap showed some with obvious trojan infestations, but
others appeared clean, in terms of open ports.
Any idea what this is? A spammer frantically scanning for open proxies to
spam through (but why the overkill)? Or perhaps a rather ineffectual DDoS
attempt or practice run?
Neil
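One way to check a firewall log for the pattern the post describes (triplets from one source spaced about 3 s and then 6 s apart) and to produce the same per-source totals, as an added example that is not code from the original post or its author. It assumes iptables-style LOG lines that begin with an HH:MM:SS timestamp and carry `SRC=`, and, in the constructed sample, a `DPT=` field as a full iptables line would; lines without `DPT=` (like the truncated ones in the post) are kept as-is. The sample log lines are constructed for the example, not real traffic.

```python
"""Triplet-probe detector for iptables-style log lines.

Added example, not part of the original post. Assumptions (not in the post):
 - each line starts with an HH:MM:SS timestamp and carries 'SRC=<ip>'; the
   constructed sample also carries 'DPT=<port>' as a real iptables LOG line would;
 - all lines fall within one day, so timestamps need no date handling;
 - a 'triplet' is three hits from one source spaced ~3 s then ~6 s apart.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\s+.*?\bSRC=(\S+)(?:.*?\bDPT=(\d+))?")


def parse_line(line):
    """Return (seconds_since_midnight, src_ip, dport_or_None), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, src, dpt = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src, (int(dpt) if dpt else None)


def hits_by_source(lines, port=6588):
    """Group hit times per source IP, keeping only hits on `port`.
    Lines with no DPT field at all are kept (the post's lines are truncated)."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        t, src, dpt = parsed
        if dpt is not None and dpt != port:
            continue
        hits[src].append(t)
    for src in hits:
        hits[src].sort()
    return hits


def find_triplets(times, first_gap=3, second_gap=6, slack=1):
    """Count non-overlapping runs of three hits spaced first_gap then second_gap
    seconds apart, each gap within +/- slack. `times` must be sorted."""
    n = 0
    i = 0
    while i + 2 < len(times):
        g1 = times[i + 1] - times[i]
        g2 = times[i + 2] - times[i + 1]
        if abs(g1 - first_gap) <= slack and abs(g2 - second_gap) <= slack:
            n += 1
            i += 3          # consume the whole triplet
        else:
            i += 1
    return n


def summarize(lines, port=6588, top=5):
    """Totals in the shape the post reports (probes, unique sources, top
    talkers) plus a per-source triplet count."""
    hits = hits_by_source(lines, port)
    counts = Counter({src: len(ts) for src, ts in hits.items()})
    return {
        "probes": sum(counts.values()),
        "unique_sources": len(counts),
        "top": counts.most_common(top),
        "triplets": {src: find_triplets(ts) for src, ts in hits.items()},
    }


# Constructed sample (not real traffic): two sources showing the 3 s / 6 s
# triplet pattern, one hit on another port, and one lone hit on 6588.
SAMPLE_LOG = """\
01:18:22 INPUT IN=eth2 SRC=216.229.73.73 DST=10.0.0.2 PROTO=TCP DPT=6588
01:18:25 INPUT IN=eth2 SRC=216.229.73.73 DST=10.0.0.2 PROTO=TCP DPT=6588
01:18:31 INPUT IN=eth2 SRC=216.229.73.73 DST=10.0.0.2 PROTO=TCP DPT=6588
01:19:02 INPUT IN=eth2 SRC=68.52.95.196 DST=10.0.0.2 PROTO=TCP DPT=6588
01:19:05 INPUT IN=eth2 SRC=68.52.95.196 DST=10.0.0.2 PROTO=TCP DPT=6588
01:19:11 INPUT IN=eth2 SRC=68.52.95.196 DST=10.0.0.2 PROTO=TCP DPT=6588
01:19:40 INPUT IN=eth2 SRC=68.52.95.196 DST=10.0.0.2 PROTO=TCP DPT=6588
01:19:43 INPUT IN=eth2 SRC=68.52.95.196 DST=10.0.0.2 PROTO=TCP DPT=6588
01:19:49 INPUT IN=eth2 SRC=68.52.95.196 DST=10.0.0.2 PROTO=TCP DPT=6588
01:20:00 INPUT IN=eth2 SRC=10.9.9.9 DST=10.0.0.2 PROTO=TCP DPT=22
01:20:30 INPUT IN=eth2 SRC=192.0.2.7 DST=10.0.0.2 PROTO=TCP DPT=6588
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed it the raw lines (`summarize(open("/var/log/messages").read().splitlines())` on a day's worth of log) and compare the triplet count per source against that source's total hits: a source whose hits are nearly all triplets is running the same scanner the post describes, while a source with many hits but no triplets is something else.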