deadi (Perry, OH) | reply to kpatz
Re: TCP port 65506 proxy scan
quote: port 27015 is the default port for the popular online game Halflife and mods such as Counterstrike and Day of Defeat. Why this port activity has increased, I do not know. When a user looks for a game to join, a game browser pings all known servers that are running the game. The ping is displayed, the player joins based on ping value. The lower the ping the better.
Heh, I posted that! Anyway, I saw the charts for that port and took notice at the time that activity on that port has jumped significantly in a short period. I can only assume that Steam (Steampowered.com), which is responsible for the game, has changed the way it delivers or requests information such as ping time or server/client registration to and from clients. People from other countries do play on US servers if they have a fat pipe and get good ping. Generally, you have to have a static IP to host a server. Some gamers will run a server on a dynamic IP and host a game for LAN parties and such, and disappear when the festivities are over. -- ERROR:Bad Command or File Name, go stand in corner.
Link Logger (Calgary, AB) | reply to Link Logger
65506 Traffic
Apparently they noticed that my system is no longer in the game and have quit sending requests, either that or they are done their spam run for the day.
This thread should be a good reply to a typical question we hear from users, 'why would they want my computer, there is nothing on it'. Sometimes hackers, or in this case spammers, just want your IP address, or CPU, or disk space, or bandwidth and could really care less what is actually on your computer, as that is not their objective. Had my system really been infected and been a real spam relay then thousands of people if not more would have received spam sent through this computer. So my 'lack' of security would have negatively impacted a lot of people, and if that spam contained viruses then the impact could have been far larger. So this is a perfect example of the effect that one insecure computer could have on others.
The internet is a community and if you let one crack house into the neighbourhood it's likely the whole community suffers either directly or indirectly. It would be interesting to find out how many relays these guys are using, but I'd bet thousands, which is thousands too many.
The other issue is surrounding whether spam is legal or not. Given that I certainly didn't give consent to attempt to use my system as a spam relay, nor likely does anyone else, that in itself is illegal (even more so if, for example, I had to pay for bandwidth used). Given that it is typical for spammers to use zombies for relays, it would indicate to me that most spammers are criminals. They could purchase their own systems, bandwidth, IP addresses, etc. and be legal by definition of the law, but very few if any do, hence why most spammers are not exactly loved.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
foxsteve (Campbell, CA) | reply to Link Logger
Blake, you have given those spammers your attention and time as a present, and they thank you for the free advertisement. They are sure that their spam has achieved to sacrifices - there are all. Do you have any idea how to inflict damage on their activity?
novaflare (Barberton, OH) | Am I the only one who randomly punches IPs that scan me into a web browser? »69.44.157.21/ -- my fav mmorpg »www.rubiesofeventide.com my site »spellbound.valshea.com/news.php
kpatz (Manchester, NH) | reply to foxsteve
I'm thinking someone should create a decoy proxy - one that acts like the real thing, but instead of forwarding the spam on to its intended targets, it just collects it, and IP logs, to gather evidence to use against the spammers.
I wonder what an ISP abuse dept will think of receiving an email with an IP log showing one of their IPs, and 1,000 spam messages in a zipped attachment, that were attempted to be sent from that IP.  |
pcdebb (Brandon, FL) | said by kpatz: I'm thinking someone should create a decoy proxy - one that acts like the real thing, but instead of forwarding the spam on to its intended targets, it just collects it, and IP logs, to gather evidence to use against the spammers.
I wonder what an ISP abuse dept will think of receiving an email with an IP log showing one of their IPs, and 1,000 spam messages in a zipped attachment, that were attempted to be sent from that IP.
That gave me a more convoluted thought. How about acting as the real thing and just forwarding it back to the originator? Make them flood themselves, heh (and forgive me, I have no idea how the "flow" goes with this stuff, but it was a fun thought while it lasted). -- I want to die in my sleep like my grandfather...not screaming and yelling like the passengers in his car
reply to foxsteve | Upon reflection, I do not wish to post.
kpatz (Manchester, NH) | reply to pcdebb
said by pcdebb: that gave me a more convoluted thought. how about acting as the real thing and just forward it back to the originator? make them flood themselves heh (and forgive me, I have no idea how the "flow" goes with this stuff, but it was a fun thought while it lasted)
Neat idea! If they're stupid enough to have port 25 open and running a mailserver on the same IP they're contacting the proxy with, they'd DoS themselves with their own spam!
Link Logger (Calgary, AB) | reply to kpatz
In a sense I created a decoy proxy and received over 66,000 hits and I have the logs to back it up. Generally I'm of the mind that two wrongs don't make a right, but sometimes it does make you feel better about the first wrong. Could we take them down, sure, but they would just move on to somewhere else.
Information from this thread is already going out and so more and more people are becoming aware of 'issues' on TCP port 65506. Of course this means the spammers will work with the virus guys again such that the next virus installs a proxy on some other port, but the point is the gang here at DSLReports once again picked up on this issue rather quickly and then put out the information so others can benefit. There are lots of people in this forum who monitor their firewalls and are interested in understanding what different scans/attacks are trying to do and that is why I learn so much here.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
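The decoy proxy kpatz proposes and the one Link Logger says he ran are, in effect, a logging honeypot. As an added example that is not code from this thread or from either poster, here is a minimal Python version: it listens on the port the thread discusses, records the peer address and the request line, answers with an error so nothing is ever relayed, and flags CONNECT requests to port 25 as relay attempts. The request patterns, the in-memory log and all sample values are assumptions constructed for illustration.

```python
import re
import socket
import threading
from datetime import datetime, timezone

LOG = []  # in-memory evidence log (assumption); a real deployment would append to a file

# Request line shapes an open-proxy abuser would send through an HTTP proxy
# (hypothetical patterns chosen for this example).
REQ_RE = re.compile(r"^(?P<method>CONNECT|GET|POST) (?P<target>\S+) HTTP/\d\.\d", re.I)

def record_request(peer_ip, peer_port, data):
    """Turn the raw bytes a client sent into one evidence record and keep it."""
    first = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    m = REQ_RE.match(first)
    rec = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src": f"{peer_ip}:{peer_port}",
        "method": m["method"].upper() if m else None,
        "target": m["target"] if m else None,
        "bytes": len(data),
    }
    LOG.append(rec)
    return rec

def is_relay_attempt(rec):
    """CONNECT to a host's port 25 is the tell-tale open-proxy spam-relay pattern."""
    return rec["method"] == "CONNECT" and rec["target"].endswith(":25")

def handle(conn, addr):
    try:
        data = conn.recv(4096)
        record_request(addr[0], addr[1], data)
        # Refuse instead of forwarding: the decoy collects, it never relays.
        conn.sendall(b"HTTP/1.0 403 Forbidden\r\n\r\n")
    finally:
        conn.close()

def serve(host="0.0.0.0", port=65506):
    """Accept connections on the port the thread discusses; one thread per client."""
    with socket.socket() as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen()
        while True:
            c, a = s.accept()
            threading.Thread(target=handle, args=(c, a), daemon=True).start()

if __name__ == "__main__":
    serve()
```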
jvmorris (Reston, VA) | You saw this, I presume? »isc.incidents.org/diary.html?date=2004-03-13 -- Regards, Joseph V. Morris
Link Logger (Calgary, AB) | Hopefully this thread clears up any questions as to what 65506 traffic is. I put together a page here »www.linklogger.com/65506SpamRelay.htm about this as well.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
dvd536 (Phoenix, AZ) | reply to kpatz
said by kpatz: I'm thinking someone should create a decoy proxy - one that acts like the real thing, but instead of forwarding the spam on to its intended targets, it just collects it, and IP logs, to gather evidence to use against the spammers.
I wonder what an ISP abuse dept will think of receiving an email with an IP log showing one of their IPs, and 1,000 spam messages in a zipped attachment, that were attempted to be sent from that IP.
Pointless. Most likely the connecting IP is also a hacked box, so all you end up getting info on is a bunch of other compromised boxes. -- You can never be too rich, too thin or have too much Bandwidth
pcdebb (Brandon, FL) | reply to Link Logger
Has quieted down.
kpatz (Manchester, NH) | reply to dvd536
said by dvd536: Pointless. most likely the connecting IP is also a hacked box so all you end up getting info on is a bunch of other compromised boxes.
Only if the spammers are routing their crap through multiple proxies. By intercepting port 65506 traffic, you're seeing the spam on the way *to* one of the hacked boxes. This increases the likelihood that the originating IP belongs to a spammer or one of its accomplices.
Daemon (San Francisco, CA) | I'm starting to see scans from American IPs, some of them on dialup of all places...
64.4.131.101 *.snlo.dialup.fix.net
67.118.45.0 (yes, .0!) *.dsl.pacbell.net (are they spoofing now?)
64.228.240.67 *.sympatico.ca
etc etc... I'm only seeing a hit every hr or so. -- -Ryan The more you know the more you know how little you know, you know?
kpatz (Manchester, NH) | said by Daemon: 67.118.45.0 (yes, .0!) *.dsl.pacbell.net (are they spoofing now?)
That IP is valid if the subnet mask is 255.255.254.0 or wider, which it probably is.
Daemon (San Francisco, CA) | Do a pointer lookup on it. It returns information for that subnet. It could just be nslookup assuming it's not a valid IP, but... -- -Ryan The more you know the more you know how little you know, you know?
WGM39 (Washougal, WA) | reply to Link Logger
Zone Alarm Pro has logged/blocked some to port 65506.
03/17/2004 15:51:06-8:00 GMT from 66.178.55.6:3231 •66-178-55-6.reserve.newskies.net
03/17/2004 15:21:46-8:00 GMT from 81.53.170.127:3334 •ASte-Genev-Bois.112-1-24-127.w81.-53.abo.wanadoo.fr
03/17/2004 15:01:48-8:00 GMT from 211.243.64.202:2174 •No info
03/17/2004 15:21:46-8:00 GMT from 218.52.85.200:3031 •No info
03/17/2004 12:49:16-8:00 GMT from 81.113.149.5:2764 •No info
-- Ground Control, SRS, DW4000, G11 1370, BE 4.2.1.10 My web site: www.wmmc.us
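As an added example (not from the thread, from WGM39, or from Zone Alarm), a Python parser for log lines of the shape posted above: it counts blocked attempts per source address and, picking up kpatz's point about 67.118.45.0, uses the standard ipaddress module to check whether an address ending in .0 is a usable host under a given prefix length. The sample text is a constructed copy of the lines above plus one constructed line for 67.118.45.0; the field names are assumptions.

```python
import re
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample in the same shape as the Zone Alarm Pro lines posted above.
SAMPLE_LOG = """\
03/17/2004 15:51:06-8:00 GMT from 66.178.55.6:3231 •66-178-55-6.reserve.newskies.net
03/17/2004 15:21:46-8:00 GMT from 81.53.170.127:3334 •ASte-Genev-Bois.112-1-24-127.w81.-53.abo.wanadoo.fr
03/17/2004 15:01:48-8:00 GMT from 211.243.64.202:2174 •No info
03/17/2004 15:21:46-8:00 GMT from 218.52.85.200:3031 •No info
03/17/2004 12:49:16-8:00 GMT from 81.113.149.5:2764 •No info
03/17/2004 16:02:10-8:00 GMT from 67.118.45.0:4011 •No info
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})(?P<tz>[+-]\d{1,2}:\d{2}) GMT "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) •(?P<rdns>.*)$"
)

def parse_line(line):
    """Return a record for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "sport": int(m["port"]),
            "rdns": None if m["rdns"] == "No info" else m["rdns"]}

def hits_per_source(text):
    """Count blocked attempts per source IP, skipping lines that do not parse."""
    return Counter(r["ip"] for r in map(parse_line, text.splitlines()) if r)

def is_usable_host(ip, prefixlen):
    """True unless ip is the network or broadcast address of its /prefixlen block.
    67.118.45.0 is an ordinary host inside a /23 (mask 255.255.254.0) but not a /24."""
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    addr = ipaddress.ip_address(ip)
    return addr != net.network_address and addr != net.broadcast_address
```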