Incident: 02-24-02 14:08

tcp:1214 -- KaZaa

What's going on here is that, being on dialup, I have a dynamic IP address, which means that when I redial I get an IP address that someone else has just been using...

...so for KaZaa, Morpheus, Napster and the other file-sharing P2P programs, which are very persistent about continuing to attempt to re-establish a connection that's been closed, it's assumed that *I* have something to share. (Of course, I don't, but that won't stop them from trying.)

Also, some of these programs apparently try to re-establish the connection when either the program is started or the computer the program is running on comes back online.

That's why you see all sorts of IP addresses, at various points in time, attempting to connect to the IP *I've* got right now.

This sort of stuff, along with Code Red/Nimda probes, has become a sort of constant background noise on the Internet.

'nuff said..
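The retry pattern in the captures below (one source port, the same sequence number on every SYN, gaps of roughly 3, 6 and 12 seconds) is what a peer's TCP stack does when a connect() gets no answer, which is why it reads as a stale peer entry rather than a scan. As an added example, not part of the original log, here is a small Python script that parses Snort -v packet records in this layout, groups bare SYNs per source host, and labels a series as a stack retransmission when the socket stays constant and the gaps double, or as repeated probes when each SYN comes from a fresh socket. The log text (documentation-range addresses, and the second "probe" series in particular) is constructed for the example; the hop estimate assumes the usual 64/128/255 initial-TTL defaults.

```python
"""Group Snort -v packet-log records into connect attempts and separate a
stock TCP stack's retransmission backoff (a peer retrying a dead connection)
from repeated, distinct probes."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Snort -v record layout (separator lines omitted;
# the parser keys on the timestamp header). Series 1 mimics the stalled-peer
# pattern: one source port, one ISN, ~3 s then ~6 s gaps. Series 2 is an
# invented contrast case: a fresh source port and ISN on every SYN, one
# second apart, as a script retrying from scratch would look.
SAMPLE_LOG = """\
02/24-10:20:04.454733 192.0.2.10:65199 -> 192.0.2.200:1214
TCP TTL:114 TOS:0x0 ID:28440 IpLen:20 DgmLen:48 DF
******S* Seq: 0xC4F5228C  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
02/24-10:20:07.405043 192.0.2.10:65199 -> 192.0.2.200:1214
TCP TTL:114 TOS:0x0 ID:28442 IpLen:20 DgmLen:48 DF
******S* Seq: 0xC4F5228C  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
02/24-10:20:13.425635 192.0.2.10:65199 -> 192.0.2.200:1214
TCP TTL:114 TOS:0x0 ID:28443 IpLen:20 DgmLen:48 DF
******S* Seq: 0xC4F5228C  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
02/24-11:02:00.100000 198.51.100.7:3001 -> 192.0.2.200:1214
TCP TTL:49 TOS:0x0 ID:100 IpLen:20 DgmLen:48 DF
******S* Seq: 0x00000001  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
02/24-11:02:01.100000 198.51.100.7:3002 -> 192.0.2.200:1214
TCP TTL:49 TOS:0x0 ID:101 IpLen:20 DgmLen:48 DF
******S* Seq: 0x00000002  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

HDR = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) "
                 r"(\S+):(\d+) -> (\S+):(\d+)$")
TTL = re.compile(r"^TCP TTL:(\d+) ")
TCP = re.compile(r"^(\S{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)")
YEAR = 2002  # Snort -v timestamps carry no year; assumed from the page header


def parse_log(text):
    """Return one dict per TCP packet record found in a Snort -v text log."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    pkts = []
    for i, line in enumerate(lines):
        m = HDR.match(line)
        if not m:
            continue
        mo, d, h, mi, s, us, src, sport, dst, dport = m.groups()
        ttl_m = TTL.match(lines[i + 1]) if i + 1 < len(lines) else None
        tcp_m = TCP.match(lines[i + 2]) if i + 2 < len(lines) else None
        if not (ttl_m and tcp_m):
            continue  # non-TCP or truncated record: skip it
        pkts.append({
            "ts": datetime(YEAR, int(mo), int(d), int(h), int(mi), int(s), int(us)),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "ttl": int(ttl_m.group(1)), "flags": tcp_m.group(1),
            "seq": int(tcp_m.group(2), 16),
        })
    return pkts


def estimate_hops(ttl):
    """Guess (initial TTL, hop count) from the common 64/128/255 defaults."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def is_backoff(gaps):
    """True when each gap is roughly double the previous one (RTO doubling).
    A single gap gives no evidence either way and is accepted."""
    return bool(gaps) and all(1.5 <= b / a <= 2.5 for a, b in zip(gaps, gaps[1:]))


def classify(pkts):
    """Group bare SYNs by (source host, destination, port) and label each group."""
    groups = defaultdict(list)
    for p in pkts:
        if "S" in p["flags"] and "A" not in p["flags"]:
            groups[(p["src"], p["dst"], p["dport"])].append(p)
    report = {}
    for key, series in groups.items():
        series.sort(key=lambda p: p["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(series, series[1:])]
        same_socket = len({(p["sport"], p["seq"]) for p in series}) == 1
        if len(series) >= 2 and same_socket and is_backoff(gaps):
            label = "stack-retransmit"  # one connect() the peer's stack keeps retrying
        elif len(series) >= 2:
            label = "repeated-probes"   # new socket each time: scripted behaviour
        else:
            label = "single-syn"
        initial, hops = estimate_hops(series[0]["ttl"])
        report[key] = {"label": label, "count": len(series),
                       "gaps": [round(g, 1) for g in gaps],
                       "initial_ttl": initial, "hops": hops}
    return report


if __name__ == "__main__":
    for key, info in classify(parse_log(SAMPLE_LOG)).items():
        print(key, info)
```

Run it against a real file with `classify(parse_log(open(path).read()))`; the TTL-derived hop count is only a hint, since a peer behind an unusual stack or a tunnel will not match any of the three defaults.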



[toot@sparky /storage/snort/old_snorts/022402]# more port_1214-0224@0711.log 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-10:20:04.454733 68.40.44.154:65199 -> 12.82.137.151:1214
TCP TTL:114 TOS:0x0 ID:28440 IpLen:20 DgmLen:48 DF
******S* Seq: 0xC4F5228C  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-10:20:07.405043 68.40.44.154:65199 -> 12.82.137.151:1214
TCP TTL:114 TOS:0x0 ID:28442 IpLen:20 DgmLen:48 DF
******S* Seq: 0xC4F5228C  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-10:20:13.425635 68.40.44.154:65199 -> 12.82.137.151:1214
TCP TTL:114 TOS:0x0 ID:28443 IpLen:20 DgmLen:48 DF
******S* Seq: 0xC4F5228C  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 1999-2001 William E. Weinman 

Request: 68.40.44.154
connecting to whois.arin.net [63.146.182.182:43] ...
Comcast Cable Communications, Inc.
 (NETBLK-JUMPSTART-1) JUMPSTART-1
     68.32.0.0 - 68.63.255.255

Comcast Cable Communications, Inc.
 (NETBLK-JUMPSTART-MICHIGAN-A) JUMPSTART-MICHIGAN-A
     68.40.0.0 - 68.43.255.255

Comcast Cable Communications, Inc. (NETBLK-JUMPSTART-MICHIGAN-A)
   1275 Ball Road
   Jonesville, MI
   US    

Netname: JUMPSTART-MICHIGAN-A
   Netblock: 68.40.0.0 - 68.43.255.255    

Coordinator:
      Zeibari, Greg  (GZ64-ARIN)  gzeibari@comcastpc.com
      856-661-7929    

Domain System inverse mapping provided by: 
   NS01.JDC01.PA.COMCAST.NET   66.45.25.71
   NS02.JDC01.PA.COMCAST.NET   66.45.25.72



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-10:35:13.446129 63.29.24.126:3151 -> 12.82.137.151:1214
TCP TTL:113 TOS:0x0 ID:62566 IpLen:20 DgmLen:48 DF
******S* Seq: 0x462594  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-10:35:16.276395 63.29.24.126:3151 -> 12.82.137.151:1214
TCP TTL:113 TOS:0x0 ID:9831 IpLen:20 DgmLen:48 DF
******S* Seq: 0x462594  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-10:35:22.327039 63.29.24.126:3151 -> 12.82.137.151:1214
TCP TTL:113 TOS:0x0 ID:13927 IpLen:20 DgmLen:48 DF
******S* Seq: 0x462594  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-10:35:34.338241 63.29.24.126:3151 -> 12.82.137.151:1214
TCP TTL:113 TOS:0x0 ID:37991 IpLen:20 DgmLen:48 DF
******S* Seq: 0x462594  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 536 NOP NOP SackOK 



BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 1999-2001 William E. Weinman 

Request: 63.29.24.126
connecting to whois.arin.net [192.149.252.34:43] ...

UUNET Technologies, Inc. (NETBLK-NETBLK-UUNET97DU)
   3060 Williams Drive, Suite 601
   Fairfax, va 22031
   US    

Netname: NETBLK-UUNET97DU
   Netblock: 63.0.0.0 - 63.63.255.255
   Maintainer: UUDA    

Coordinator:
      UUNET, Technical Support  (OA12-ARIN)  help@uu.net
      (800) 900-0241    

Domain System inverse mapping provided by: 
   DIALDNS1.UU.NET          153.39.194.10
   DIALDNS2.UU.NET          153.39.194.26
   DIALDNS200.NS.UU.NET     195.129.111.3
   DIALDNS210.NS.UU.NET     195.129.111.4



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-12:59:01.664283 193.252.222.169:1622 -> 12.82.137.151:1214
TCP TTL:112 TOS:0x0 ID:7882 IpLen:20 DgmLen:48 DF
******S* Seq: 0x9B105C35  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-12:59:04.654562 193.252.222.169:1622 -> 12.82.137.151:1214
TCP TTL:112 TOS:0x0 ID:7884 IpLen:20 DgmLen:48 DF
******S* Seq: 0x9B105C35  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-12:59:10.675168 193.252.222.169:1622 -> 12.82.137.151:1214
TCP TTL:112 TOS:0x0 ID:7885 IpLen:20 DgmLen:48 DF
******S* Seq: 0x9B105C35  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 1999-2001 William E. Weinman 

% This is the RIPE Whois server.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html 

inetnum:      193.252.222.0 - 193.252.222.255
netname:      IP2000-ADSL-BAS
descr:        France Telecom IP2000 ADSL BAS
descr:        BSNAN104 Nantes Bloc1
country:      FR
admin-c:      WITR1-RIPE
tech-c:       WITR1-RIPE
status:       ASSIGNED PA
remarks:      for hacking, spamming or security problems send mail to
remarks:      postmaster@wanadoo.fr AND abuse@wanadoo.fr
remarks:      for ANY problem send mail to gestionip.ft@francetelecom.com
source:       RIPE 

route:        193.252.128.0/17
descr:        France Telecom
origin:       AS3215
source:       RIPE 

role:         Wanadoo Interactive Technical Role
address:      WANADOO INTERACTIVE
address:      48 rue Camille Desmoulins
address:      92791 ISSY LES MOULINEAUX CEDEX 9
address:      FR
phone:        +33 1 58 88 50 00
e-mail:       abuse@wanadoo.fr
e-mail:       postmaster@wanadoo.fr
admin-c:      FTI-RIPE
tech-c:       TEFS1-RIPE
nic-hdl:      WITR1-RIPE
notify:       gestionip.ft@francetelecom.com
source:       RIPE



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-14:08:25.897387 12.243.82.57:64639 -> 12.82.137.151:1214
TCP TTL:116 TOS:0x0 ID:64753 IpLen:20 DgmLen:48 DF
******S* Seq: 0x13D251F  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-14:08:28.857715 12.243.82.57:64639 -> 12.82.137.151:1214
TCP TTL:116 TOS:0x0 ID:2802 IpLen:20 DgmLen:48 DF
******S* Seq: 0x13D251F  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-14:08:34.848344 12.243.82.57:64639 -> 12.82.137.151:1214
TCP TTL:116 TOS:0x0 ID:9970 IpLen:20 DgmLen:48 DF
******S* Seq: 0x13D251F  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/24-14:08:46.849542 12.243.82.57:64639 -> 12.82.137.151:1214
TCP TTL:116 TOS:0x0 ID:25074 IpLen:20 DgmLen:48 DF
******S* Seq: 0x13D251F  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 1999-2001 William E. Weinman 

Request: 12.243.82.57
connecting to whois.arin.net [192.149.252.34:43] ...

AT&T ITS (NET-ATT)
   200 Laurel Avenue South
   Middletown, NJ 07748
   US    

Netname: ATT
   Netblock: 12.0.0.0 - 12.255.255.255
   Maintainer: ATTW    

Coordinator:
      Kostick, Deirdre  (DK71-ARIN)  help@IP.ATT.NET
      (888)613-6330    

Domain System inverse mapping provided by: 
   DBRU.BR.NS.ELS-GMS.ATT.NET   199.191.128.106
   DMTU.MT.NS.ELS-GMS.ATT.NET   12.127.16.70
   CBRU.BR.NS.ELS-GMS.ATT.NET   199.191.128.105
   CMTU.MT.NS.ELS-GMS.ATT.NET   12.127.16.69


===============================================================================

Snort processed 14 packets.
Breakdown by protocol:                Action Stats:

    TCP: 14         (100.000%)          ALERTS: 0         
    UDP: 0            (0.000%)          LOGGED: 0         
   ICMP: 0            (0.000%)          PASSED: 0         
    ARP: 0            (0.000%)
   IPv6: 0            (0.000%)
    IPX: 0            (0.000%)
  OTHER: 0            (0.000%)
===============================================================================


jsage@finchhaven.com
Last modified: Sun Feb 24 19:04:50 2002