Bots and Random Port Traffic

I don’t know how many people actually look through firewall logs, or have a firewall that produces a log of what and who is hitting their computer.

For those that do (especially you Vista users), you might want to look.

I recently installed the beta of SP3 for Windows XP (beta testing is sometimes good, sometimes bad), and I have noticed that recently I am getting pings and other traffic from all manner of sources.

Here is a list of a few of them (I will mention the outbound traffic in a few moments):

  • Ministry of Health
  • Verestar
  • JP Morgan Financial
  • Harbin City Government Information Center
  • Computer Science Corporation
  • General Electric
  • HP
  • Apple (might be able to write that off because I have an Apple router)
  • Halliburton
  • Lucent Tech
  • Time Warner
  • IBM Headquarters
  • Levi Strauss & co
  • AT&T Global Network services

And here are some that should worry people about how secure our government computers are:

  • Department of Defense
  • National Guard

Those are all just random fluff traffic.

It’s very random. The main ports I have seen hit are 21 (FTP), 23 (Telnet), 25 (SMTP), 80 (web), 445 (Windows networking), and 5900 (VNC).

While that doesn’t mean much to a lot of people, it does concern me.

The fact that computers at these various places are all running around as mindless bots spamming other computers isn’t cool.
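One way to turn a firewall log like this into something you can reason about is to count hits per service port and flag sources that probe several ports within minutes, which is the clumped, bot-like pattern described here. This is an added example, not code from the original post; the log layout (date, time, source IP, destination port, action) and the sample lines are constructed for illustration and do not match any particular firewall’s format.

```python
# Added example: tally inbound firewall hits per port and flag sources that
# probe several ports in a short burst. Log layout is hypothetical.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Service ports named in the post.
PORT_NAMES = {21: "ftp", 23: "telnet", 25: "smtp", 80: "web", 445: "smb", 5900: "vnc"}

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
2008-01-28 02:14:05 203.0.113.7 21 DROP
2008-01-28 02:14:06 203.0.113.7 23 DROP
2008-01-28 02:14:06 203.0.113.7 445 DROP
2008-01-28 02:14:07 203.0.113.7 5900 DROP
2008-01-28 09:30:00 198.51.100.20 80 ALLOW
2008-01-29 11:02:44 192.0.2.55 25 DROP
2008-01-31 18:45:10 192.0.2.55 445 DROP
"""

def parse_log(text):
    """Yield (timestamp, src_ip, dst_port, action); malformed lines are skipped."""
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) != 5:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            yield ts, parts[2], int(parts[3]), parts[4]
        except ValueError:
            continue

def hits_per_port(text):
    """Count hits per destination port, labelled with the service name."""
    return dict(Counter(PORT_NAMES.get(p, str(p)) for _, _, p, _ in parse_log(text)))

def find_scanners(text, min_ports=3, window=timedelta(minutes=5)):
    """Sources that hit >= min_ports distinct ports within `window`: the
    clumped probing the post attributes to bots. Returns {src: [ports]}."""
    by_src = defaultdict(list)
    for ts, src, port, _ in parse_log(text):
        by_src[src].append((ts, port))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners
```

Run against a week of real log lines, `find_scanners` separates the one-off hits from the sources that sweep FTP, Telnet, SMB and VNC in a single burst; the latter are the ones worth blocking at the edge or reporting to the owning network’s abuse contact.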

I remember talking with root, and he was seeing broadcast traffic as MSN Messenger traffic (he uses Linux, so it wasn’t going to do anything).

I think it’s odd, and I wish that I could do something about it.

If anyone else sees traffic that just looks funny, let me know.

I want to see how many people are getting random spam.

Also, for the outbound… lots of stuff to Microsoft…

I’d also like to mention, I don’t go out there and download porn or much of anything else (the occasional software update or trial, but that’s it).

Most of what I do is work related, things like web design or research, and the occasional hit or 2 on facebook.

3 Responses

  1. root  •  January 30, 2008 @11:10 am

    Slight Correction
    Actually, what I was seeing was Windows “popup” messages, which on a windows machine, will pop up looking like an alert from the operating system. Lots of traffic like “You’re computer has a virus, click here to remove it” that directs you to a webpage that tries to drive-by download a ton of malware onto your machine.
    It just goes to show, that as a platform, Windows is insecure.

  2. root  •  January 30, 2008 @1:06 pm

    and one other thought…
    About six years ago, a commercial client I was doing work for had one of their web servers hacked.
    I was called in to deal with the issue (lots to say there, but we’ll save that for some other war story), but while I was rebuilding the server, the hacker who’d broken in tried to get back in.
    He couldn’t, because I’d closed the hole he’d used to get into the system. The next thing I know, we’re being DDOSed (Distributed Denial of Service attack) as Mr. Hacker from former Soviet nation throws a temper tantrum at being locked out.
    I started logging what machines were taking part in the DDOS, and the list was quite interesting.
    Computers from the Federal Reserve, a machine named Godzilla in the Army’s network, machines from hospitals, TVA, banks, and other companies that I won’t mention.
    All in all, over 2,500 machines trying to knock this server back off the network.
    Over the next few days, I spent a lot of time talking to the organizations who had affected machines, but the network administrator for the Army, and the Federal Reserve folks I spoke to, were most surprised that their machines were involved.

  3. axis  •  January 30, 2008 @1:12 pm

    my point.
    I’d like to know why all of these various machines are trying to talk to my machine, when my machine is merely sitting there doing nothing. (I have it DMZ’d so that it will run a little web and FTP server for my own use with school, but it’s interesting to know that these machines are trying to talk to my network.) And remember, these logs are from about the span of a week, though they usually all try to hit in a clump, which is why I’m thinking it’s bots doing it.

