Outpost Users Support Forum  
Outpost User Operated Support Forum
Agnitum Outpost Pro Release (OP, OSS, AV): 7.0.3.3392 [24-AUG-2010]
www.agnitum.com

#1  04-15-2002, 01:59 AM
Nemo (Junior Member; Join Date: Oct 2001; Posts: 12)
is this an attack ?!?!

Sigh....
Today I found that Outpost's memory usage is around 48 MB!!!
After a look at the attack section I found this:

15/04/2002 15.51.57 Connection request 211.135.166.104 TCP(7777)
15/04/2002 15.51.54 Connection request 172.180.23.181 TCP(7777)
15/04/2002 15.51.49 Connection request 210.249.203.238 TCP(7777)
15/04/2002 15.51.44 Connection request 218.217.44.155 TCP(7777)
15/04/2002 15.51.39 Connection request 61.18.212.20 TCP(7777)
15/04/2002 15.51.36 Connection request 61.198.172.242 TCP(7777)
15/04/2002 15.51.35 Connection request 43.238.192.18 TCP(7777)
15/04/2002 15.51.02 Connection request 61.211.203.9 TCP(7777)
15/04/2002 15.50.54 Connection request 210.157.101.18 TCP(7777)
15/04/2002 15.50.40 Connection request 210.20.44.148 TCP(7777)
15/04/2002 15.50.34 Connection request 61.211.210.227 TCP(7777)
15/04/2002 15.50.32 Connection request 218.143.144.99 TCP(7777)
15/04/2002 15.50.24 Connection request 24.120.54.151 TCP(7777)
15/04/2002 15.50.17 Connection request 210.162.34.58 TCP(7777)
15/04/2002 15.49.40 Connection request 218.123.112.38 TCP(7777)
15/04/2002 15.49.24 Connection request 210.20.213.221 ICMP(2048)
15/04/2002 15.49.09 Connection request 210.20.213.221 TCP(7777)
15/04/2002 15.49.05 Connection request 43.238.192.18 TCP(7777)
15/04/2002 15.48.59 Connection request 210.159.243.44 TCP(7777)
15/04/2002 15.48.45 Connection request 43.236.84.43 TCP(7777)
15/04/2002 15.48.40 Connection request 211.16.126.62 TCP(7777)
15/04/2002 15.48.25 Connection request 80.116.243.168 TCP(3128)
15/04/2002 15.48.23 Connection request 210.231.110.81 TCP(7777)
15/04/2002 15.48.14 Connection request 210.20.44.148 TCP(7777)
15/04/2002 15.48.02 Connection request 80.138.162.187 TCP(7777)
15/04/2002 15.47.32 Connection request 165.76.81.67 TCP(7777)
15/04/2002 15.47.30 Connection request 210.57.135.210 TCP(7777)
15/04/2002 15.47.25 Connection request 210.149.220.225 TCP(7777)
15/04/2002 15.47.01 Connection request 217.29.64.3 TCP(7777)
15/04/2002 15.47.00 Connection request 210.249.203.238 TCP(7777)
15/04/2002 15.46.47 Connection request 218.43.2.117 TCP(7777)
15/04/2002 15.46.32 Connection request 210.197.104.16 TCP(7777)
15/04/2002 15.46.29 Connection request 202.209.152.34 TCP(7777)
15/04/2002 15.46.22 Connection request 61.122.35.192 TCP(7777)
15/04/2002 15.46.18 Connection request 43.232.84.246 TCP(7777)
15/04/2002 15.46.01 Connection request 61.26.144.53 TCP(7777)
15/04/2002 15.45.48 Connection request 210.20.44.148 TCP(7777)
15/04/2002 15.45.45 Connection request 80.139.154.146 TCP(7777)
15/04/2002 15.45.37 Connection request 211.16.126.62 TCP(7777)
15/04/2002 15.45.35 Connection request 147.122.61.18 TCP(7777)
15/04/2002 15.45.20 Connection request 218.230.161.4 TCP(7777)
15/04/2002 15.45.12 Connection request 61.213.70.198 TCP(7777)
15/04/2002 15.45.06 Connection request 211.6.102.75 TCP(7777)
15/04/2002 15.45.02 Connection request 218.112.238.7 TCP(7777)
15/04/2002 15.44.56 Connection request 203.247.168.232 TCP(7777)
15/04/2002 15.44.47 Connection request 62.42.133.236 TCP(7777)
15/04/2002 15.44.33 Connection request 218.224.141.69 TCP(7777)
15/04/2002 15.44.13 Connection request 210.249.203.238 TCP(7777)
15/04/2002 15.43.56 Connection request 202.247.95.195 TCP(7777)
15/04/2002 15.43.54 Connection request 61.207.79.11 TCP(7777)
15/04/2002 15.43.53 Connection request 80.135.107.110 TCP(7777)
15/04/2002 15.43.31 Connection request 218.114.56.180 TCP(7777)
15/04/2002 15.43.25 Connection request 210.20.44.148 TCP(7777)
15/04/2002 15.43.17 Connection request 61.18.212.20 TCP(7777)
15/04/2002 15.43.08 Connection request 210.225.14.69 TCP(7777)
15/04/2002 15.43.00 Connection request 218.220.80.132 TCP(7777)
15/04/2002 15.42.58 Connection request 61.198.172.242 TCP(7777)
15/04/2002 15.42.31 Connection request 210.197.104.16 TCP(7777)

[...]

What can I do to stop this?!?
Thanks...
#2  04-15-2002, 02:21 AM
root (Retired Administrator; Join Date: Aug 2001; Location: USA; Posts: 4,142)
I've never seen anything like that before.
Are you running any P2P programs? Multiple addys all on port 7777 looks like replies from different machines all over the place.
#3  04-15-2002, 02:42 AM
Nemo (Junior Member; Join Date: Oct 2001; Posts: 12)
Quote:
Originally posted by root
I've never seen anything like that before.
Are you running any P2P programs? Multiple addys all on port 7777 looks like replies from different machines all over the place.
No, I have no P2P program active.
These are my 'netstat -a' results under XP:

Proto Local Address Foreign Address State
TCP timework:smtp timework:0 LISTENING
TCP timework:auth timework:0 LISTENING
TCP timework:epmap timework:0 LISTENING
TCP timework:microsoft-ds timework:0 LISTENING
TCP timework:1024 timework:0 LISTENING
TCP timework:1025 timework:0 LISTENING
TCP timework:1029 timework:0 LISTENING
TCP timework:1039 timework:0 LISTENING
TCP timework:2491 timework:0 LISTENING
TCP timework:3389 timework:0 LISTENING
TCP timework:3628 timework:0 LISTENING
TCP timework:4500 timework:0 LISTENING
TCP timework:5800 timework:0 LISTENING
TCP timework:5900 timework:0 LISTENING
TCP timework:24837 timework:0 LISTENING
TCP timework:3628 205.188.10.21:5190 ESTABLISHED
TCP timework:4571 newsreader.mailgate.org:nntp TIME_WAIT
TCP timework:4572 newsreader.mailgate.org:nntp TIME_WAIT
TCP timework:4574 pop.libero.it:pop3 TIME_WAIT
TCP timework:4575 mail1c.webmessenger.it:pop3 TIME_WAIT
TCP timework:4576 newsreader.mailgate.org:nntp TIME_WAIT
TCP timework:4578 pop09-acc.tin.it:pop3 TIME_WAIT
TCP timework:4579 pop09-acc.tin.it:pop3 TIME_WAIT
TCP timework:4581 62.241.4.1:pop3 TIME_WAIT
TCP timework:4582 ns1.register.it:pop3 TIME_WAIT
TCP timework:4584 mail1c.webmessenger.it:pop3 TIME_WAIT
TCP timework:4585 newsreader.mailgate.org:nntp TIME_WAIT
TCP timework:nntp localhost:4323 TIME_WAIT
TCP timework:1024 localhost:1039 ESTABLISHED
TCP timework:1039 localhost:1024 ESTABLISHED
UDP timework:epmap *:*
UDP timework:microsoft-ds *:*
UDP timework:isakmp *:*
UDP timework:1026 *:*
UDP timework:1034 *:*
UDP timework:1453 *:*
UDP timework:1454 *:*
UDP timework:4194 *:*
UDP timework:ntp *:*
UDP timework:ntp *:*
UDP timework:4441 *:*
UDP timework:ntp *:*

As you can see, I have no program listening or anything else on port 7777..

and the attack still continues :-(
#4  04-15-2002, 02:51 AM
root (Retired Administrator; Join Date: Aug 2001; Location: USA; Posts: 4,142)
Only thing I can think of is I notice you have several pop3 ports in time wait status, which means they are waiting for replies.
Do you have an email server? Can you enlighten me on all that pop3 stuff?
#5  04-15-2002, 03:09 AM
Nemo (Junior Member; Join Date: Oct 2001; Posts: 12)
Quote:
Originally posted by root
Only thing I can think of is I notice you have several pop3 ports in time wait status, which means they are waiting for replies.
Do you have an email server? Can you enlighten me on all that pop3 stuff?
Yes, this is correct; I'm using The Bat! email client with multi-account support, so all this POP3 activity is normal :-)

Another program that I use is Advanced Direct Remailer; it is a local mail server (but it only 'listens' on the localhost IP address).
Other incoming requests are blocked by Outpost as well.

So I have nothing that explains all this activity on my port 7777.
I have also changed my IP (dynamic IP), but when I reconnected to my ISP, the attack started again....
#6  04-15-2002, 03:43 AM
root (Retired Administrator; Join Date: Aug 2001; Location: USA; Posts: 4,142)
Did this just start? Install any new programs?
What's your OS and version of Outpost? What programs are loaded at startup?
You have something broadcasting and getting replies on port 7777, it looks like to me, since you changed your IP.
#7  04-15-2002, 05:13 AM
Nemo (Junior Member; Join Date: Oct 2001; Posts: 12)
Quote:
Originally posted by root
Did this just start? Install any new programs?
What's your OS and version of Outpost? What programs are loaded at startup?
You have something broadcasting and getting replies on port 7777, it looks like to me, since you changed your IP.
My previous 2 IPs were:

xxx.xxx.254.255
xxx.xxx.254.225

Now I have a totally different IP (xxx.xxx.11.136) and the attack has finally stopped ;-)
I think someone has attacked the entire subnet.
#8  04-15-2002, 05:41 AM
MegaHertz (Beta Tester; Join Date: Jan 2002; Location: Idaho; Posts: 3,951)
This is what I found doing a quick Google search...

Hackers can spoof UDP packets to this port in order to control the cable modem. This came from NetworkICE's website. Not saying that this is what is happening, but anything is possible.

There is also a thread on the Acute Murder Squad forums discussing servers that use port 7777. Looks like they may be game servers. Anyway, just thought it was interesting.

Last edited by MegaHertz; 04-15-2002 at 05:44 AM.
#9  04-15-2002, 07:52 AM
Le Prechaun (Junior Member; Join Date: Mar 2002; Location: Finland; Posts: 25)
Nemo,

I'm inclined to believe that it's quite "normal" internet behavior. Sometimes, with dynamic IPs, it appears that the preceding owner of the same IP has had some server running on some port (on port 7777 in your case). After he disconnected, you inherited all the connection requests...

I have often seen the same behavior here with my ISP and dynamic IPs. It's most often port 1214 here (usually KaZaA), and sometimes there may be several hundred requests an hour. I have even turned off the logging of this particular port, as I know Outpost blocks it anyway. If it gets too irritating and seems to slow down my own traffic, I may disconnect and reconnect after a while. And "after a while", because some ISPs (mine included) have the policy of giving you the same IP if you reconnect immediately.

Another issue is how Outpost seems to grab more memory the more log actions take place. But I guess this has something to do with the "known bug" that has been discussed here and there...
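The triage that root (posts #2 and #3) and Le Prechaun (post #9) do by eye can be written down: parse the Outpost attack-log lines, cross-check the destination ports against what `netstat -a` says is actually listening, and separate "many distinct sources hitting one port that nothing listens on" (the inherited-IP pattern) from "one source walking many ports" (a scan) and "a port that is both listening and being hit" (an exposed service worth a look). This is an added example, not code from the thread or from Agnitum. The 7777, 3128 and ICMP sample lines are copied from post #1 and the netstat lines are a subset of post #3; the `192.0.2.10` scan, the `198.51.100.7` hit on 5900, the `SERVICE_PORTS` map and the thresholds `min_sources`/`scan_ports` are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Outpost attack-log line as shown in post #1:
# "dd/mm/yyyy hh.mm.ss Connection request IP PROTO(port)"
OUTPOST_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}\.\d{2}\.\d{2}) Connection request "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<proto>[A-Z]+)\((?P<port>\d+)\)$"
)
# netstat -a prints service names for well-known ports. Assumption: only the
# names seen in post #3 are mapped here; a real tool would read /etc/services.
SERVICE_PORTS = {"smtp": 25, "auth": 113, "epmap": 135, "microsoft-ds": 445,
                 "nntp": 119, "pop3": 110, "ntp": 123, "isakmp": 500}


def parse_outpost(lines):
    """Return [(timestamp, src_ip, proto, port)]; lines that are not log records are skipped."""
    events = []
    for line in lines:
        m = OUTPOST_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H.%M.%S")
            events.append((ts, m["src"], m["proto"], int(m["port"])))
    return events


def listening_tcp_ports(netstat_lines):
    """TCP ports in LISTENING state from 'netstat -a' output (service names resolved via SERVICE_PORTS)."""
    ports = set()
    for line in netstat_lines:
        f = line.split()
        if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING":
            name = f[1].rsplit(":", 1)[1]
            port = SERVICE_PORTS.get(name, int(name) if name.isdigit() else None)
            if port is not None:
                ports.add(port)
    return ports


def triage(events, listening, min_sources=10, scan_ports=5):
    """Label every TCP destination port and list sources that probed many ports.

    'exposed-listener': the port is open locally and remote hosts are hitting it.
    'scan'            : every source on this port also touched >= scan_ports other ports.
    'stale-clients'   : >= min_sources distinct sources, nothing listening locally;
                        the inherited-dynamic-IP pattern described in post #9.
    'sporadic'        : anything else (ordinary background noise).
    """
    by_port = defaultdict(list)      # port -> [(ts, src)]
    ports_by_src = defaultdict(set)  # src -> {ports}
    for ts, src, proto, port in events:
        if proto != "TCP":           # ICMP(2048) is a type/code value, not a port
            continue
        by_port[port].append((ts, src))
        ports_by_src[src].add(port)
    scanners = {s for s, p in ports_by_src.items() if len(p) >= scan_ports}

    findings = {}
    for port, hits in by_port.items():
        sources = {src for _, src in hits}
        times = [ts for ts, _ in hits]
        if port in listening:
            label = "exposed-listener"
        elif sources <= scanners:
            label = "scan"
        elif len(sources) >= min_sources:
            label = "stale-clients"
        else:
            label = "sporadic"
        findings[port] = {"label": label, "hits": len(hits), "sources": len(sources),
                          "span_s": int((max(times) - min(times)).total_seconds())}
    return findings, sorted(scanners)


# Sample input: the 7777/3128/ICMP lines are from post #1; the 192.0.2.10 scan
# and the 198.51.100.7 hit on 5900 are constructed to show the other two labels.
OUTPOST_SAMPLE = """\
15/04/2002 15.51.57 Connection request 211.135.166.104 TCP(7777)
15/04/2002 15.51.54 Connection request 172.180.23.181 TCP(7777)
15/04/2002 15.51.49 Connection request 210.249.203.238 TCP(7777)
15/04/2002 15.51.44 Connection request 218.217.44.155 TCP(7777)
15/04/2002 15.51.39 Connection request 61.18.212.20 TCP(7777)
15/04/2002 15.51.36 Connection request 61.198.172.242 TCP(7777)
15/04/2002 15.51.35 Connection request 43.238.192.18 TCP(7777)
15/04/2002 15.51.02 Connection request 61.211.203.9 TCP(7777)
15/04/2002 15.50.54 Connection request 210.157.101.18 TCP(7777)
15/04/2002 15.50.40 Connection request 210.20.44.148 TCP(7777)
15/04/2002 15.50.34 Connection request 61.211.210.227 TCP(7777)
15/04/2002 15.50.32 Connection request 218.143.144.99 TCP(7777)
15/04/2002 15.49.24 Connection request 210.20.213.221 ICMP(2048)
15/04/2002 15.48.25 Connection request 80.116.243.168 TCP(3128)
15/04/2002 15.48.14 Connection request 210.20.44.148 TCP(7777)
15/04/2002 15.52.10 Connection request 192.0.2.10 TCP(21)
15/04/2002 15.52.11 Connection request 192.0.2.10 TCP(22)
15/04/2002 15.52.12 Connection request 192.0.2.10 TCP(23)
15/04/2002 15.52.13 Connection request 192.0.2.10 TCP(80)
15/04/2002 15.52.14 Connection request 192.0.2.10 TCP(139)
15/04/2002 15.53.01 Connection request 198.51.100.7 TCP(5900)
""".splitlines()

# Constructed subset of the 'netstat -a' listing in post #3 (host name 'timework').
NETSTAT_SAMPLE = """\
TCP timework:smtp timework:0 LISTENING
TCP timework:3389 timework:0 LISTENING
TCP timework:5900 timework:0 LISTENING
TCP timework:3628 205.188.10.21:5190 ESTABLISHED
UDP timework:ntp *:*
""".splitlines()

if __name__ == "__main__":
    findings, scanners = triage(parse_outpost(OUTPOST_SAMPLE), listening_tcp_ports(NETSTAT_SAMPLE))
    for port in sorted(findings):
        print(port, findings[port])
    print("scanners:", scanners)
```

On the sample, 7777 comes out as `stale-clients` (13 hits from 12 sources in 223 s, nothing listening), 3128 as `sporadic`, the five ports probed by `192.0.2.10` as `scan`, and 5900 as `exposed-listener` because VNC is listening in the netstat output. That last label is the one that deserves attention on a real host: blocked inbound noise on a closed port costs only log space (and, in this Outpost build, memory), whereas a listening service reachable from the internet is an actual exposure regardless of what the attack log shows.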
#10  04-15-2002, 06:43 PM
Nemo (Junior Member; Join Date: Oct 2001; Posts: 12)
Quote:
Originally posted by Le Prechaun
Nemo,

I'm inclined to believe that it's quite "normal" internet behavior. Sometimes, with dynamic IPs, it appears that the preceding owner of the same IP has had some server running on some port (on port 7777 in your case). After he disconnected, you inherited all the connection requests...
[...]
slow down my own traffic, I may disconnect and reconnect after a while. And "after a while", because some ISPs (mine included) have the policy to give you the same IP if you reconnect immediately.

Yes, I think you're right...
My ISP has the same behavior; my IP changes only after a while (about 10 min.)

Thanks to all for support and ideas ! :-)
#11  04-15-2002, 07:10 PM
Diniska (Beta Tester; Join Date: Jun 2001; Location: From Mother Russia!; Posts: 247)
Quote:
Originally posted by Le Prechaun
Another issue is how Outpost seems to grab the more memory the more log actions take place. But I guess this has something to do with the "known bug" that has been discussed here and there...
Yes! High memory usage is a known issue.
The new logging system will be completely rewritten...