We've noticed in the dshield data and from some of our users, that there was a very large spike in activity on TCP port 32000 yesterday. While it appears that the vast majority of this traffic seems to be coming from one source IP, it also seems to have hit a large chunk of internet address space. At this point, the spike may very well be over, but if anyone has more than just SYN packets (like had a netcat listener on that port) and can share the packets with us so we can try to figure out what application they might have been looking for, please submit via the contact page.
Jim Clausing, jclausing -- at -- isc dot sans dot org
I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS New York City 2019
Dec 29th 2006
1 decade ago