[fw-wiz] Odd scan to port 36867
From: SiegeX (siegex_at_atozcomp.com)
To: <firstname.lastname@example.org>
Date: Sun, 14 Nov 2004 18:04:43 -0800
Hi guys, I recently decided to write a simple bash script to go through all my iptables logs and see which ports were being hit the most. Note that I only logged NEW connections to ports that aren't open on my computer. Here are the top 10 results:
As you can see, I'm getting an abundance of hits to port 36867. I've googled and asked on many IRC channels what this might be about, and I've yet to come up with anything. I'm posting on this mailing list in hopes you guys could shed some light on what's going on here. Below is a sample from my iptables logs so you can see what I'm parsing.
Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=22.214.171.124 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867 SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0
Just to make sure that this port is not being hit by one or two different guys, I parsed my logs to see how many unique IPs were hitting port 36867, and I came up with 173 unique IPs. I'm also one of the beta testers for a new iptables module called "geoip", which takes the src/dst IP and does a hash lookup on MaxMind's free IP->country database. This allows me to do accounting on which countries send me the most packets to unopened ports, and here are the results I've found after running it for a week:
As you can see, the majority are coming from Germany (DE), with the US surprisingly in 2nd place with just about half the hits. I've yet to cross-reference the 173 unique IPs hitting port 36867 against MaxMind's database, but I have a strong feeling that they are coming from Germany. I hope you guys have a better clue what's going on than I do. Thanks.
firewall-wizards mailing list