[fw-wiz] Odd scan to port 36867

From: SiegeX (siegex_at_atozcomp.com)
Date: 11/15/04

  • Next message: Ben Nagy: "RE: [fw-wiz] Odd scan to port 36867"

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Sun, 14 Nov 2004 18:04:43 -0800

    Hi guys, I recently decided to write a simple bash script to go through all my iptables logs and see which ports were being hit the most. Note that I only logged NEW connections to ports that aren't open on my computer. Here are the top 10 results:

    495 36867
    54 1080
    51 6348
    16 1433
    13 6588
    13 3128
     9 4899
     9 3777
     9 3291
     8 8080
     8 3802

    As you can see, I'm getting an abundance of hits to port 36867, and I've googled and asked on many IRC channels what this might be about and I've yet to come up with anything. I'm posting on this mailing list in hopes you guys could shed some light on what's going on here. Below is a sample from my iptables logs so you can see what I'm parsing.

    Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=142.177.185.232 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867 SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0

    Just to make sure that this port is not being hit by one or two different guys, I parsed my logs to see how many unique IPs were hitting port 36867 and I came up with 173 unique IPs. I'm also one of the beta testers for a new iptables module called "geoip" which takes the src/dst IP and does a hash lookup on Maxmind's free ip->country database. This allows me to do accounting on which countries send me the most packets to unopen ports, and here are the results I've found after running it for a week:

    271 DE
    135 US
     96 FR
     93 CN
     53 KR
     47 BE
     43 GB
     33 MX
     28 NL
     27 IT

    As you can see, the majority are coming from Germany (DE), with the US surprisingly in 2nd place with just about half the hits. I've yet to cross-reference the 173 unique IPs hitting port 36867 against Maxmind's database, but I have a strong feeling that they are coming from Germany. I hope you guys have a better clue what's going on than I do. Thanks.

    -Sean
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
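A shell version of the two tallies Sean describes (hits per destination port, then distinct sources for one port), added here as an example and not the script from the post; the log lines are constructed and abbreviated, with documentation-range placeholder sources apart from the one address quoted above.

```shell
#!/bin/sh
# Added example: tally iptables LOG lines by DPT and count distinct SRC per port.

# Constructed, abbreviated iptables LOG sample. Only the first SRC is the one
# quoted in the post; the rest are documentation-range placeholders.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT= SRC=142.177.185.232 DST=X.X.X.X LEN=48 PROTO=TCP SPT=62121 DPT=36867 SYN
Nov 14 10:52:01 maximus possible_hack IN=eth0 OUT= SRC=192.0.2.10 DST=X.X.X.X LEN=48 PROTO=TCP SPT=3340 DPT=36867 SYN
Nov 14 10:52:03 maximus possible_hack IN=eth0 OUT= SRC=192.0.2.10 DST=X.X.X.X LEN=48 PROTO=TCP SPT=3341 DPT=36867 SYN
Nov 14 10:55:19 maximus possible_hack IN=eth0 OUT= SRC=198.51.100.7 DST=X.X.X.X LEN=48 PROTO=TCP SPT=1025 DPT=36867 SYN
Nov 14 11:02:44 maximus possible_hack IN=eth0 OUT= SRC=192.0.2.44 DST=X.X.X.X LEN=48 PROTO=TCP SPT=4456 DPT=1080 SYN
Nov 14 11:03:10 maximus possible_hack IN=eth0 OUT= SRC=203.0.113.5 DST=X.X.X.X LEN=48 PROTO=TCP SPT=2201 DPT=1433 SYN
Nov 14 11:03:12 maximus possible_hack IN=eth0 OUT= SRC=203.0.113.5 DST=X.X.X.X LEN=48 PROTO=TCP SPT=2202 DPT=1080 SYN
EOF

# Print the value of KEY=value field $2 (e.g. DPT) for every line of log file $1.
field() {
    awk -v key="$2=" 'BEGIN { n = length(key) }
        { for (i = 1; i <= NF; i++) if (index($i, key) == 1) print substr($i, n + 1) }' "$1"
}

# Top N destination ports, most hit first, printed as "<count> <port>".
top_ports() {        # $1: log file, $2: rows to show (default 10)
    field "$1" DPT | sort | uniq -c | sort -rn | awk '{ print $1, $2 }' | head -n "${2:-10}"
}

# Number of distinct source addresses that probed port $2 in log file $1.
unique_sources() {
    awk -v port="$2" '{ src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "SRC=") == 1) src = substr($i, 5)
            if (index($i, "DPT=") == 1) dpt = substr($i, 5) }
        if (dpt == port && src != "") print src }' "$1" | sort -u | awk 'END { print NR }'
}

top_ports "$LOG"                 # sample gives: 4 36867 / 2 1080 / 1 1433
unique_sources "$LOG" 36867      # sample gives: 3
```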

