RE: [fw-wiz] Odd scan to port 36867
From: Ben Nagy (ben_at_iagu.net)
To: "'SiegeX'" <email@example.com> Date: Tue, 16 Nov 2004 10:29:01 +0100
Could be malware activity, or someone scanning for backdoors / botnets. None
of the current big name malware uses that port by default AFAIK, but I guess
there could be variants.
Personally, I'd be interested in seeing more of the logs - there might be
patterns in the source port, IPID etc which often indicate that it's malware
generated. You can send those through to me direct if you don't want to bore
The TTL is 103 - that means it's odds on that this traffic came from a
Windows system. Default TTL is 64 on most of the unix / linux variants (it
could be VMS, but there are too many unique sources!). If your logs show
other packets with TTL 0<ttl<64 then it's almost certainly scanning activity
not malware, since it's cross platform.
rDNS says this is ip142177185232.mpoweredpc.net so this _particular_ probe
seems to be a home user in Canada - it's a sneaky Canadian, not a sneaky
SANS Dshield is dead right now, but normally I would also check there, to
see if what you're seeing is backed up by a local / global increase. You
could also submit it to the handlers there, they do good Sherlock Holmes
work, if they've got time.
If this is what it looks like (perps scanning for non-standard backdoors)
then it would be good to investigate further. Then again it could just be
nothing, who knows.
> -----Original Message-----
> From: firstname.lastname@example.org
> [mailto:email@example.com] On Behalf Of SiegeX
> Sent: Monday, November 15, 2004 3:05 AM
> To: firstname.lastname@example.org
> Subject: [fw-wiz] Odd scan to port 36867
> Hi guys, I recently decided to write a simple bash script to
> go through all my iptables logs and see which ports were
> being hit the most. Note that I only logged NEW connections
> to ports that arnt open on my computer. Here are the top 10 results
> 495 36867
> Below is a sample from my
> iptables logs so you can see what Im parsing.
> Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT=
> SRC=18.104.22.168 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00
> TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867
> SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0
> Just to make sure that this port is not being hit by one or
> two differnt guys, I parsed my logs to see how many unique
> ip's were hitting port 36867 and I came up with 173 unique
> Ive yet to cross reference the 173 unique IP's
> hitting port 36867 to Maxmind's database, but I have a strong
> feeling that they are comming from Germany. I hope you guys
> have a better clue whats going on than I do. Thanks.
firewall-wizards mailing list