Re: [fw-wiz] Odd scan to port 36867
From: JERRY MURTLAND (jmurtlan_at_insight.rr.com)
To: "Ben Nagy" <email@example.com>, "'SiegeX'" <firstname.lastname@example.org> Date: Tue, 23 Nov 2004 23:13:07 -0500
Lots of scans coming from home dsl users out of Canada lately. I've noticed
a peak from there on my honeyp-t. Can't be biased though, they do come from
----- Original Message -----
From: "Ben Nagy" <email@example.com>
To: "'SiegeX'" <firstname.lastname@example.org>
Sent: Tuesday, November 16, 2004 4:29 AM
Subject: RE: [fw-wiz] Odd scan to port 36867
> Could be malware activity, or someone scanning for backdoors / botnets.
> of the current big name malware uses that port by default AFAIK, but I
> there could be variants.
> Personally, I'd be interested in seeing more of the logs - there might be
> patterns in the source port, IPID etc which often indicate that it's
> generated. You can send those through to me direct if you don't want to
> the list.
> The TTL is 103 - that means it's odds on that this traffic came from a
> Windows system. Default TTL is 64 on most of the unix / linux variants (it
> could be VMS, but there are too many unique sources!). If your logs show
> other packets with TTL 0<ttl<64 then it's almost certainly scanning
> not malware, since it's cross platform.
> rDNS says this is ip142177185232.mpoweredpc.net so this _particular_ probe
> seems to be a home user in Canada - it's a sneaky Canadian, not a sneaky
> SANS Dshield is dead right now, but normally I would also check there, to
> see if what you're seeing is backed up by a local / global increase. You
> could also submit it to the handlers there, they do good Sherlock Holmes
> work, if they've got time.
> If this is what it looks like (perps scanning for non-standard backdoors)
> then it would be good to investigate further. Then again it could just be
> nothing, who knows.
>> -----Original Message-----
>> From: email@example.com
>> [mailto:firstname.lastname@example.org] On Behalf Of SiegeX
>> Sent: Monday, November 15, 2004 3:05 AM
>> To: email@example.com
>> Subject: [fw-wiz] Odd scan to port 36867
>> Hi guys, I recently decided to write a simple bash script to
>> go through all my iptables logs and see which ports were
>> being hit the most. Note that I only logged NEW connections
>> to ports that arnt open on my computer. Here are the top 10 results
>> 495 36867
>> Below is a sample from my
>> iptables logs so you can see what Im parsing.
>> Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT=
>> SRC=22.214.171.124 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00
>> TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867
>> SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0
>> Just to make sure that this port is not being hit by one or
>> two differnt guys, I parsed my logs to see how many unique
>> ip's were hitting port 36867 and I came up with 173 unique
>> Ive yet to cross reference the 173 unique IP's
>> hitting port 36867 to Maxmind's database, but I have a strong
>> feeling that they are comming from Germany. I hope you guys
>> have a better clue whats going on than I do. Thanks.
> firewall-wizards mailing list
firewall-wizards mailing list