Date: 11/24/04

    Date: Tue, 23 Nov 2004 23:13:07 -0500

    Lots of scans coming from home dsl users out of Canada lately. I've noticed
    a peak from there on my honeypot. Can't be biased though, they do come from

    Jerry Murtland
    > Could be malware activity, or someone scanning for backdoors / botnets.
    > None of the current big name malware uses that port by default AFAIK, but I
    > guess there could be variants.
    > Personally, I'd be interested in seeing more of the logs - there might be
    > patterns in the source port, IPID etc which often indicate that it's
    > malware generated. You can send those through to me direct if you don't
    > want to bore the list.
    > The TTL is 103 - that means it's odds on that this traffic came from a
    > Windows system. Default TTL is 64 on most of the unix / linux variants (it
    > could be VMS, but there are too many unique sources!). If your logs show
    > other packets with TTL 0<ttl<64 then it's almost certainly scanning
    > activity not malware, since it's cross platform.
    > rDNS says this is so this _particular_ probe
    > seems to be a home user in Canada - it's a sneaky Canadian, not a sneaky
    > German.
    > SANS Dshield is dead right now, but normally I would also check there, to
    > see if what you're seeing is backed up by a local / global increase. You
    > could also submit it to the handlers there, they do good Sherlock Holmes
    > work, if they've got time.
    > If this is what it looks like (perps scanning for non-standard backdoors)
    > then it would be good to investigate further. Then again it could just be
    > nothing, who knows.
    > Cheers,
    > ben
    >> Hi guys, I recently decided to write a simple bash script to
    >> go through all my iptables logs and see which ports were
    >> being hit the most. Note that I only logged NEW connections
    >> to ports that aren't open on my computer. Here are the top 10 results
    >> 495 36867
    > [...]
    >> Below is a sample from my
    >> iptables logs so you can see what I'm parsing.
    >> Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT=
    >> MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00
    >> SRC= DST=X.X.X.X LEN=48 TOS=00 PREC=0x00
    >> TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867
    >> SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0
    >> Just to make sure that this port is not being hit by one or
    >> two different guys, I parsed my logs to see how many unique
    >> IPs were hitting port 36867 and I came up with 173 unique
    >> IPs.
    > [...]
    >> I've yet to cross reference the 173 unique IPs
    >> hitting port 36867 to Maxmind's database, but I have a strong
    >> feeling that they are coming from Germany. I hope you guys
    >> have a better clue what's going on than I do. Thanks.
    >> -Sean

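The analysis the thread describes, as an added example (this is not Sean's bash script, nor anything posted by Ben or Jerry): parse iptables LOG lines in the format quoted above, rank destination ports by hits, count unique sources per port, estimate each probe's initial TTL from the common defaults Ben mentions (64 for most Unix/Linux, 128 for Windows), and look at whether a source's SPT and IP ID step sequentially. The log lines are constructed for the example with RFC 5737 documentation addresses, and the 255 entry in the default-TTL table is an assumption added here for network gear and some other OSes, not something stated in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the iptables LOG format quoted in the thread.
# SRC/DST use documentation ranges (RFC 5737); they are not real hosts.
SAMPLE_LOG = """\
Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=00 PREC=0x00 TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867 SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:52:01 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=00 PREC=0x00 TTL=103 ID=2882 DF PROTO=TCP SPT=62122 DPT=36867 SEQ=785043001 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:55:17 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=41211 DF PROTO=TCP SPT=40017 DPT=36867 SEQ=1190233 ACK=0 WINDOW=5840 SYN URGP=0
Nov 14 11:02:44 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=48 TOS=00 PREC=0x00 TTL=115 ID=3107 DF PROTO=TCP SPT=1044 DPT=445 SEQ=9921 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 11:03:10 maximus possible_hack IN=eth0 OUT= MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00 SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=12 DF PROTO=TCP SPT=55020 DPT=22 SEQ=4411 ACK=0 WINDOW=5840 SYN URGP=0
Nov 14 11:03:11 maximus kernel: some unrelated kernel message
"""

# KEY=VALUE pairs; bare flags such as DF and SYN are simply not captured.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict,
    or None when the line is not a packet log (no SRC/DPT fields)."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    for key in ("TTL", "ID", "SPT", "DPT", "LEN"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def parse_log(text):
    """Parse every packet log line in a log file's text, skipping the rest."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def top_ports(records, n=10):
    """Most-hit destination ports as (port, hits), the '495 36867' style listing."""
    return Counter(r["DPT"] for r in records).most_common(n)


def unique_sources(records, dpt):
    """Distinct source addresses that probed a given destination port."""
    return {r["SRC"] for r in records if r["DPT"] == dpt}


# Common initial TTLs: 64 (most Unix/Linux), 128 (Windows).
# 255 is an assumption added here for network gear and some other OSes.
INITIAL_TTLS = (64, 128, 255)


def guess_initial_ttl(ttl):
    """Smallest common default >= the observed TTL; the difference is the hop count.
    TTL=103 maps to 128 (Windows-like), TTL=52 maps to 64 (Unix-like)."""
    for base in INITIAL_TTLS:
        if ttl <= base:
            return base
    return None


def ttl_profile(records, dpt):
    """Likely initial TTLs of the probes to dpt. Several different defaults
    point at a mixed-platform population rather than a single malware family."""
    return Counter(guess_initial_ttl(r["TTL"]) for r in records if r["DPT"] == dpt)


def source_patterns(records, src):
    """Per-source view of the fields Ben suggests checking: do the source port
    and the IP ID step by exactly one between successive packets from src?"""
    pkts = [r for r in records if r["SRC"] == src]
    sequential = lambda xs: len(xs) > 1 and all(b - a == 1 for a, b in zip(xs, xs[1:]))
    return {
        "packets": len(pkts),
        "spt_sequential": sequential([r["SPT"] for r in pkts]),
        "ipid_sequential": sequential([r["ID"] for r in pkts]),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for port, hits in top_ports(recs):
        print(f"{hits:>5} {port}")
    print("unique sources on 36867:", len(unique_sources(recs, 36867)))
    print("initial-TTL profile on 36867:", dict(ttl_profile(recs, 36867)))
    print("192.0.2.10:", source_patterns(recs, "192.0.2.10"))
```

Run it against a real log with `parse_log(open("/var/log/messages").read())`; the field regex is tolerant of the extra keys other rules or kernels add, and lines without SRC/DPT are dropped rather than crashing the count.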