Re: Large increase in port 27347

From: Jeff Kell (jeff-kell_at_utc.edu)
Date: 10/31/03

Previous message: Andre Ludwig: "RE: strange ftp site"
In reply to: Jeff Kell: "Re: Large increase in port 27347"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 31 Oct 2003 13:53:46 -0500
To: kyle.r.maxwell@verizon.com, incidents@securityfocus.com

Jeff Kell wrote:

> kyle.r.maxwell@verizon.com wrote:
>
>> As Mark pointed out, this activity is on TCP 27347, not TCP 27374.
>> Although I wonder if there's some scanning out there based on a typo
>> in the port number?
>
> We received a number of hits today to the same IP from a number of sources:
>
>> Oct 30 09:16:36.395 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp
>> 207.109.175.94(64462) -> aa.bb.cc.dd(27347), 1 packet
>> Oct 30 09:21:06.752 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp
>> 24.121.8.71(4383) -> aa.bb.cc.dd(27347), 1 packet
>> Oct 30 09:40:50.378 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp
>> 24.229.177.37(4165) -> aa.bb.cc.dd(27347), 1 packet
>> Oct 30 10:44:25.997 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp
>> 24.238.68.114(4131) -> aa.bb.cc.dd(27347), 1 packet
>> Oct 30 10:58:41.578 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp
>> 68.60.47.101(1941) -> aa.bb.cc.dd(27347), 1 packet
>> Oct 30 11:33:51.109 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp
>> 68.79.5.17(3889) -> aa.bb.cc.dd(27347), 1 packet
>> Oct 30 11:57:54.483 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp
>> 68.122.191.11(4771) -> aa.bb.cc.dd(27347), 1 packet
>> Oct 30 12:28:41.678 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp
>> 68.52.149.156(4038) -> aa.bb.cc.dd(27347), 1 packet
>> Oct 30 13:05:24.819 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp
>> 4.41.167.109(1181) -> aa.bb.cc.dd(27347), 1 packet
>> Oct 30 15:38:19.290 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp
>> 68.8.239.92(2163) -> aa.bb.cc.dd(27347), 1 packet
>> Oct 30 15:45:50.710 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp
>> 65.93.88.39(3832) -> aa.bb.cc.dd(27347), 1 packet

Let me add to my own posting that the address attacked was a router, in
a subnet belonging to our provider. They are still occurring today, to
the same destination IP:

> Oct 31 04:14:25.771 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp 68.76.50.182(4593) -> aa.bb.cc.dd(27347), 1 packet
> Oct 31 05:00:16.595 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp 68.38.108.118(3341) -> aa.bb.cc.dd(27347), 1 packet
> Oct 31 06:11:33.595 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp 68.5.9.141(3301) -> aa.bb.cc.dd(27347), 1 packet
> Oct 31 07:48:10.154 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp 68.6.112.27(3239) -> aa.bb.cc.dd(27347), 1 packet
> Oct 31 12:14:14.993 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp 67.66.225.178(4223) -> aa.bb.cc.dd(27347), 1 packet
> Oct 31 12:30:43.715 EST: %SEC-6-IPACCESSLOGP: list ingress denied tcp 68.109.77.86(3115) -> aa.bb.cc.dd(27347), 1 packet

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------

Previous message: Andre Ludwig: "RE: strange ftp site"
In reply to: Jeff Kell: "Re: Large increase in port 27347"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Large increase in port 27347
... > the port number? ... We received a number of hits today to the same IP from a number of sources: ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
(Incidents)
Re: clients TCP port 256 hammered by several hosts
... only use for this port that I'm aware of is FW-1 (the port is registered ... Could be a coincidence (would need to see more traces to see if its ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
(Incidents)
RE: Probable Trojan.
... When you do a netstat -an from the command prompt, do you see the UDP ... "The Thief" Trojan runs on TCP port 1053, and since this is UDP I doubt ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
(Incidents)
Large increase in TCP/554 (rtsp) scans
... port 554, which is traditionally the rtsp ... I haven't seen any recent exploits for any streaming media products. ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
(Incidents)
RE: CEH and Intense School
... Q-How many times has this course been delivered ... You want more than 4 to know the bugs are ironed out in labs and so on. ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
(Pen-Test)