Re: Scans on port 17107

From: Myself (nobody_at_noplace.com)
Date: 11/26/05

    Date: Fri, 25 Nov 2005 19:32:22 -0600
    
    

    On Fri, 25 Nov 2005 17:44:49 -0600, Moe Trin wrote:

    > On Fri, 25 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in
    > article <dm8541$mcl$1@bn2.blue.net>, Myself wrote:
    >
    >>Yesterday, over a course of about 3 minutes, my firewall logged 1366
    >>hits on port 17107. This occurred immediately after connecting, and from
    >>1255 different sources. Some were TCP and others UDP.
    >
    > Hard to say - seeing both TCP and UDP to the same port number (other than
    > occasionally on 53 for DNS) is unusual.

    That seemed a bit odd to me.

    > 17107 is a 'user-land' port,
    > meaning it's not a regular server. The "standard" answer for your
    > observation is that the person who had that IP number before you was
    > running a server of some kind - I'd suspect a game server of some kind,
    > but that's purely a guess.

    This is what I suspect. As I said in my original post, I often get a
    series of hits on some single port (and not any certain one), and I have
    always come to the conclusion that it is from the previous port. However,
    the number of these did get my attention. I use fwlogwatch and it sends me
    an email report. When I opened mutt and saw the report with over 1000
    lines, I did notice :)

    > I really don't think I'd worry about it. You have nothing running on
    > that port, so there is nothing to exploit.

    Right. I have no open incoming ports to my knowledge. I've had them
    checked on several of the security sites.

    >>I tried to do a Google search on port 17107 but couldn't find anything,
    >>and I don't have anything in /etc/services or another listing of ports
    >>that I have.
    >
    > As above. Try http://www.iana.org/assignments/port-numbers to get the
    > official list,

    I have a second list besides /etc/services, and I believe it is from
    there. It dates back to 2002 (could update), but I check with it in
    addition to /etc/services.

    > but remember there is no force of law behind that. If someone wants to
    > run a mail server on 17107, they could. Most people wouldn't know it
    > exists there, because you look for "well known services" on "well known
    > ports" in this case 25. Also, no windoze virus writer has ever
    > registered his worm/trojan/what-ever with IANA.

    True. But often it can give you a clue to what it might be.

    Did two of my original posts show up on the list? For some reason, I got
    two, showing a difference of 2 seconds, I believe...
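
Added example, not part of the original post and not fwlogwatch's code: a small triage script for the kind of burst discussed in this thread. It groups firewall log lines by destination port and reports hits, distinct sources, protocols seen, the time span, and whether the local services database names the port. The iptables LOG-style line format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
import socket
from collections import defaultdict
from datetime import datetime

# Constructed sample in iptables LOG style; addresses are documentation ranges.
# Syslog stamps carry no year, so 2005 is assumed when parsing them below.
SAMPLE_LOG = """\
Nov 24 18:02:11 gw kernel: DROP IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=4312 DPT=17107
Nov 24 18:02:11 gw kernel: DROP IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=UDP SPT=4312 DPT=17107
Nov 24 18:02:40 gw kernel: DROP IN=ppp0 OUT= SRC=192.0.2.55 DST=203.0.113.9 PROTO=UDP SPT=17107 DPT=17107
Nov 24 18:04:41 gw kernel: DROP IN=ppp0 OUT= SRC=192.0.2.14 DST=203.0.113.9 PROTO=TCP SPT=3388 DPT=17107
Nov 24 18:10:02 gw kernel: DROP IN=ppp0 OUT= SRC=192.0.2.99 DST=203.0.113.9 PROTO=TCP SPT=1029 DPT=445
"""
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) .*?SRC=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")

def summarize(log_text):
    """Group logged packets by destination port."""
    ports = defaultdict(lambda: {"hits": 0, "sources": set(), "protos": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # no DPT field (ICMP, unrelated syslog lines)
        stamp, src, proto, dpt = m.groups()
        e = ports[int(dpt)]
        e["hits"] += 1
        e["sources"].add(src)
        e["protos"].add(proto)
        e["times"].append(datetime.strptime("2005 " + stamp, "%Y %b %d %H:%M:%S"))
    return ports

def service_name(port, protos):
    """Name from the local services database, or None when the port is unlisted."""
    for proto in sorted(protos):
        try:
            return socket.getservbyport(port, proto.lower())
        except OSError:
            continue
    return None

def report(log_text, min_sources=3):
    rows = [{"port": p, "hits": e["hits"], "sources": len(e["sources"]),
             "protos": sorted(e["protos"]),
             "span_s": int((max(e["times"]) - min(e["times"])).total_seconds()),
             "service": service_name(p, e["protos"]),
             "many_sources": len(e["sources"]) >= min_sources}
            for p, e in summarize(log_text).items()]
    return sorted(rows, key=lambda r: r["hits"], reverse=True)  # busiest port first

if __name__ == "__main__":
    print(*report(SAMPLE_LOG), sep="\n")
```

A row with many distinct sources, both protocols, a short span and no service name matches the pattern described in the thread; the `min_sources` threshold is arbitrary and should be tuned to the size of the real log.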

