Is it just me, or have there been an excessive number of TCP port 9200 port scans? Port 9200 seems to be associated with WAP & Lexmark printers, but what else? I know Tom does not like identification, but most sources seem to resolve to Asia. Is there a new Trojan loose?

An example:

Oct 7 19:16:18 mybox kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:03:47:48:77:8d:00:02:3b:02:68:b8:08:00 SRC=211.162.223.41 DST=ww.xx.yy.zz LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=61607 DF PROTO=TCP SPT=3321 DPT=9200 WINDOW=16384 RES=0x00 SYN URGP=0

I should be able to stop all those logs with blacklist entry:

0.0.0.0/0 tcp 9200

Is there any benefit to continue logging? Has anyone else experienced this? Is it attempting an exploit I may not have patched for?

- Bill

Bill.Light@kp.org wrote:
> Is it just me, or have there been an excessive number of TCP port 9200
> port scans?

I'm not seeing it here or on my main firewall.

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote on 08/10/2004 15:21:29:

> Bill.Light@kp.org wrote:
> > Is it just me, or have there been an excessive number of TCP port 9200
> > port scans?
>
> I'm not seeing it here or on my main firewall.

SANS reports an increase in this port since early October: http://isc.sans.org/port_details.php?port=9200
but this is a port used by WAP gateways - do you have any?

cheers,
________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606

Tom Eastep wrote on 08/10/2004 15:21:29:

> Bill.Light@kp.org wrote:
> > Is it just me, or have there been an excessive number of TCP port 9200
> > port scans?
>
> I'm not seeing it here or on my main firewall.

SANS reports an increase in this port since early October: http://isc.sans.org/port_details.php?port=9200
but this is a port used by WAP gateways - do you have any?

cheers,
Eduardo Ferreira

===================================

No - As a matter of fact, I did read that. I was going to hook up a Cisco AP 350 that I got for a reasonable price, and have been studying Tom's set up for a bridge... I'm dropping the probes, but it seems to be this last month that's been unusually heavy...

Oh Well - back to looking at Tom's example

Thanks
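
Before silencing the port 9200 entries with a blacklist rule, the logged drops can be tallied per destination port and per distinct source to see whether one host or many are probing. The following is an added example, not part of the original thread; the sample lines are constructed in the format of the log entry quoted above and use documentation-range addresses.

```python
import re
from collections import defaultdict

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<fields>.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample input in the format of the log entry quoted in the thread.
# Addresses come from the RFC 5737 documentation ranges, not from real hosts.
TCP = ("Oct  7 19:16:18 mybox kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
       "MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC={src} DST=192.0.2.10 "
       "LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=61607 DF PROTO=TCP SPT=3321 "
       "DPT={dpt} WINDOW=16384 RES=0x00 SYN URGP=0")
SAMPLE_LOG = [
    TCP.format(src="198.51.100.41", dpt=9200),
    TCP.format(src="198.51.100.41", dpt=9200),
    TCP.format(src="203.0.113.7", dpt=9200),
    TCP.format(src="203.0.113.7", dpt=445),
    "Oct  7 19:17:02 mybox kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TTL=50 ID=0 DF PROTO=ICMP TYPE=8 CODE=0",
    "Oct  7 19:17:05 mybox sshd[812]: Connection closed by 198.51.100.41",
]

def parse_line(line):
    """Return the fields of one Shorewall log line as a dict, or None."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = dict(FIELD.findall(m.group("fields")))
    rec["chain"], rec["action"] = m.group("chain"), m.group("action")
    # Tokens without '=' (SYN, ACK, DF, ...) are header flags, not key=value pairs.
    rec["flags"] = {tok for tok in m.group("fields").split() if "=" not in tok}
    return rec

def summarize_drops(lines):
    """Map (proto, dport) -> {'hits': count, 'sources': set of SRC addresses}."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["action"] != "DROP" or "DPT" not in rec:
            continue  # not a Shorewall drop, or a protocol without ports (ICMP)
        entry = summary[(rec["PROTO"].lower(), int(rec["DPT"]))]
        entry["hits"] += 1
        entry["sources"].add(rec["SRC"])
    return dict(summary)

if __name__ == "__main__":
    ranked = sorted(summarize_drops(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"])
    for (proto, port), info in ranked:
        print(f"{proto}/{port}: {info['hits']} drops from {len(info['sources'])} sources")
```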