I know this is OT, but I'm not sure where else to ask. I can hope for forgiveness! :)

My home router sends its logs to the rsyslog on my desktop system, and from there I can learn all kinds of interesting (or disturbing) things. I've written a really horrid shellscript (about 20 things piped together with a temp file in the middle) to give me the count of DROP events for specific incoming ports. (The "Description" field is lifted verbatim from /etc/services.)

Count   Port   Description
-----   ----   -----------
140750  48825
12251   23     telnet          23/tcp
10043   445    microsoft-ds    445/tcp
2869    1      tcpmux          1/tcp      # TCP port service multiplexer
2478    9      discard         9/tcp      sink null
2154    8080   webcache        8080/tcp   http-alt      # WWW caching service
1990    5060   sip             5060/tcp   # SIP
1592    8089
1452    8545
1358    3389   ms-wbt-server   3389/tcp   # MS WBT Server
1275    443    https           443/tcp    # http protocol over TLS/SSL
1275    81
1258    5000   commplex-main   5000/tcp   #
1244    80     http            80/tcp     www www-http  # WorldWideWeb HTTP
1022    8291
840     60001
834     7547   cwmp            7547/tcp   # DSL Forum CWMP
821     1433   ms-sql-s        1433/tcp   # Microsoft-SQL-Server
809     2323   3d-nfsd         2323/tcp   # 3d-nfsd
764     5555   personal-agent  5555/tcp   # Personal Agent

This is just the first screen of it; there are many more. The data compiled here is for the last month (rsyslog is keeping the current log plus four older logs). I find it disturbing that there were 12251 attempts at telnet during that time, 2154 on 8080, and so forth. Either I'm some kind of special/hot target, or else everybody gets this kind of crap and may not even know it.

But the one thing I mean to ask about here is the very first item, 140,750 attempts at port 48825. What the heck is port 48825? I can't find any reference to anything that uses it online, but for some reason it is extremely popular, at least amongst the turkeys trying to break into my network!

A little more grepping:

    grep 'DPT=48825' Firewall-Log* | grep -o "SRC=[09123456789.]*" | sort -u -t '.' -k "1.5g,1g" | less

reveals that of all the source addresses trying to poke at 48825, there are 193 unique addresses. Either this indicates a heck of a lot of sites having at my firewall, or that some few sites are all spoofing their addresses. I can sort of understand people whaling away at ports that may conceal gold, from their warped point of view, but I haven't a clue why so many people would be beating on some apparently unassigned and unused port.

Anyone got any clues?

Thanks in advance!

Fred

-- 
Fred Smith
Home: fredex at fcshome.stoneham.ma.us
781-438-5471
Jude 1:24,25
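The two pipelines above (DROP count per destination port, then the number of distinct sources hitting one port) as a pair of small awk functions, added here as an example and not the poster's own script. It assumes the router logs in the usual netfilter format with a "DROP" log prefix and the SRC=/DPT= fields quoted in the thread; the sample lines and their addresses are constructed.

```shell
# Added example, not the poster's script: count-per-port and unique-source
# pipelines as awk functions over netfilter-style log lines. Assumes a "DROP"
# log prefix and the SRC=/DPT= fields quoted in the thread.
# Constructed sample standing in for Firewall-Log*; source addresses are from
# the RFC 5737 documentation ranges, not real scanners.
sample_log() {
    cat <<'EOF'
Aug  1 20:01:02 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=48825 SYN
Aug  1 20:01:09 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41235 DPT=48825 SYN
Aug  1 20:03:44 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=48825 SYN
Aug  1 20:05:10 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=33333 DPT=23 SYN
Aug  1 20:05:12 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=33334 DPT=23 SYN
Aug  1 20:07:00 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=44444 DPT=445 SYN
Aug  1 20:08:30 router kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=44445 DPT=443 SYN
EOF
}
# DROP events per destination port, busiest first, as "count port".
drops_per_port() {
    awk '/DROP/ && match($0, /DPT=[0-9]+/) {
             n[substr($0, RSTART + 4, RLENGTH - 4)]++
         }
         END { for (p in n) printf "%d %s\n", n[p], p }' |
        sort -k1,1nr -k2,2n
}
# Distinct source addresses seen hitting one port (the poster's second
# pipeline, reduced to a single number). Port is anchored so 23 != 2323.
unique_sources_for_port() {
    awk -v port="$1" '/DROP/ && $0 ~ ("DPT=" port "( |$)") &&
                      match($0, /SRC=[0-9.]+/) {
             ip = substr($0, RSTART + 4, RLENGTH - 4)
             if (!(ip in seen)) { seen[ip] = 1; c++ }
         }
         END { print c + 0 }'
}
# Description column lifted from /etc/services (empty for unassigned ports
# such as 48825); skipped quietly where that file is not present.
service_description() {
    [ -r /etc/services ] || return 0
    awk -v p="$1" '$2 == p "/tcp" { print; exit }' /etc/services
}
# On the real logs: zcat -f Firewall-Log* | drops_per_port
sample_log | drops_per_port | while read -r count port; do
    printf '%-7s %-6s %s\n' "$count" "$port" "$(service_description "$port")"
done
printf 'unique sources on 48825: %s\n' "$(sample_log | unique_sources_for_port 48825)"
```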
On Thu, Aug 1, 2019 at 8:53 PM Fred Smith <fredex at fcshome.stoneham.ma.us> wrote:

> .... reveals that of all the source addresses trying to poke at 48825,
> there are 193 unique addresses. Either this indicates a heck of a lot
> of sites having at my firewall, or that some few sites are all spoofing
> their addresses. I can sort of understand people whaling away at ports
> that may conceal gold, from their warped point of view, but I haven't a
> clue why so many people would be beating on some apparently unassigned
> and unused port.

Distributed botnets.... it's all noise.

-- 
-john r pierce
recycling used bits in santa cruz
On 02/08/2019 04:58, John Pierce wrote:
> On Thu, Aug 1, 2019 at 8:53 PM Fred Smith <fredex at fcshome.stoneham.ma.us> wrote:
>
>> .... reveals that of all the source addresses trying to poke at 48825,
>> there are 193 unique addresses. Either this indicates a heck of a lot
>> of sites having at my firewall, or that some few sites are all spoofing
>> their addresses. I can sort of understand people whaling away at ports
>> that may conceal gold, from their warped point of view, but I haven't a
>> clue why so many people would be beating on some apparently unassigned
>> and unused port.
>
> Distributed botnets.... it's all noise.

One of the nice things about IPv6 is that the address space is so vast and sparse that it isn't feasible to scan it in the way IPv4 gets scanned, so if we ever get round to moving to IPv6 this sort of stuff will go away.
> This is just the first screen of it, there are many more. The data
> compiled here is for the last month (rsyslog is keeping the current
> log plus four older logs). I find it disturbing that there were 12251
> attempts at telnet during that time, 2154 on 8080, and so forth. Either
> I'm some kind of special/hot target, or else everybody gets this kind
> of crap and may not even know it.

The raw internet is a very noisy, nasty place. That's why we have firewalls! FYI, telnet (as you realise) is old, but the old machines that are still running it are eminently and easily hackable - it may be your IP has got on a list of old SGI boxes. 8080 probes are looking for open web proxies, 5060 is looking for open VoIP systems, and so on.

> But the one thing I mean to ask about here is the very first item,
> 140,750 attempts at port 48825. What the heck is port 48825? I can't
> find any reference to anything that uses it online, but for some reason
> it is extremely popular, at least amongst the turkeys trying to break
> into my network!
>
> reveals that of all the source addresses trying to poke at 48825,
> there are 193 unique addresses. Either this indicates a heck of a lot
> of sites having at my firewall, or that some few sites are all spoofing
> their addresses. I can sort of understand people whaling away at ports
> that may conceal gold, from their warped point of view, but I haven't a
> clue why so many people would be beating on some apparently unassigned
> and unused port.

As you say, 48825 is not a known port and too low to be a dynamic port. I suspect it's a command/control port for a botnet - they aren't particularly renowned for their elegance and subtlety, and so it might be that your IP address (if it's a DSL line) in the past had been compromised and was running a bot controller, and all the bot workers on hacked machines are trying to contact their controller to find out what to do. Certainly all the monitoring sites I've looked at see almost zero traffic on that port (zero = less than 10 packets a day).

Just be thankful that you have a working firewall in place!

P.
On Fri, Aug 02, 2019 at 08:22:06AM +0100, Pete Biggs wrote:
> > This is just the first screen of it, there are many more. The data
> > compiled here is for the last month (rsyslog is keeping the current
> > log plus four older logs). I find it disturbing that there were 12251
> > attempts at telnet during that time, 2154 on 8080, and so forth. Either
> > I'm some kind of special/hot target, or else everybody gets this kind
> > of crap and may not even know it.
>
> The raw internet is a very noisy, nasty place. That's why we have
> firewalls! FYI, telnet (as you realise) is old, but the old machines
> that are still running it are eminently and easily hackable - it may be
> your IP has got on a list of old SGI boxes. 8080 probes are looking for
> open web proxies, 5060 is looking for open VoIP systems and so on.
>
> > But the one thing I mean to ask about here is the very first item,
> > 140,750 attempts at port 48825. What the heck is port 48825? I can't
> > find any reference to anything that uses it online, but for some reason
> > it is extremely popular, at least amongst the turkeys trying to break
> > into my network!
> >
> > reveals that of all the source addresses trying to poke at 48825,
> > there are 193 unique addresses. Either this indicates a heck of a lot
> > of sites having at my firewall, or that some few sites are all spoofing
> > their addresses. I can sort of understand people whaling away at ports
> > that may conceal gold, from their warped point of view, but I haven't a
> > clue why so many people would be beating on some apparently unassigned
> > and unused port.
>
> As you say 48825 is not a known port and too low to be a dynamic port.
> I suspect it's a command/control port for a botnet - they aren't
> particularly renowned for their elegance and subtlety and so it might be
> that your IP address (if it's a DSL line) in the past had been
> compromised and was running a bot controller and all the bot workers on
> hacked machines are trying to contact their controller to find out what
> to do. Certainly all the monitoring sites I've looked at see almost
> zero traffic on that port (zero = less than 10 packets a day).

Nope, I've never had a DSL line. Was dialup to a local ISP for some years until a cable company that would provide what I wanted (instead of insisting on selling me what I didn't want) ran fiber down the street, and was willing to sell me a static IP address. Right now my memory fails me as to exactly when that was, but it may have been as much as 20 years ago, certainly at least 15. So I've had that address for long enough that there shouldn't be any botnets thinking that I am one of its command/control servers. But the amount of attempted traffic on that port certainly does seem like it could be a botnet banging on me.

> Just be thankful that you have a working firewall in place!

Amen!

-- 
Fred Smith -- fredex at fcshome.stoneham.ma.us
"God made him who had no sin to be sin for us, so that in him we might become the righteousness of God." -- Corinthians 5:21
Can't help with the mystery port 48825. But I find your approach truly creative!

-- 
Kay

On 8/1/19 8:53 PM, Fred Smith wrote:
> I know this is OT, but I'm not sure where else to ask. I can hope for forgiveness! :)
>
> My home router sends its logs to the rsyslog on my desktop system, and
> from there I can learn all kinds of interesting (or disturbing) things.
> I've written a really horrid shellscript (about 20 things piped together
> with a temp file in the middle) to give me the count of DROP events for
> specific incoming ports. (The "Description" field is lifted verbatim from
> /etc/services.)
>
> Count   Port   Description
> -----   ----   -----------
> 140750  48825
> 12251   23     telnet          23/tcp
> 10043   445    microsoft-ds    445/tcp
> 2869    1      tcpmux          1/tcp      # TCP port service multiplexer
> 2478    9      discard         9/tcp      sink null
> 2154    8080   webcache        8080/tcp   http-alt      # WWW caching service
> 1990    5060   sip             5060/tcp   # SIP
> 1592    8089
> 1452    8545
> 1358    3389   ms-wbt-server   3389/tcp   # MS WBT Server
> 1275    443    https           443/tcp    # http protocol over TLS/SSL
> 1275    81
> 1258    5000   commplex-main   5000/tcp   #
> 1244    80     http            80/tcp     www www-http  # WorldWideWeb HTTP
> 1022    8291
> 840     60001
> 834     7547   cwmp            7547/tcp   # DSL Forum CWMP
> 821     1433   ms-sql-s        1433/tcp   # Microsoft-SQL-Server
> 809     2323   3d-nfsd         2323/tcp   # 3d-nfsd
> 764     5555   personal-agent  5555/tcp   # Personal Agent
>
> This is just the first screen of it, there are many more. The data
> compiled here is for the last month (rsyslog is keeping the current
> log plus four older logs). I find it disturbing that there were 12251
> attempts at telnet during that time, 2154 on 8080, and so forth. Either
> I'm some kind of special/hot target, or else everybody gets this kind
> of crap and may not even know it.
>
> But the one thing I mean to ask about here is the very first item,
> 140,750 attempts at port 48825. What the heck is port 48825? I can't
> find any reference to anything that uses it online, but for some reason
> it is extremely popular, at least amongst the turkeys trying to break
> into my network!
>
> A little more grepping:
>
> grep 'DPT=48825' Firewall-Log* | grep -o "SRC=[09123456789.]*" | sort -u -t '.' -k "1.5g,1g" | less
>
> reveals that of all the source addresses trying to poke at 48825,
> there are 193 unique addresses. Either this indicates a heck of a lot
> of sites having at my firewall, or that some few sites are all spoofing
> their addresses. I can sort of understand people whaling away at ports
> that may conceal gold, from their warped point of view, but I haven't a
> clue why so many people would be beating on some apparently unassigned
> and unused port.
>
> Anyone got any clues?
>
> Thanks in advance!
>
> Fred