On Fri, Aug 02, 2019 at 08:22:06AM +0100, Pete Biggs wrote:
> > > This is just the first screen of it, there are many more. The data
> > > compiled here is for the last month (rsyslog is keeping the current
> > > log plus four older logs). I find it disturbing that there were 12251
> > > attempts at telnet during that time, 2154 on 8080, and so forth. Either
> > > I'm some kind of special/hot target, or else everybody gets this kind
> > > of crap and may not even know it.
>
> The raw internet is a very noisy, nasty place. That's why we have
> firewalls! FYI, telnet (as you realise) is old, but the old machines
> that are still running it are eminently and easily hackable - it may be
> your IP has got on a list of old SGI boxes. 8080 probes are looking for
> open web proxies, 5060 is looking for open voip systems and so on.
>
> > > But the one thing I mean to ask about here is the very first item,
> > > 140,750 attempts at port 48825. What the heck is port 48825? I can't
> > > find any reference to anything that uses it online, but for some reason
> > > it is extremely popular, at least amongst the turkeys trying to break
> > > into my network!
> > >
> > > reveals that of all the source addresses trying to poke at 48825,
> > > there are 193 unique addresses. Either this indicates a heck of a lot
> > > of sites having at my firewall, or that some few sites are all spoofing
> > > their addresses. I can sort of understand people whaling away at ports
> > > that may conceal gold, from their warped point of view, but I haven't a
> > > clue why so many people would be beating on some apparently unassigned
> > > and unused port.
>
> As you say 48825 is not a known port and too low to be a dynamic port.
> I suspect it's a command/control port for a botnet - they aren't
> particularly renowned for their elegance and subtlety and so it might be
> that your IP address (if it's a DSL line) in the past had been
> compromised and was running a bot controller and all the bot workers on
> hacked machines are trying to contact their controller to find out what
> to do. Certainly all the monitoring sites I've looked at see almost
> zero traffic on that port (zero = less than 10 packets a day).

Nope, I've never had a DSL line. I was on dialup to a local ISP for some
years until a cable company that would provide what I wanted (instead of
insisting on selling me what I didn't want) ran fiber down the street, and
was willing to sell me a static IP address. Right now my memory fails me
as to exactly when that was, but it may have been as much as 20 years ago,
certainly at least 15. So I've had that address for long enough that there
shouldn't be any botnets thinking that I am one of its command/control
servers.

But the amount of attempted traffic on that port certainly does seem like
it could be a botnet banging on me.

> Just be thankful that you have a working firewall in place!

Amen!

-- 
---- Fred Smith -- fredex at fcshome.stoneham.ma.us -----------------------------
 "God made him who had no sin to be sin for us, so that in him we might
  become the righteousness of God."
--------------------------- Corinthians 5:21 ---------------------------------
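The per-port counts and the unique-source tally Fred describes above can be reproduced from rsyslog's copy of the kernel firewall log. The script below is an added example for this thread, not code posted by any of the participants; it assumes the firewall logs dropped packets in the netfilter LOG-target format (`SRC=`, `DST=`, `PROTO=`, `DPT=` fields), and the sample lines are constructed with RFC 5737 documentation addresses. Besides the raw hit count it reports hits per unique source, which is the figure that separates a broad scan (many sources, few hits each) from a small set of clients hammering one port.

```python
import re
from collections import defaultdict

# Fields written by the netfilter LOG target (iptables/nftables) as relayed by rsyslog.
# Assumption: the firewall logs dropped packets in this standard format.
LOG_RE = re.compile(
    r"SRC=(?P<src>[0-9a-fA-F.:]+)\s.*?PROTO=(?P<proto>\w+)\s.*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: five probes of 48825, one each of telnet, 8080 and SIP,
# plus an unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Aug  1 03:14:07 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=49 PROTO=TCP SPT=44321 DPT=48825 SYN
Aug  1 03:14:09 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=49 PROTO=TCP SPT=44322 DPT=48825 SYN
Aug  1 03:15:11 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 TTL=52 PROTO=TCP SPT=5123 DPT=48825 SYN
Aug  1 03:16:30 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=40 TTL=44 PROTO=TCP SPT=60001 DPT=23 SYN
Aug  1 03:17:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=47 PROTO=TCP SPT=40020 DPT=8080 SYN
Aug  1 03:17:45 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=49 PROTO=TCP SPT=44323 DPT=48825 SYN
Aug  1 03:18:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=52 TTL=44 PROTO=UDP SPT=5060 DPT=5060
Aug  1 03:18:05 gw sshd[912]: Accepted publickey for fred from 192.0.2.2 port 51000 ssh2
"""


def parse_drops(lines):
    """Yield (src, proto, dpt) for every line that carries firewall log fields."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dpt"))


def summarize(lines):
    """Return {(proto, dpt): {"hits": count, "sources": set of source addresses}}."""
    stats = defaultdict(lambda: {"hits": 0, "sources": set()})
    for src, proto, dpt in parse_drops(lines):
        entry = stats[(proto, dpt)]
        entry["hits"] += 1
        entry["sources"].add(src)
    return dict(stats)


def report(lines, top=10):
    """Rows (proto, port, hits, unique_sources, hits_per_source), busiest port first."""
    rows = []
    for (proto, dpt), entry in summarize(lines).items():
        n_src = len(entry["sources"])
        rows.append((proto, dpt, entry["hits"], n_src, round(entry["hits"] / n_src, 1)))
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows[:top]


if __name__ == "__main__":
    # Read the real log with: report(open("/var/log/messages").read().splitlines())
    for proto, dpt, hits, n_src, ratio in report(SAMPLE_LOG.splitlines()):
        print(f"{proto:4} {dpt:6} hits={hits:7} sources={n_src:5} hits/source={ratio}")
```

With the figures from the thread (140,750 hits on 48825 from 193 distinct addresses) the last column comes out at roughly 729 hits per address, which is the kind of number that points at a small population of persistent clients rather than a one-off sweep; a scanner walking the whole port range typically shows one or two hits per source.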
Fred Smith wrote:
> On Fri, Aug 02, 2019 at 08:22:06AM +0100, Pete Biggs wrote:
>
>>
>>> This is just the first screen of it, there are many more. The data
>>> compiled here is for the last month (rsyslog is keeping the current log
>>> plus four older logs). I find it disturbing that there were 12251
>>> attempts at telnet during that time, 2154 on 8080, and so forth.
>>> Either I'm some kind of special/hot target, or else everybody gets
>>> this kind of crap and may not even know it.
<snip>
>>> But the one thing I mean to ask about here is the very first item,
>>> 140,750 attempts at port 48825. What the heck is port 48825? I can't
>>> find any reference to anything that uses it online, but for some
>>> reason it is extremely popular, at least amongst the turkeys trying to
>>> break into my network!
>>>
>>> reveals that of all the source addresses trying to poke at 48825,
>>> there are 193 unique addresses. Either this indicates a heck of a lot
>>> of sites having at my firewall, or that some few sites are all
>>> spoofing their addresses. I can sort of understand people whaling away
>>> at ports that may conceal gold, from their warped point of view, but I
>>> haven't a clue why so many people would be beating on some apparently
>>> unassigned and unused port.
>>>
>> As you say 48825 is not a known port and too low to be a dynamic port.
>> I suspect it's a command/control port for a botnet - they aren't
>> particularly renowned for their elegance and subtlety and so it might be
>> that your IP address (if it's a DSL line) in the past had been
>> compromised and was running a bot controller and all the bot workers on
>> hacked machines are trying to contact their controller to find out
>> what to do. Certainly all the monitoring sites I've looked at see
>> almost zero traffic on that port (zero = less than 10 packets a day).
>
> Nope, I've never had a DSL line. I was on dialup to a local ISP for some
> years until a cable company that would provide what I wanted (instead of
> insisting on selling me what I didn't want) ran fiber down the street, and
> was willing to sell me a static IP address. Right now my memory fails me
> as to exactly when that was, but it may have been as much as 20 years ago,
> certainly at least 15. So I've had that address for long enough that there
> shouldn't be any botnets thinking that I am one of its command/control
> servers.
>
> but the amount of attempted traffic on that port certainly does seem like
> it could be a botnet banging on me.
>
>> Just be thankful that you have a working firewall in place!
>>
You want a perfectly silly... and perfectly believable thought? I've seen
attempts against our outward-facing servers these last 10 years... and
I've seen enough where the idiot script kiddies were so stupid that they
couldn't manage to read the directions enough to at least salt the
autogenerated name. The result was "user@" or a blank where there should
be a name.

So, I'm wondering if someone's botnet got screwed up... and it's going to
the *wrong* address for its command and control. If so, sorry it's hitting
you, but thank you for taking a hundred thousand or so for all of us.

mark
On 02/08/2019 14:12, Fred Smith wrote:
>
> but the amount of attempted traffic on that port certainly does seem
> like it could be a botnet banging on me.

One thing that you could try is to port forward that port to an actual
listening port (think like running nc/netcat in listening mode). That way
it will complete the TCP handshake and you can see what commands (if any)
it sends; it might be useful to record it with tcpdump / wireshark.
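A small listening sink of the kind suggested above, written as an added example for this thread rather than code from the poster: it does what `nc -l` does (complete the handshake, wait for whatever the client sends) but records each connection as a timestamped, hex-safe line instead of dumping raw bytes to a terminal, and it never sends anything back. It assumes the firewall's forward rule delivers the probed port (48825 in the thread) to the host running it; that forwarding setup is hypothetical, and the `serve` function's port and bind address are placeholders to adjust. Running tcpdump alongside, as the poster suggests, still captures the packet-level view (TTLs, window sizes, retransmits) that this sink does not see.

```python
import socket
import threading
import time


def record_connection(conn, peer, max_bytes=512, timeout=5.0):
    """Collect up to max_bytes from an accepted connection, give up after timeout,
    close it, and return a record of what the client sent. Nothing is ever sent back,
    so a client that expects a controller banner learns only that the port is open."""
    conn.settimeout(timeout)
    chunks, total = [], 0
    try:
        while total < max_bytes:
            data = conn.recv(max_bytes - total)
            if not data:                     # client closed its side
                break
            chunks.append(data)
            total += len(data)
    except socket.timeout:                   # connected but stayed silent
        pass
    finally:
        conn.close()
    payload = b"".join(chunks)
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%S"),
        "peer": f"{peer[0]}:{peer[1]}",
        "bytes": len(payload),
        "hex": payload.hex(),                # exact bytes, safe to grep and compare
        "text": payload.decode("ascii", "replace"),  # readable view, binary replaced
    }


def serve(bind_addr="0.0.0.0", port=48825, max_connections=None, log=print):
    """Accept connections on the forwarded port and log one record per connection.
    Assumption (hypothetical setup): the firewall forwards the probed port here."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(64)

    def handle(conn, peer):
        log(record_connection(conn, peer))

    seen = 0
    try:
        while max_connections is None or seen < max_connections:
            conn, peer = srv.accept()        # handshake completes here
            seen += 1
            threading.Thread(target=handle, args=(conn, peer), daemon=True).start()
    finally:
        srv.close()


if __name__ == "__main__":
    # Stops after ten connections; drop max_connections to run until interrupted.
    serve(port=48825, max_connections=10)
```

Because the sink never replies, a bot expecting a command response will usually just disconnect or retry; what you learn is the first few hundred bytes of its request, which is normally enough to identify the protocol it thinks it is speaking and to decide whether the traffic is worth reporting to the source networks' abuse contacts.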
On Fri, Aug 02, 2019 at 09:28:23AM -0400, mark wrote:
> Fred Smith wrote:
> > On Fri, Aug 02, 2019 at 08:22:06AM +0100, Pete Biggs wrote:
> >
> >>
> >>> This is just the first screen of it, there are many more. The data
> >>> compiled here is for the last month (rsyslog is keeping the current log
> >>> plus four older logs). I find it disturbing that there were 12251
> >>> attempts at telnet during that time, 2154 on 8080, and so forth.
> >>> Either I'm some kind of special/hot target, or else everybody gets
> >>> this kind of crap and may not even know it.
> <snip>
> >>> But the one thing I mean to ask about here is the very first item,
> >>> 140,750 attempts at port 48825. What the heck is port 48825? I can't
> >>> find any reference to anything that uses it online, but for some
> >>> reason it is extremely popular, at least amongst the turkeys trying to
> >>> break into my network!
> >>>
> >>> reveals that of all the source addresses trying to poke at 48825,
> >>> there are 193 unique addresses. Either this indicates a heck of a lot
> >>> of sites having at my firewall, or that some few sites are all
> >>> spoofing their addresses. I can sort of understand people whaling away
> >>> at ports that may conceal gold, from their warped point of view, but I
> >>> haven't a clue why so many people would be beating on some apparently
> >>> unassigned and unused port.
> >>>
> >> As you say 48825 is not a known port and too low to be a dynamic port.
> >> I suspect it's a command/control port for a botnet - they aren't
> >> particularly renowned for their elegance and subtlety and so it might be
> >> that your IP address (if it's a DSL line) in the past had been
> >> compromised and was running a bot controller and all the bot workers on
> >> hacked machines are trying to contact their controller to find out
> >> what to do. Certainly all the monitoring sites I've looked at see
> >> almost zero traffic on that port (zero = less than 10 packets a day).
> >
> > Nope, I've never had a DSL line. I was on dialup to a local ISP for some
> > years until a cable company that would provide what I wanted (instead of
> > insisting on selling me what I didn't want) ran fiber down the street, and
> > was willing to sell me a static IP address. Right now my memory fails me
> > as to exactly when that was, but it may have been as much as 20 years ago,
> > certainly at least 15. So I've had that address for long enough that there
> > shouldn't be any botnets thinking that I am one of its command/control
> > servers.
> >
> > but the amount of attempted traffic on that port certainly does seem like
> > it could be a botnet banging on me.
> >
> >> Just be thankful that you have a working firewall in place!
> >>
> You want a perfectly silly... and perfectly believable thought? I've seen
> attempts against our outward-facing servers these last 10 years... and
> I've seen enough where the idiot script kiddies were so stupid that they
> couldn't manage to read the directions enough to at least salt the
> autogenerated name. The result was "user@" or a blank where there should
> be a name.
>
> So, I'm wondering if someone's botnet got screwed up... and it's going to
> the *wrong* address for its command and control. If so, sorry it's hitting

And I didn't even mention the huge number of failed attempts on port 25.
/var/log/maillog is full of systems trying to send spam, or trying to DOS
me with incomplete connection attempts, or just plain spamming with mail
for addresses not at this system. The little light on the network switch
serving this machine hardly ever stops blinking with all the traffic
hitting it.

One thing I don't understand is how/why the firewall is DROPping so many
attempts on port 25 when it in fact has a port forward rule sending port
25 on to my mailserver. How does it know, or why does it think that some
of them can be dropped at the outer barrier?

> you, but thank you for taking a hundred thousand or so for all of us.

Hey, it's the least I can do for all the good guys out there! :) But that
doesn't mean the same dratsabs aren't hitting all the rest of you too.

Fred

-- 
---- Fred Smith -- fredex at fcshome.stoneham.ma.us -----------------------------
 I can do all things through Christ who strengthens me.
------------------------------ Philippians 4:13 -------------------------------