[Current] Port 2605 from few IPs
Jonathan C. Webster
jwebster03 at snet.net
Mon Jun 14 21:04:43 UTC 2004
Hello,
Are other folks seeing a lot of probes to port 2605 from only a few hosts?
In the following, ds13.log and ds14.log are my firewall logs in DSHIELD format from yesterday and so
far today.
Probe signature today
[jcw@themis security]$ cut -f7 ds14.log | sort -n | uniq -c | gawk '$1 > 2'
58 137
18 1026
4 1027
3 1434
360 2605
11 5000
30 5554
13 9898
From these source IPs
[jcw@themis security]$ cut -f4,7 ds14.log | sort -n | uniq -c | gawk '$3 == 2605'
171 12.179.65.169 2605
31 65.4.149.252 2605
2 65.4.152.56 2605
10 80.48.31.29 2605
146 213.165.182.133 2605
[jcw@themis security]$ date
Mon Jun 14 16:52:49 EDT 2004
Sources yesterday
[jcw@themis security]$ cut -f4,7 ds13.log | sort -n | uniq -c | gawk '$3 == 2605'
45 12.179.65.169 2605
3 65.4.149.252 2605
2 65.4.152.56 2605
145 80.48.31.29 2605
[jcw@themis security]$
Curious, is it not?
Jonathan
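
An added example, not part of the original post: a shell sketch that automates the two checks done by hand above, flagging ports with many hits from only a few sources and comparing per-source counts for one port across two daily logs. It assumes the tab-delimited layout the post's pipelines rely on (field 4 = source IP, field 7 = target port); the function names, thresholds and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Like the post's pipelines, it counts log lines per key.

# concentrated_ports FILE [MIN_HITS] [MAX_SOURCES]
# Print "port hits sources" for ports with many hits from few distinct sources.
concentrated_ports() {
    awk -F'\t' -v min="${2:-50}" -v max="${3:-5}" '
        { hits[$7]++; if (!seen[$7, $4]++) srcs[$7]++ }
        END { for (p in hits) { if (hits[p] >= min && srcs[p] <= max) print p, hits[p], srcs[p] } }
    ' "$1" | LC_ALL=C sort -n
}

# source_delta PORT YESTERDAY TODAY
# Print "source yesterday today" hit counts for PORT across two daily logs.
source_delta() {
    awk -F'\t' -v port="$1" '
        $7 == port { if (FILENAME == ARGV[1]) y[$4]++; else t[$4]++; all[$4] = 1 }
        END { for (s in all) print s, y[s] + 0, t[s] + 0 }
    ' "$2" "$3" | LC_ALL=C sort
}

# rows SRC DPORT N: emit N constructed log lines (documentation-range addresses).
rows() {
    i=0
    while [ "$i" -lt "$3" ]; do
        printf '2004-06-14 12:00:00 -04:00\tdemo\t1\t%s\t1025\t203.0.113.10\t%s\tTCP\n' "$1" "$2"
        i=$((i + 1))
    done
}

# noise: 30 distinct sources, two hits each, on port 137 (busy but not concentrated).
noise() {
    n=1
    while [ "$n" -le 30 ]; do rows "198.51.100.$n" 137 2; n=$((n + 1)); done
}

# Demo on constructed data: day2 shows two sources hammering port 2605.
tmp=$(mktemp -d)
{ rows 192.0.2.10 2605 5;  rows 192.0.2.30 2605 20; noise; } > "$tmp/day1.log"
{ rows 192.0.2.10 2605 40; rows 192.0.2.20 2605 25; noise; } > "$tmp/day2.log"
concentrated_ports "$tmp/day2.log"
source_delta 2605 "$tmp/day1.log" "$tmp/day2.log"
rm -rf "$tmp"
```

A source that shows a count on one day and 0 on the other stands out in the second report, which is the day-over-day change the post reads off by eye.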