[Current] Port 2605 from few IPs

Jonathan C. Webster jwebster03 at snet.net
Mon Jun 14 21:04:43 UTC 2004


Hello,
Are other folks seeing a lot of probes to port 2605 from only a few hosts?
In the following, ds13.log and ds14.log are my firewall logs in DSHIELD format from yesterday and so far today.

Probe signature today
[jcw at themis security]$ cut -f7 ds14.log | sort -n | uniq -c | gawk '$1 > 2'
      58 137
      18 1026
       4 1027
       3 1434
     360 2605
      11 5000
      30 5554
      13 9898

From these source IPs
[jcw at themis security]$ cut -f4,7 ds14.log | sort -n | uniq -c | gawk '$3 == 2605'
     171 12.179.65.169   2605
      31 65.4.149.252    2605
       2 65.4.152.56     2605
      10 80.48.31.29     2605
     146 213.165.182.133 2605
[jcw at themis security]$ date
Mon Jun 14 16:52:49 EDT 2004

Sources yesterday
[jcw at themis security]$ cut -f4,7 ds13.log | sort -n | uniq -c | gawk '$3 == 2605'
      45 12.179.65.169   2605
       3 65.4.149.252    2605
       2 65.4.152.56     2605
     145 80.48.31.29     2605
[jcw at themis security]$

Curious, is it not?
Jonathan
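
The day-over-day comparison done by hand above, as an added example that is not part of the original post: one awk pass counts sources for a target port across both logs and marks sources that are new today. It assumes the tab-separated DShield layout implied by the post's `cut` fields (field 4 source IP, field 7 target port); the function names and sample rows are constructed.

```shell
# port_sources PORT PREV_LOG CUR_LOG
# Prints: source-IP <TAB> hits-in-PREV <TAB> hits-in-CUR <TAB> NEW|GONE|SEEN
port_sources() {
    awk -F'\t' -v port="$1" '
        $7 != port          { next }                 # field 7 = target port
        FILENAME == ARGV[1] { prev[$4]++; seen[$4] = 1; next }
                            { cur[$4]++;  seen[$4] = 1 }
        END {
            for (ip in seen) {
                p = prev[ip] + 0; c = cur[ip] + 0
                if (p == 0)      tag = "NEW"          # first seen in CUR_LOG
                else if (c == 0) tag = "GONE"         # only in PREV_LOG
                else             tag = "SEEN"         # present in both
                printf "%s\t%d\t%d\t%s\n", ip, p, c, tag
            }
        }' "$2" "$3" | LC_ALL=C sort
}

# Constructed sample rows (documentation address ranges), not data from the post.
row() { printf '%s\t0\t1\t%s\t4321\t198.51.100.1\t%s\tTCP\tS\n' "$1" "$2" "$3"; }

make_sample_logs() {
    {
        row '2004-06-13 09:00:00 -04:00' 192.0.2.10 2605
        row '2004-06-13 09:05:00 -04:00' 192.0.2.10 2605
        row '2004-06-13 09:10:00 -04:00' 192.0.2.20 2605
        row '2004-06-13 09:15:00 -04:00' 192.0.2.30 137
    } > "$1"
    {
        row '2004-06-14 09:00:00 -04:00' 192.0.2.10 2605
        row '2004-06-14 09:05:00 -04:00' 203.0.113.5 2605
        row '2004-06-14 09:06:00 -04:00' 203.0.113.5 2605
        row '2004-06-14 09:07:00 -04:00' 203.0.113.5 2605
        row '2004-06-14 09:10:00 -04:00' 192.0.2.30 5554
    } > "$2"
}

# Demo run on the constructed logs.
tmp=$(mktemp -d)
make_sample_logs "$tmp/ds13.log" "$tmp/ds14.log"
port_sources 2605 "$tmp/ds13.log" "$tmp/ds14.log"
rm -rf "$tmp"
```

A source tagged NEW with a high count today is the pattern the post notices by eye when comparing the two listings.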


