[Dshield] Scans on ports 49147 and 49148

Peter Feltham peter at intelligentorgs.com
Fri Mar 1 17:50:08 GMT 2002

At 12:04 01/03/2002 -0500, Clint Byrum wrote:
>Message: 5
>Subject: Re: [Dshield] Scans on ports 49147 and 49148
>From: Clint Byrum <cbyrum at erp.com>
>To: list at dshield.org
>Date: 28 Feb 2002 16:00:05 -0800
>On Thu, 2002-02-28 at 13:57, Stigers, David wrote:
> > I've seen this attempt on our firewall today and do not see the neo ports
> > listing for this port. If someone knows what this is I'd appreciate the
> > info.
>Searched my logs for the last 2 months. Nothing to those ports.
> >
> > 02/28/02 07:46  firewalld[105]:  deny in eth0 40 tcp 20 112
> > 66.147.xxx.xx 9009 49148 rst (blocked site)
> > 02/28/02 07:46  firewalld[105]:  deny in eth0 40 tcp 20 112
> > 66.147.xxx.xx 9009 49147 rst (blocked site)
> >


>Does that 9009 mean its from port 9009? I'm not familiar with
>that log format.

Yes it does, Clint. That's the log-file format coming off a WatchGuard Firebox.

David, as you know, the FireBox will auto-deny unknown ports, and has done
in this case, so you're safe it would appear from that IP (in Canada).

Johannes, interestingly, my own Firebox reported a hit on 19th Feb *from*
port 49148 to SMTP on my spammertrap server. That could reinforce your
muse about Nimda reincarnating via the infected machines still out there.

Here's the FireBox log-line concerned, from an IP in Pakistan:
29176   19725098 02/19/02  21:56:40 n allow  in   eth0:9  48        tcp     20        52 x.y.143.17   49148     25        syn

In this case the FireBox Log-Format has had two fields prepended by 
AgentRansack to show lineNo and Displacement, and is:
lineno displacement date time  n* allow/deny/log direction interface 
packetLength TTL Protocol IPheaderLength source destination SourcePort 
DestPort OtherDetails

* = can't remember what this is. Ahem.

Interestingly, SpamCop has the sourceIP as an "issue resolved" 
status,  meaning that they have been bad boys in the past re spam I guess. 
SpamCop reports thusly (after a long time thinking about it):

Parsing input:
[report history]
ISP believes this issue is resolved
ISP believes this issue is resolved: - no date available
Tracking ip
[show] "nslookup" (getting name) no name
Routing details for
[refresh/show] Cached whois for at cyber.net.pk, 
amir at cyber.net.pk
Using last-resort contacts:amir at cyber.net.pk eng at cyber.net.pk
Whois found:amir at cyber.net.pk eng at cyber.net.pk

However... traceroute to that IP gives a munged route hopping to and fro between
routers in above.net. Hmmm.... They're still out there, methinks!

Which reminds me. I promised to send Wayne some scripts I wrote in awk to
convert FireBox format to dShield format. Will get to that today, I hope - up to my
ears in fighting off an attack at the moment. Sigh.

Take care out there


Peter Feltham, CEO of Intelligent Organisations.

Tel: +44 208 357 7355           Fax: +44 7050 697 405
                         Private  Fax: +44 7050 694 038
A member of Rheingold Associates
Join the Brainstorms Anthrax Research team by visiting:

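Peter's awk scripts are not on the page; what follows is an added example, not code from the original post, showing a Python parser for the FireBox log layout he describes (the plain firewalld form in David's lines and the AgentRansack-prefixed form in Peter's) that flags traffic touching ports 49147/49148 on either side of the connection. The names given to the two numeric header fields after the protocol follow the order in the sample lines and are an assumption, and the sample log is constructed with documentation IPs.

```python
import re
from typing import Optional

# Field order from the page's description of a FireBox log line:
#   [lineno displacement] date time [n] allow/deny/log direction interface
#   packetLength proto <two numeric header fields> sourceIP SourcePort DestPort
#   flags [(detail)]
# The page lists the two numbers as TTL and IP header length; naming them
# ip_hlen then ttl (the order in the sample lines) is an assumption.
FIELD_RE = re.compile(
    r"(?P<date>\d{2}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}(?::\d{2})?)"
    r".*?\b(?P<action>allow|deny|log)\s+(?P<direction>[a-z]+)\s+(?P<iface>\S+)\s+"
    r"(?P<length>\d+)\s+(?P<proto>[a-z]+)\s+(?P<ip_hlen>\d+)\s+(?P<ttl>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<flags>\S+)"
    r"(?:\s+\((?P<detail>[^)]*)\))?"
)

def parse_firebox_line(line: str) -> Optional[dict]:
    """Parse one FireBox line in either the firewalld syslog form or the
    AgentRansack-prefixed form; return None for lines that do not match."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in ("length", "ip_hlen", "ttl", "sport", "dport"):
        ev[k] = int(ev[k])
    return ev

# Ports discussed in the thread; a hit as source or destination port is flagged.
WATCH_PORTS = {49147, 49148}

def find_port_hits(log_text: str):
    """Return (all parsed events, events touching a watched port)."""
    events = [e for e in (parse_firebox_line(l) for l in log_text.splitlines()) if e]
    hits = [e for e in events if e["sport"] in WATCH_PORTS or e["dport"] in WATCH_PORTS]
    return events, hits

# Constructed sample log: the two line shapes seen in the thread plus noise.
SAMPLE_LOG = """\
02/28/02 07:46  firewalld[105]:  deny in eth0 40 tcp 20 112 192.0.2.10 9009 49148 rst (blocked site)
02/28/02 07:46  firewalld[105]:  deny in eth0 40 tcp 20 112 192.0.2.10 9009 49147 rst (blocked site)
29176   19725098 02/19/02  21:56:40 n allow  in   eth0:9  48        tcp     20        52 198.51.100.17   49148     25        syn
02/28/02 08:00  firewalld[105]:  allow in eth0 60 tcp 20 64 192.0.2.5 4321 80 syn
not a firebox line
"""

if __name__ == "__main__":
    for ev in find_port_hits(SAMPLE_LOG)[1]:
        print(f'{ev["date"]} {ev["time"]} {ev["action"]:5} {ev["src"]}:{ev["sport"]} -> :{ev["dport"]} {ev["flags"]}')
```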