[Dshield] Scans on ports 49147 and 49148
peter at intelligentorgs.com
Fri Mar 1 17:50:08 GMT 2002
At 12:04 01/03/2002 -0500, Clint Byrum wrote:
>Subject: Re: [Dshield] Scans on ports 49147 and 49148
>From: Clint Byrum <cbyrum at erp.com>
>To: list at dshield.org
>Date: 28 Feb 2002 16:00:05 -0800
>On Thu, 2002-02-28 at 13:57, Stigers, David wrote:
> > I've seen this attempt on our firewall today and do not see the neo ports
> > listing for this port. If someone knows what this is I'd appreciate the
> > info.
>Searched my logs for the last 2 months. Nothing to those ports.
> > 02/28/02 07:46 firewalld: deny in eth0 40 tcp 20 112 172.26.137.8
> > 66.147.xxx.xx 9009 49148 rst (blocked site)
> > 02/28/02 07:46 firewalld: deny in eth0 40 tcp 20 112 172.26.137.10
> > 66.147.xxx.xx 9009 49147 rst (blocked site)
>Does that 9009 mean it's from port 9009? I'm not familiar with
>that log format.
Yes it does, Clint. That's the log-file format coming off a WatchGuard Firebox.
David, as you know, the FireBox will auto-deny unknown ports, and has done
in this case, so you're safe it would appear from that IP (in Canada).
Johannes, interestingly, my own Firebox reported a hit on 19th Feb *from*
port 49148 to SMTP on my spammertrap server. That could reinforce your
muse about Nimda reincarnating via the infected machines still out there.
Here's the FireBox log-line concerned, from an IP in Pakistan:
29176 19725098 02/19/02 21:56:40 n
allow in eth0:9 48 tcp 20 52 126.96.36.199
x.y.143.17 49148 25 syn
In this case the FireBox Log-Format has had two fields prepended by
AgentRansack to show lineNo and Displacement, and is:
lineno displacement date time n* allow/deny/log direction interface
packetLength TTL Protocol IPheaderLength source destination SourcePort
* = can't remember what this is. Ahem.
Interestingly, SpamCop has the sourceIP as an "issue resolved"
status, meaning that they have been bad boys in the past re spam I guess.
SpamCop reports thusly (after a long time thinking about it):
ISP believes this issue is resolved 188.8.131.52
ISP believes this issue is resolved:184.108.40.206 - no date available
Tracking ip 220.127.116.11:
[show] "nslookup 18.104.22.168" (getting name) no name
Routing details for 22.214.171.124
[refresh/show] Cached whois for 126.96.36.199:eng at cyber.net.pk,
amir at cyber.net.pk
Using last-resort contacts:amir at cyber.net.pk eng at cyber.net.pk
Whois found:amir at cyber.net.pk eng at cyber.net.pk
However... traceroute to that IP gives a munged route hopping to and fro between
routers in above.net. Hmmm.... They're still out there, methinks!
Which reminds me. I promised to send Wayne some scripts I wrote in awk to
FireBox format to dShield format. Will get to that today, I hope - up to my
fighting off an attack at the moment. Sigh.
Take care out there
Peter Feltham, CEO of Intelligent Organisations.
Tel: +44 208 357 7355 Fax: +44 7050 697 405
Private Fax: +44 7050 694 038
A member of Rheingold Associates
Join the Brainstorms Anthrax Research team by visiting:
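The FireBox-to-DShield conversion Peter mentions, as an added example that is not his awk script and not part of the post: it locates the allow/deny/log keyword and reads the fields relative to it, so the AgentRansack lineNo/displacement prefix, the "n" token and the trailing "(blocked site)" are all tolerated. The DShield column order and the two-digit-year pivot are assumptions, and the user id is a placeholder.

```shell
# Added example, not Peter's awk scripts (which are not in the post): turn
# WatchGuard Firebox log lines like those quoted above into tab-separated
# DShield-style records, one per input line.
#
# Firebox field order as seen in the two sample lines in the post:
#   [lineno displacement] date time [n] allow|deny|log dir iface
#   pktlen proto ipheaderlen ttl src dst sport dport [flags] [(blocked site)]
# Output column order (ASSUMED, from memory of the DShield submission layout):
#   "date time tz", user id, count, src ip, src port, dst ip, dst port, proto, flags
# usage: firebox_to_dshield <userid> <utc-offset> < firebox.log
firebox_to_dshield() {
    # $1 = DShield user id (use a placeholder), $2 = UTC offset of the log clock
    awk -v uid="$1" -v tz="$2" '
    {
        # locate the action keyword; every field is positioned relative to it
        act = 0
        for (i = 1; i <= NF; i++)
            if ($i == "allow" || $i == "deny" || $i == "log") { act = i; break }
        # dir iface pktlen proto ihl ttl src dst sport dport = 10 fields after it
        if (act == 0 || NF < act + 10) next
        # the date is the MM/DD/YY token somewhere before the action; time follows it
        dt = ""; tm = ""
        for (i = 1; i < act; i++)
            if ($i ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/) { dt = $i; tm = $(i + 1) }
        if (dt == "") next
        split(dt, d, "/")
        year = (d[3] + 0 < 70) ? "20" d[3] : "19" d[3]          # assumed century pivot
        if (tm !~ /:[0-9][0-9]:[0-9][0-9]$/) tm = tm ":00"      # "07:46" -> "07:46:00"
        proto = toupper($(act + 4))
        src = $(act + 7); dst = $(act + 8); sport = $(act + 9); dport = $(act + 10)
        # the flags word (syn/rst) follows dport; a "(blocked site)" note after it is ignored
        flags = (NF >= act + 11 && $(act + 11) !~ /^\(/) ? toupper($(act + 11)) : ""
        rec = year "-" d[1] "-" d[2] " " tm " " tz "\t" uid "\t1\t" src "\t" sport
        rec = rec "\t" dst "\t" dport "\t" proto "\t" flags
        printf "%s\n", rec
    }'
}
```

Run against the first quoted line it emits source 172.26.137.8 port 9009 and destination port 49148, i.e. the 9009 is the source port, as Peter says.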