[Dshield] What about port 3531?

dcm2002@sbcglobal.net dcm2002 at sbcglobal.net
Fri Aug 1 13:11:32 GMT 2003


I just ran into a strange port scan sequence which follows below. Mostly
I saw a flurry of scans on port 3531 which I did not recognize, nor
could I find out anything on known uses of the port. I took a look at the
70 day scan history on this port at dShield and saw something quite odd.
Prior to 20 June there are fewer than about 100 reports for any one day.
After 22 June, the number of reports starts to grow constantly. Yesterday
there were 18,000+ reports on this port from some 600 or so sources
hitting 50-100 targets. The reports, sources, and targets are all
growing together, but at differing rates.

I'm running a DSL connection via an old SMC Barricade as my "firewall". I
don't have any way to get packet logs, but I do have scan logs out of
"RouterLog". I have a PPPoE assigned IP address that changes at least
once a week, or when I restart my connection. I see a lot of P2P
afterglow, and often just renew my address to get rid of it. This looked
something like P2P afterglow, but it's not listed as a P2P port. There
was a series of hits from various sources, then a storm of 100s of hits
in a couple of minutes from one source "194.117.133.10".

Some sort of new game server?? Anyone else ever see this pattern? What's
up???

Anyway, here is the port scan log:

August 01, 2003, 07:22:36 AM - PPPoE start to dial-up
* PADI sent 
* PADO recv 0006 zzzzzzzzz-rback10.hstntx
* PADR sent
* PADS recv 8002 9E29
* PAP3: OK
* IPCP3: IP is 66.140.xxx.yyy
* IPCP3: DNS0 is 151.164.11.201
* IPCP3: DNS1 is 151.164.1.8
August 01, 2003, 07:22:39 AM - Unrecognized access from 216.52.240.10:80
to TCP port 4479
August 01, 2003, 07:22:41 AM - Unrecognized access from
66.66.187.131:3944 to TCP port 4054
August 01, 2003, 07:22:40 AM - Unrecognized access from
69.22.24.106:1118 to TCP port 3752
August 01, 2003, 07:22:42 AM - Unrecognized access from
66.66.187.131:3944 to TCP port 4054
August 01, 2003, 07:22:51 AM - Unrecognized access from
66.66.187.131:3944 to TCP port 4054
August 01, 2003, 07:22:53 AM - Unrecognized access from
69.22.24.106:1118 to TCP port 3752
August 01, 2003, 07:23:17 AM - Unrecognized access from
140.192.174.246:3531 to TCP port 3676
August 01, 2003, 07:23:48 AM - Unrecognized access from
140.192.174.246:3531 to TCP port 3676
August 01, 2003, 07:34:31 AM - Unrecognized access from
82.43.123.138:3531 to UDP port 3531
August 01, 2003, 07:34:33 AM - Unrecognized access from
82.43.123.138:3531 to UDP port 3531
August 01, 2003, 07:34:33 AM - Unrecognized access from
82.43.123.138:3531 to UDP port 3531
August 01, 2003, 07:34:35 AM - Unrecognized access from
82.43.123.138:3531 to UDP port 3531
August 01, 2003, 07:34:36 AM - Unrecognized access from
194.117.133.10:59556 to TCP port 3531
August 01, 2003, 07:34:37 AM - Unrecognized access from
82.43.123.138:3531 to UDP port 3531
August 01, 2003, 07:34:39 AM - Unrecognized access from
194.117.133.10:59556 to TCP port 3531
August 01, 2003, 07:34:39 AM - Unrecognized access from
82.43.123.138:3531 to UDP port 3531
August 01, 2003, 07:34:40 AM - Unrecognized access from
68.224.29.251:3531 to UDP port 3531
August 01, 2003, 07:34:42 AM - Unrecognized access from
68.224.29.251:3531 to UDP port 3531
August 01, 2003, 07:34:42 AM - Unrecognized access from
82.43.123.138:3531 to UDP port 3531
August 01, 2003, 07:34:42 AM - Unrecognized access from
68.224.29.251:3531 to UDP port 3531
August 01, 2003, 07:34:44 AM - Unrecognized access from
82.43.123.138:3531 to UDP port 3531
August 01, 2003, 07:34:44 AM - Unrecognized access from
68.224.29.251:3531 to UDP port 3531
August 01, 2003, 07:34:45 AM - Unrecognized access from
194.117.133.10:59556 to TCP port 3531
August 01, 2003, 07:34:45 AM - Unrecognized access from
82.43.123.138:3531 to UDP port 3531
August 01, 2003, 07:34:47 AM - Unrecognized access from
82.43.123.138:3531 to UDP port 3531
August 01, 2003, 07:34:48 AM - Unrecognized access from
82.43.123.138:3531 to UDP port 3531
August 01, 2003, 07:34:52 AM - Unrecognized access from
68.224.29.251:1834 to TCP port 3531
August 01, 2003, 07:34:55 AM - Unrecognized access from
82.43.123.138:3531 to UDP port 3531
August 01, 2003, 07:34:56 AM - Unrecognized access from
68.224.29.251:1842 to TCP port 3531
August 01, 2003, 07:35:00 AM - Unrecognized access from
68.224.29.251:1842 to TCP port 3531
August 01, 2003, 07:35:06 AM - Unrecognized access from
194.117.133.10:33353 to TCP port 3531
August 01, 2003, 07:35:09 AM - Unrecognized access from
194.117.133.10:33353 to TCP port 3531
August 01, 2003, 07:35:11 AM - Unrecognized access from
68.224.29.251:1834 to TCP port 3531
August 01, 2003, 07:35:15 AM - Unrecognized access from
194.117.133.10:33353 to TCP port 3531
August 01, 2003, 07:35:17 AM - Unrecognized access from
68.224.29.251:1842 to TCP port 3531
August 01, 2003, 07:35:27 AM - Unrecognized access from
194.117.133.10:33353 to TCP port 3531
August 01, 2003, 07:35:30 AM - Unrecognized access from
68.224.29.251:1889 to TCP port 3531
August 01, 2003, 07:35:33 AM - Unrecognized access from
68.224.29.251:1904 to TCP port 3531
August 01, 2003, 07:35:33 AM - Unrecognized access from
68.224.29.251:1889 to TCP port 3531
August 01, 2003, 07:35:36 AM - Unrecognized access from
68.224.29.251:1904 to TCP port 3531
August 01, 2003, 07:35:37 AM - Unrecognized access from
194.117.133.10:35282 to TCP port 3531
August 01, 2003, 07:35:39 AM - Unrecognized access from
68.224.29.251:1889 to TCP port 3531
August 01, 2003, 07:35:40 AM - Unrecognized access from
194.117.133.10:35282 to TCP port 3531
August 01, 2003, 07:35:42 AM - Unrecognized access from
68.224.29.251:1904 to TCP port 3531
August 01, 2003, 07:35:46 AM - Unrecognized access from
194.117.133.10:35282 to TCP port 3531
August 01, 2003, 07:35:58 AM - Unrecognized access from
194.117.133.10:35282 to TCP port 3531
August 01, 2003, 07:36:08 AM - Unrecognized access from
194.117.133.10:37062 to TCP port 3531
August 01, 2003, 07:36:11 AM - Unrecognized access from
194.117.133.10:37062 to TCP port 3531
August 01, 2003, 07:36:17 AM - Unrecognized access from
194.117.133.10:37062 to TCP port 3531
August 01, 2003, 07:36:29 AM - Unrecognized access from
194.117.133.10:37062 to TCP port 3531
August 01, 2003, 07:36:39 AM - Unrecognized access from
194.117.133.10:38989 to TCP port 3531
August 01, 2003, 07:36:42 AM - Unrecognized access from
194.117.133.10:38989 to TCP port 3531
August 01, 2003, 07:36:48 AM - Unrecognized access from
194.117.133.10:38989 to TCP port 3531
August 01, 2003, 07:36:49 AM - Unrecognized access from
194.117.133.10:39670 to TCP port 3531
August 01, 2003, 07:36:51 AM - Unrecognized access from
211.130.63.86:8302 to UDP port 137
August 01, 2003, 07:36:52 AM - Unrecognized access from
194.117.133.10:39670 to TCP port 3531
August 01, 2003, 07:36:58 AM - Unrecognized access from
194.117.133.10:39670 to TCP port 3531
[deleted near duplicate lines with lots of hits every few seconds from
the same IP, various source ports.]
August 01, 2003, 07:40:22 AM - Unrecognized access from
194.117.133.10:53281 to TCP port 3531
August 01, 2003, 07:40:25 AM - Unrecognized access from
194.117.133.10:53281 to TCP port 3531
August 01, 2003, 07:40:26 AM - Unrecognized access from
194.117.133.10:52209 to TCP port 3531
August 01, 2003, 07:40:32 AM - Unrecognized access from
194.117.133.10:53281 to TCP port 3531
August 01, 2003, 07:40:33 AM - Unrecognized access from
194.117.133.10:52662 to TCP port 3531
August 01, 2003, 07:40:36 AM - Unrecognized access from
194.117.133.10:54199 to TCP port 3531
August 01, 2003, 07:40:39 AM - Unrecognized access from
194.117.133.10:54199 to TCP port 3531
August 01, 2003, 07:40:44 AM - Unrecognized access from
194.117.133.10:53281 to TCP port 3531
August 01, 2003, 07:40:45 AM - Unrecognized access from
194.117.133.10:54199 to TCP port 3531
August 01, 2003, 07:40:57 AM - Unrecognized access from
194.117.133.10:54199 to TCP port 3531
August 01, 2003, 07:42:48 AM - Unrecognized access from
218.88.233.123:3258 to TCP port 139
August 01, 2003, 07:42:50 AM - Unrecognized access from
218.88.233.123:3258 to TCP port 139
August 01, 2003, 07:42:56 AM - Unrecognized access from
218.88.233.123:3258 to TCP port 139
August 01, 2003, 07:44:01 AM - Unrecognized access from
218.88.233.123:3549 to TCP port 139
August 01, 2003, 07:44:04 AM - Unrecognized access from
218.88.233.123:3549 to TCP port 139
August 01, 2003, 07:44:10 AM - Unrecognized access from
218.88.233.123:3549 to TCP port 139


Any guesses?


David Mehl
Houston TX  USA
dcm2002 AT sbcglobal DOT net 
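
Added example, not part of the original post: a Python triage of the RouterLog output quoted above, counting hits per destination port and per source. It assumes the entry format shown in the log, and it treats hits that repeat the same source IP and source port as retries of one connection attempt (an assumption); the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input embedded inline: six entries in the posted log's format,
# including both ways the mail client wrapped an entry across two lines.
SAMPLE = """\
August 01, 2003, 07:34:31 AM - Unrecognized access from
82.43.123.138:3531 to UDP port 3531
August 01, 2003, 07:35:06 AM - Unrecognized access from
194.117.133.10:33353 to TCP port 3531
August 01, 2003, 07:35:09 AM - Unrecognized access from
194.117.133.10:33353 to TCP port 3531
August 01, 2003, 07:35:15 AM - Unrecognized access from
194.117.133.10:33353 to TCP port 3531
August 01, 2003, 07:35:37 AM - Unrecognized access from
194.117.133.10:35282 to TCP port 3531
August 01, 2003, 07:22:39 AM - Unrecognized access from 216.52.240.10:80
to TCP port 4479
"""

ENTRY = re.compile(
    r"Unrecognized access from\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+"
    r"to\s+(TCP|UDP)\s+port\s+(\d+)"
)

def parse(text):
    """Yield (src_ip, src_port, proto, dst_port); whitespace matching absorbs line wraps."""
    for m in ENTRY.finditer(text):
        yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def summarize(text):
    """Per (proto, dst_port): raw hit count and distinct attempts per source IP."""
    # Assumption: same source IP + same source port = retries of one attempt.
    hits = defaultdict(int)
    attempts = defaultdict(lambda: defaultdict(set))
    for ip, sport, proto, dport in parse(text):
        hits[(proto, dport)] += 1
        attempts[(proto, dport)][ip].add(sport)
    return {
        key: {"hits": hits[key],
              "sources": {ip: len(ports) for ip, ports in srcs.items()}}
        for key, srcs in attempts.items()
    }

if __name__ == "__main__":
    for (proto, dport), info in sorted(summarize(SAMPLE).items()):
        print(proto, dport, info)
```

Run over the full log, the gap between raw hits and distinct attempts shows how much of the "storm" is the same connection attempt being logged several times.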



