[Dshield] more on port 21826

Jon R. Kibler Jon.Kibler at aset.com
Thu Oct 9 16:34:27 GMT 2003


Greetings:

Several weeks ago, I posted a question about traffic from what appeared to be a forged IP address to a single unallocated IP address in our netblock. The packets always originated from port 44429 and were always targeted to port 21826. At that time, all of the packets originated from a single IP address (33.82.212.156) that we were told was a US DoD address that does not have Internet access.

Recently, the pattern has changed (also, see below).
   1) There are now multiple IP addresses all sending to port 21826 on this SAME unallocated IP address.
   2) The majority of the sending IP addresses still claim to be sending from port 44429, but several of the addresses now seem to be originating from different ports.

A couple of other tidbits... Checking logs as far back as May, we find:
   1) Every log entry that originated from port 44429 was targeted to port 21826.
   2) Every log entry that targeted port 21826 was to the same target IP address.
   3) These 'spoofed packets' predate our owning this netblock (they were among the first packets logged when we acquired this netblock early this year).

Anyone have any new ideas what may be going on here?

TIA for your thoughts!

Sincerely,
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214


> Examples of packets that originate from port 44428 to port 21826 on single IP:
> Oct  1 09:53:55 list 110 denied tcp 12.251.107.193(44429) -> 63.113.59.xx(21826), 1 packet
> Oct  8 09:57:19 list 110 denied tcp 148.243.165.195(44429) -> 63.113.59.xx(21826), 1 packet
> Sep 30 08:51:04 list 110 denied tcp 193.212.67.241(44429) -> 63.113.59.xx(21826), 1 packet
> Oct  8 06:21:45 list 110 denied tcp 207.219.94.68(44429) -> 63.113.59.xx(21826), 1 packet
> Oct  4 04:37:41 list 110 denied tcp 210.135.158.201(44429) -> 63.113.59.xx(21826), 1 packet
> Oct  8 05:07:05 list 110 denied tcp 210.22.118.19(44429) -> 63.113.59.xx(21826), 1 packet
> Oct  8 20:27:07 list 110 denied tcp 24.88.169.84(44429) -> 63.113.59.xx(21826), 1 packet
> Sep 28 03:22:29 list 110 denied tcp 33.82.212.156(44429) -> 63.113.59.xx(21826), 1 packet
> Oct  5 07:10:59 list 110 denied tcp 61.205.238.21(44429) -> 63.113.59.xx(21826), 1 packet
> Oct  7 16:39:21 list 110 denied tcp 68.153.205.32(44429) -> 63.113.59.xx(21826), 1 packet
> Oct  8 14:04:01 list 110 denied tcp 69.14.14.98(44429) -> 63.113.59.xx(21826), 1 packet
> 
> Examples of packets that originate from other ports to port 21826 on single IP:
> Oct  2 19:05:55 list 110 denied tcp 202.103.222.254(1487) -> 63.113.59.xx(21826), 1 packet
> Oct  9 02:05:59 list 110 denied tcp 206.71.120.78(2280) -> 63.113.59.xx(21826), 1 packet
> Sep 29 02:03:28 list 110 denied tcp 206.71.120.78(2784) -> 63.113.59.xx(21826), 1 packet
> Oct  4 17:02:34 list 110 denied tcp 211.243.102.59(2050) -> 63.113.59.xx(21826), 1 packet
> Sep 29 18:24:45 list 110 denied tcp 212.19.146.112(2954) -> 63.113.59.xx(21826), 1 packet
> Oct  4 02:56:31 list 110 denied tcp 212.204.50.35(2426) -> 63.113.59.xx(21826), 1 packet
> Oct  5 21:01:25 list 110 denied tcp 24.85.203.222(2755) -> 63.113.59.xx(21826), 1 packet
> Oct  1 03:30:13 list 110 denied tcp 61.42.229.25(1310) -> 63.113.59.xx(21826), 1 packet
> Sep 28 21:30:09 list 110 denied tcp 61.42.229.25(1519) -> 63.113.59.xx(21826), 1 packet
> Sep 30 01:05:41 list 110 denied tcp 61.51.105.148(25992) -> 63.113.59.xx(21826), 1 packet
> Oct  1 22:54:02 list 110 denied tcp 61.56.240.10(62306) -> 63.113.59.xx(21826), 1 packet
> 
> 
> Counts over last few days of these packets by source IP:
>  337 33.82.212.156
>    5 12.251.107.193
>    2 68.153.205.32
>    2 61.42.229.25
>    2 206.71.120.78
>    1 69.14.14.98
>    1 61.56.240.10
>    1 61.51.105.148
>    1 61.205.238.21
>    1 24.88.169.84
>    1 24.85.203.222
>    1 212.204.50.35
>    1 212.19.146.112
>    1 211.243.102.59
>    1 210.22.118.19
>    1 210.135.158.201
>    1 207.219.94.68
>    1 202.103.222.254
>    1 193.212.67.241
>    1 148.243.165.195
> 
> 
> Counts by port and source IP:
>   337  44429 33.82.212.156
>     5  44429 12.251.107.193
>     2  44429 68.153.205.32
>     1  44429 69.14.14.98
>     1  44429 61.205.238.21
>     1  44429 24.88.169.84
>     1  44429 210.22.118.19
>     1  44429 210.135.158.201
>     1  44429 207.219.94.68
>     1  44429 193.212.67.241
>     1  44429 148.243.165.195
>     1  62306 61.56.240.10
>     1  25992 61.51.105.148
>     1   2954 212.19.146.112
>     1   2784 206.71.120.78
>     1   2280 206.71.120.78
>     1   2755 24.85.203.222
>     1   2426 212.204.50.35
>     1   2050 211.243.102.59
>     1   1519 61.42.229.25
>     1   1310 61.42.229.25
>     1   1487 202.103.222.254
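
An added example (not from the post or from DShield) that parses the Cisco ACL "list 110 denied" lines quoted above, reproduces the port-and-source tally, and flags the pattern a detector would care about here: one source port reused by many unrelated source IPs toward one destination port, which ordinary client stacks do not do. The sample lines are copied from the post; the regex, the helper names and the threshold of three sources are my assumptions.

```python
import re
from collections import Counter, defaultdict

# Cisco IOS ACL log line as quoted in the post, e.g.
#   Oct  8 09:57:19 list 110 denied tcp 148.243.165.195(44429) -> 63.113.59.xx(21826), 1 packet
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) list (?P<acl>\d+) denied (?P<proto>\w+) "
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) -> (?P<dst>[\w.]+)\((?P<dport>\d+)\), "
    r"(?P<n>\d+) packets?$"
)

def parse(lines):
    """Yield one dict per parseable line; an optional '> ' quote prefix is tolerated."""
    for line in lines:
        m = LOG_RE.match(line.strip().lstrip("> "))
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "n"):
                rec[key] = int(rec[key])
            yield rec

def count_by_port_and_src(records):
    """Packet totals keyed by (source port, source IP): the post's second tally."""
    totals = Counter()
    for r in records:
        totals[(r["sport"], r["src"])] += r["n"]
    return totals

def dst_ports_for_source_port(records, sport):
    """Destination ports seen for one source port (checks the post's observation 1)."""
    return {r["dport"] for r in records if r["sport"] == sport}

def fixed_source_ports(records, min_sources=3):
    """(source port, dest port) pairs used by >= min_sources distinct source IPs.
    Many unrelated senders sharing one source port points at a tool or spoofing."""
    senders = defaultdict(set)
    for r in records:
        senders[(r["sport"], r["dport"])].add(r["src"])
    return {k: len(v) for k, v in senders.items() if len(v) >= min_sources}

# Sample input: six lines copied from the post above.
SAMPLE = """\
Oct  1 09:53:55 list 110 denied tcp 12.251.107.193(44429) -> 63.113.59.xx(21826), 1 packet
Oct  8 09:57:19 list 110 denied tcp 148.243.165.195(44429) -> 63.113.59.xx(21826), 1 packet
Sep 30 08:51:04 list 110 denied tcp 193.212.67.241(44429) -> 63.113.59.xx(21826), 1 packet
Sep 28 03:22:29 list 110 denied tcp 33.82.212.156(44429) -> 63.113.59.xx(21826), 1 packet
Oct  2 19:05:55 list 110 denied tcp 202.103.222.254(1487) -> 63.113.59.xx(21826), 1 packet
Oct  9 02:05:59 list 110 denied tcp 206.71.120.78(2280) -> 63.113.59.xx(21826), 1 packet
"""
```

Run `fixed_source_ports(list(parse(SAMPLE.splitlines())))` to get `{(44429, 21826): 4}`, i.e. four distinct senders sharing source port 44429 toward port 21826, while the ephemeral-port senders are not flagged.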