[Dshield] port 554 activity

Bjorn Stromberg bjorn at thechemistrylab.com
Tue Oct 28 16:52:32 GMT 2003


Some time last night we started getting hit with scans from all over the
world for port 554.

I don't have a packet capture yet as it started at almost exactly 8pm and
continued unabated until almost exactly 7am this morning.

I'm suspecting my ISP has blocked traffic on this port and that is why I'm
not seeing any more traffic. They blocked port 135 within about 10 minutes
of the exploit being known. They also blocked Nachi pings as well so it
would be in character for my ISP to do this.

I have only seen 3 scans on port 554 previously, dated: 09.07.2003,
10.25.2003 and 10.26.2003

Anyone else seeing scans on 554?

Here's a taste of my logs:

2003-10-28 11:35:45 210.0.184.171 204.181.54.194 Tcp 2257 554 SYN
2003-10-28 11:35:45 210.0.184.171 204.181.54.195 Tcp 2259 554 SYN
2003-10-28 11:35:45 210.0.184.171 204.181.54.196 Tcp 2261 554 SYN
2003-10-28 11:35:45 210.0.184.171 204.181.54.197 Tcp 2263 554 SYN
2003-10-28 11:35:45 210.0.184.171 204.181.54.198 Tcp 2266 554 SYN
2003-10-28 11:40:59 210.243.129.209 204.181.54.194 Tcp 1163 554 SYN
2003-10-28 11:40:59 210.243.129.209 204.181.54.195 Tcp 1164 554 SYN
2003-10-28 11:40:59 210.243.129.209 204.181.54.196 Tcp 1165 554 SYN
2003-10-28 11:40:59 210.243.129.209 204.181.54.197 Tcp 1166 554 SYN
2003-10-28 11:40:59 210.243.129.209 204.181.54.198 Tcp 1167 554 SYN
2003-10-28 11:41:52 61.74.94.186 204.181.54.194 Tcp 2607 554
2003-10-28 11:41:52 61.74.94.186 204.181.54.196 Tcp 2609 554
2003-10-28 11:41:52 61.74.94.186 204.181.54.195 Tcp 2608 554
2003-10-28 11:41:53 61.74.94.186 204.181.54.198 Tcp 2611 554
2003-10-28 11:41:53 61.74.94.186 204.181.54.197 Tcp 2610 554
2003-10-28 11:46:25 211.214.198.189 204.181.54.194 Tcp 1626 554 SYN
2003-10-28 11:46:25 211.214.198.189 204.181.54.195 Tcp 1627 554 SYN
2003-10-28 11:46:25 211.214.198.189 204.181.54.196 Tcp 1628 554 SYN
2003-10-28 11:46:25 211.214.198.189 204.181.54.197 Tcp 1629 554 SYN
2003-10-28 11:46:25 211.214.198.189 204.181.54.198 Tcp 1630 554 SYN
2003-10-28 11:48:57 221.189.180.100 204.181.54.194 Tcp 1395 554 SYN
2003-10-28 11:48:57 221.189.180.100 204.181.54.195 Tcp 1396 554 SYN
2003-10-28 11:48:57 221.189.180.100 204.181.54.196 Tcp 1397 554 SYN
2003-10-28 11:48:57 221.189.180.100 204.181.54.197 Tcp 1398 554 SYN
2003-10-28 11:48:57 221.189.180.100 204.181.54.198 Tcp 1399 554 SYN


Bjorn Stromberg
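
The pattern visible in the log excerpt above (one source touching several adjacent addresses on port 554 within a second or two) can be pulled out of a log in this layout mechanically. The following is an added example, not part of the original post; the sample lines are constructed with documentation-range addresses, and the function names, the 3-host threshold and the 10-second window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's layout: date time src dst proto sport dport [flags]
SAMPLE = """\
2003-10-28 11:35:45 192.0.2.10 198.51.100.1 Tcp 2257 554 SYN
2003-10-28 11:35:45 192.0.2.10 198.51.100.2 Tcp 2259 554 SYN
2003-10-28 11:35:45 192.0.2.10 198.51.100.3 Tcp 2261 554 SYN
2003-10-28 11:41:52 192.0.2.20 198.51.100.1 Tcp 2607 554
2003-10-28 11:41:52 192.0.2.20 198.51.100.3 Tcp 2609 554
2003-10-28 11:41:53 192.0.2.20 198.51.100.2 Tcp 2608 554
2003-10-28 11:50:00 192.0.2.30 198.51.100.1 Tcp 4000 554 SYN
2003-10-28 11:50:01 192.0.2.30 198.51.100.2 Tcp 4001 80 SYN
2003-10-28 11:55:00 192.0.2.40 198.51.100.1 Tcp 5000 554 SYN
2003-10-28 12:30:00 192.0.2.40 198.51.100.2 Tcp 5001 554 SYN
2003-10-28 13:30:00 192.0.2.40 198.51.100.3 Tcp 5002 554 SYN
"""

def parse_line(line):
    """Return (ts, src, dst, dport, flags), or None for lines that do not parse."""
    parts = line.split()
    try:
        ts = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
        return ts, parts[2], parts[3], int(parts[6]), (parts[7] if len(parts) > 7 else "")
    except (ValueError, IndexError):
        return None

def find_sweeps(text, port=554, min_hosts=3, window=timedelta(seconds=10)):
    """Map each source that hit >= min_hosts distinct hosts on `port` within `window`."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == port:
            hits[rec[0 + 1]].append((rec[0], rec[2]))  # src -> [(time, dst), ...]
    sweeps = {}
    for src, events in hits.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale events
            best = max(best, {dst for _, dst in events[start:end + 1]}, key=len)
        if len(best) >= min_hosts:
            sweeps[src] = sorted(best)
    return sweeps
```

Lines with no flag column, like the 61.74.94.186 entries in the post, parse with an empty flag field, and a source that reaches the same hosts spread over hours is not reported as a sweep.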



