[Dshield] 4051/tcp

jayjwa jayjwa at atr2.ath.cx
Mon Jun 27 10:43:46 GMT 2005


I've been seeing a lot of SYN packets to port 4051 lately. In fact, other 
than Qwest's on-going virus barrage (since June 7th) on 25 and the 
usual 445 stuff, it's the number one port getting attention in the 
firewall logs. The source ports are mid-high range and vary. A few (2-3) 
of the hosts I recognise. Sorted & uniq'ed, here's last night's hosts:

Of those, some had their 4051 filtered, some closed, and one was open. The 
open one wouldn't return any traffic when connected to. There didn't seem 
to be much on Google about it, just a few things about broken ftp 
connections which I doubt this is. Also a few mentions of a chat system 
I've never heard of. Has anyone seen activity on this port and might 
know what is going to & fro?


-- 
Confidentiality Notice: This email may contain confidential
and privileged information. If in the event that it does,
please send it back to me with a reply telling me how
stupid I am for sending confidential info to a public forum.

