[Dshield] tcp 18905 increase

TRushing at hollandco.com
Mon Mar 14 20:06:52 GMT 2005


I just saw a scan across my small subnet for tcp port 18905.  That struck 
me as an odd port, so I checked out the dshield info for that port 
(http://www.dshield.org/port_report.php?port=18905&recax=1&tarax=2&srcax=2&percent=N&days=40&Redraw=) 
and it shows a rather large increase starting over the weekend:

2005-03-14 10    3208   4157 
2005-03-13  8   20060  23442 
2005-03-12 11    1703   4564 
2005-03-11 13      12     28 
2005-03-10 12      12     35 

It does not appear to be a worm because the source of the scans is not 
changing, but the targets definitely seem to be up.  Someone checking 
penetration for a new exploit?  I've not been able to find a use for tcp 
port 18905.

Mar 14 13:47:16 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.72 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9760 DF 
PROTO=TCP SPT=2153 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:16 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9763 DF 
PROTO=TCP SPT=2156 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:16 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.74 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9770 DF 
PROTO=TCP SPT=2163 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:16 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.75 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9774 DF 
PROTO=TCP SPT=2167 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:16 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9834 DF 
PROTO=TCP SPT=2176 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:16 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.77 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9840 DF 
PROTO=TCP SPT=2182 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:16 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.78 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9847 DF 
PROTO=TCP SPT=2190 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:16 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.79 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9853 DF 
PROTO=TCP SPT=2198 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:19 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.75 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=12529 
DF PROTO=TCP SPT=2167 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:19 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.74 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=12531 
DF PROTO=TCP SPT=2163 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:19 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.72 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=12568 
DF PROTO=TCP SPT=2153 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:19 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=12559 
DF PROTO=TCP SPT=2156 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:19 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.78 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=12636 
DF PROTO=TCP SPT=2190 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:19 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.79 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=12667 
DF PROTO=TCP SPT=2198 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:19 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.77 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=12668 
DF PROTO=TCP SPT=2182 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
Mar 14 13:47:19 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC= 
SRC=64.151.80.68 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=12650 
DF PROTO=TCP SPT=2176 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0 
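
Added example, not part of the original post: a Python sketch that rejoins the mail-wrapped iptables entries and, per source and destination port, separates first-time SYNs from repeats of the same SRC/SPT/DST/DPT 4-tuple. The names unwrap and summarize and the year default are assumptions made for this illustration; SAMPLE repeats three entries from the log above.

```python
import re
from datetime import datetime

# Three entries copied from the log above, wrapped as in the post (DST redaction kept).
SAMPLE = """\
Mar 14 13:47:16 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC=
SRC=64.151.80.68 DST=a.b.c.72 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9760 DF
PROTO=TCP SPT=2153 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 14 13:47:16 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC=
SRC=64.151.80.68 DST=a.b.c.73 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9763 DF
PROTO=TCP SPT=2156 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 14 13:47:19 host kernel: IPT syn ppp0 IN=ppp0 OUT= MAC=
SRC=64.151.80.68 DST=a.b.c.72 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=12568
DF PROTO=TCP SPT=2153 DPT=18905 WINDOW=65535 RES=0x00 SYN URGP=0
"""

STAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d")  # syslog timestamp
FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty (OUT=, MAC=)

def unwrap(text):
    """Rejoin log entries that mail wrapping split across several lines."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if line and (STAMP.match(line) or not entries):
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def summarize(text, year=2005):
    """Per (SRC, DPT): distinct targets, first SYNs, repeated SYNs and their delays."""
    stats, first_seen = {}, {}
    for entry in unwrap(text):
        stamp = STAMP.match(entry)
        kv = dict(FIELD.findall(entry))
        if not stamp or kv.get("PROTO") != "TCP" or " SYN " not in entry:
            continue
        when = datetime.strptime(f"{year} {stamp.group(0)}", "%Y %b %d %H:%M:%S")
        flow = (kv["SRC"], kv["SPT"], kv["DST"], kv["DPT"])
        s = stats.setdefault((kv["SRC"], int(kv["DPT"])),
                             {"targets": set(), "probes": 0, "retries": 0, "delays": set()})
        s["targets"].add(kv["DST"])
        if flow in first_seen:  # same 4-tuple again: a retransmitted SYN, not a new probe
            s["retries"] += 1
            s["delays"].add(int((when - first_seen[flow]).total_seconds()))
        else:
            first_seen[flow] = when
            s["probes"] += 1
    return stats
```

Run over all sixteen entries above, this reports 8 distinct targets, 8 first SYNs and 8 repeats, each repeat arriving 3 seconds after the first SYN from the same source port.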




