[Dshield] Ports 27015, 55000, 6881, 7008 and 65534

TRushing@hollandco.com TRushing at hollandco.com
Thu Jan 5 17:04:34 GMT 2006

Also of interest is udp port 4257, which appears to be used in multi-user 
VRML (3-d avatars online).

The 70 day chart and data is really interesting:


For most of early November (except for a bit on the 2nd and 3rd (testing 
phase?)), tcp packets were the bulk of the hits--over 90% and some days 
100%--and the number of unique targets was in the double or low triple 

Then, starting 16 November, the number of unique targets begins to climb 
and the percentage of TCP packets drops to almost nothing.  Since that 
time, the scanning machines have all been less than 100.  TCP percentage 
has been 1 or 0 and unique targets have been between 10K and 20K.

The 70 day graph is really worth taking a look at.  Be sure to note the 
testing phase in early November.

Tim Rushing

"Jon R. Kibler" <Jon.Kibler at aset.com> 
Sent by: list-bounces at lists.dshield.org
01/05/2006 10:35 AM
Please respond to
General DShield Discussion List <list at lists.dshield.org>

list at lists.dshield.org

[Dshield] Ports 27015, 55000, 6881, 7008 and 65534


A curiosity question... if you are reporting to DShield hits on any of the 
following ports: 

                 halflife        27015
                 (unknown)       55000
                 bittorrent      6881
                 afs3-update     7008
                 sbininitd       65534

It would be real informative to everyone to know exactly what is going on. 
For the past couple of days, these ports have been among the top 10 ports 
(and for months, bittorrent has been in that group). However, unlike most 
ports where there are a large number of sources and and even larger number 
of targets, for these ports there are a modest number of sources and a 
trivial (< 50 most days) number of targets. 

So if you are among the couple of dozen sites reporting getting whacked on 
these ports, can you please answer these questions?
                 Are these ports under attack -- DDoS?
                 If not, why are you attracting so much bogus traffic to 
these ports?

Intuition tells me that this must indicate some sort of attack... and I 
would like to know if I am right or not.

Thanks for your reply!

Jon Kibler
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214

Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.

Learn about Intrusion Detection in Depth from the comfort of your own 

send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see: 

More information about the list mailing list