[Dshield] Ports 27015, 55000, 6881, 7008 and 65534

stu secmail at patchsupplier.dyndns.org
Thu Jan 5 17:57:06 GMT 2006


I've been getting a lot of hits recently on port 4257. Well, when I say a
lot of hits, I'm getting packets on ports 1028-1033 and 4257 from a few
hosts. Not determined what is causing it yet.

Apologies for the HTML.

E.g.

 

Original Client IP  Source Port  Log Time          Destination IP  Destination Port  Client IP      Transport
61.233.40.206       46571        05/01/2006 13:23  212.57.230.10   4257              61.233.40.206  UDP
61.233.40.206       41911        05/01/2006 13:10  212.57.230.10   4257              61.233.40.206  UDP
61.233.40.206       52056        05/01/2006 05:55  212.57.230.10   4257              61.233.40.206  UDP
61.233.40.206       44435        05/01/2006 05:33  212.57.230.10   1031              61.233.40.206  UDP
61.233.40.206       36527        04/01/2006 22:46  212.57.230.10   4257              61.233.40.206  UDP
61.233.40.206       36663        04/01/2006 21:29  212.57.230.10   4257              61.233.40.206  UDP
61.233.40.206       43957        04/01/2006 15:25  212.57.230.10   4257              61.233.40.206  UDP
61.233.40.206       47738        04/01/2006 14:20  212.57.230.10   4257              61.233.40.206  UDP
61.233.40.206       43576        04/01/2006 07:49  212.57.230.10   1031              61.233.40.206  UDP
61.233.40.206       43576        04/01/2006 07:49  212.57.230.10   1030              61.233.40.206  UDP
61.233.40.206       43576        04/01/2006 07:49  212.57.230.10   1028              61.233.40.206  UDP
61.233.40.206       44830        04/01/2006 06:35  212.57.230.10   1030              61.233.40.206  UDP
61.233.40.206       44830        04/01/2006 06:35  212.57.230.10   1031              61.233.40.206  UDP
61.233.40.206       44830        04/01/2006 06:35  212.57.230.10   4257              61.233.40.206  UDP
61.233.40.206       38558        04/01/2006 01:13  212.57.230.10   1032              61.233.40.206  UDP
61.233.40.206       38558        04/01/2006 01:13  212.57.230.10   1031              61.233.40.206  UDP
61.233.40.206       38558        04/01/2006 01:13  212.57.230.10   1030              61.233.40.206  UDP
61.233.40.206       50985        03/01/2006 21:56  212.57.230.10   4257              61.233.40.206  UDP
61.233.40.206       43139        03/01/2006 17:45  212.57.230.10   4257              61.233.40.206  UDP
61.233.40.206       37686        03/01/2006 14:55  212.57.230.10   1028              61.233.40.206  UDP
61.233.40.206       41350        02/01/2006 23:30  212.57.230.10   1032              61.233.40.206  UDP
61.233.40.206       41350        02/01/2006 23:30  212.57.230.10   1029              61.233.40.206  UDP
61.233.40.206       53629        02/01/2006 15:54  212.57.230.10   1031              61.233.40.206  UDP

 

 

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of
TRushing at hollandco.com
Sent: 05 January 2006 17:05
To: General DShield Discussion List
Subject: Re: [Dshield] Ports 27015, 55000, 6881, 7008 and 65534

 

Also of interest is udp port 4257, which appears to be used in multi-user
VRML (3-d avatars online).

The 70 day chart and data is really interesting:

http://isc.sans.org/port_details.php?port=4257&repax=1&tarax=2&srcax=2&percent=N&days=70&Redraw=Submit+Query

For most of early November (except for a bit on the 2nd and 3rd (testing
phase?)), tcp packets were the bulk of the hits--over 90% and some days
100%--and the number of unique targets was in the double or low triple
digits.

Then, starting 16 November, the number of unique targets begins to climb
and the percentage of TCP packets drops to almost nothing.  Since that
time, the scanning machines have all been less than 100.  TCP percentage
has been 1 or 0 and unique targets have been between 10K and 20K.

The 70 day graph is really worth taking a look at.  Be sure to note the
testing phase in early November.

 

Tim Rushing
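
Added example, not part of either message: one way to triage a log like the table above is to count hits per destination port and to flag source ports that hit several destination ports in the same minute. The rows are the 04/01/2006 entries from the table; the function names and the compact row layout are assumptions made for this sketch.

```python
from collections import Counter, defaultdict
from datetime import datetime

# 04/01/2006 rows from the table in the post: source port, log time, destination port.
# Every row is UDP from 61.233.40.206 to 212.57.230.10, so those columns are omitted.
ROWS = """\
36527 04/01/2006 22:46 4257
36663 04/01/2006 21:29 4257
43957 04/01/2006 15:25 4257
47738 04/01/2006 14:20 4257
43576 04/01/2006 07:49 1031
43576 04/01/2006 07:49 1030
43576 04/01/2006 07:49 1028
44830 04/01/2006 06:35 1030
44830 04/01/2006 06:35 1031
44830 04/01/2006 06:35 4257
38558 04/01/2006 01:13 1032
38558 04/01/2006 01:13 1031
38558 04/01/2006 01:13 1030
"""

def parse(text):
    """Return (source_port, timestamp, destination_port) tuples."""
    records = []
    for line in text.splitlines():
        sport, date, clock, dport = line.split()
        # Assumption: dates are DD/MM/YYYY (the mail itself is dated 5 Jan 2006).
        ts = datetime.strptime(f"{date} {clock}", "%d/%m/%Y %H:%M")
        records.append((int(sport), ts, int(dport)))
    return records

def port_counts(records):
    """Hits per destination port."""
    return Counter(dport for _, _, dport in records)

def sweeps(records):
    """Source ports that hit more than one destination port in the same minute."""
    groups = defaultdict(set)
    for sport, ts, dport in records:
        groups[(sport, ts)].add(dport)
    return {key: sorted(ports) for key, ports in groups.items() if len(ports) > 1}

if __name__ == "__main__":
    records = parse(ROWS)
    for port, hits in port_counts(records).most_common():
        print(f"udp/{port}: {hits}")
    for (sport, ts), ports in sweeps(records).items():
        print(f"{ts:%d/%m/%Y %H:%M} source port {sport} -> {ports}")
```

On these rows the grouping shows three bursts in which one source port reaches three destination ports within a minute, and the 06:35 burst covers 1030, 1031 and 4257 together.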

 


