VinzC (Watchman) | Posted: Thu Aug 24, 2006 9:22 am | Post subject: Big number of hits onto UDP port 25122
Hi.
Just out of curiosity, these are the top 10 ports that were hit during one week on one of our gateways:
Code:
```
# egrep -o 'DPT=[[:digit:]]+' /var/log/messages | sort | uniq -c | sort -rn | sed 's/DPT=//' | head -10
1583 25122
118 1220
88 1606
65 1584
38 19037
33 1723
31 45697
22 62421
18 41367
18 1024
```
Is there anything special about port 25122? I found nothing on Google about it... Potential spyware/trojan inside? A man-in-the-middle threat?
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!

wynn (Advocate) | Posted: Thu Aug 24, 2006 10:24 am
If you go to Dshield's Port Report and type 25122 into the "Port Report" box, you will see what they have on it. It doesn't seem very much by comparison with their TopTen.
You might also like to consider sending your logs to them - see http://dshield.org/ for details:
Quote:
> If you use a firewall, please submit your logs to the DShield database. You may either download one of our ready to go client programs, write your own, or use our Web Interface to manually submit your firewall logs. Registration is encouraged, but is not required.

_________________
The avatar is jorma, a "duck" from "Elephants Dream": the film and all the production materials have been made available under a Creative Commons Attribution 2.5 License, see orange.blender.org for details.

VinzC (Watchman) | Posted: Thu Aug 24, 2006 11:39 am
There seems to be nothing about that port. Says this is... background noise (aka "I don't know what it is yet").

wynn (Advocate) | Posted: Thu Aug 24, 2006 3:34 pm
Quote:
> Says this is... background noise (aka "I don't know what it is yet")

Seems reasonable: reports varying between 10 and 50 a day with at most 20 sources doesn't sound serious, does it? Perhaps submitting your logs will change that
If you had the time, I suppose you could look at the spread of source and destination addresses.
Perhaps you could save the logs for when you retire? :D

VinzC (Watchman) | Posted: Thu Aug 24, 2006 5:53 pm
wynn wrote:
> Perhaps you could save the logs for when you retire? :D

rotfl
EDIT: Indeed I took a look at the spread between source addresses. They rate approx. 20-30 hits each at most. Nothing worth a nightmare, IMHO.
EDIT: Note a clever attacker would also like to disguise by flooding a dummy port with false packets like this and actually target a less significant port. Since network admins pay most attention to the top-rated, targeted ports they care less about those which are lower in the stats. So if a true hole lies a bit lower in the stats, chances are it doesn't catch such attention... Or maybe I'm just getting paranoid ...
Just my 2 (euro) cents.
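
The thread's two follow-up checks, the spread of source addresses per port and the hit count per source, as an added example that is not part of the original posts. It assumes iptables LOG lines carrying `SRC=`, `PROTO=` and `DPT=` fields; the function names and the sample lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): per-port summary of iptables LOG lines.
# Output columns: hits, distinct sources, max hits from one source, PROTO/DPT.
port_spread() {
    awk '
    {
        src = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src == "" || dpt == "") next    # skip lines without a source or port
        key = proto "/" dpt
        hits[key]++
        if (++per[key, src] == 1) nsrc[key]++    # first hit from this source
        if (per[key, src] > top[key]) top[key] = per[key, src]
    }
    END {
        for (k in hits) printf "%d %d %d %s\n", hits[k], nsrc[k], top[k], k
    }' | sort -k1,1nr -k4,4
}

# Constructed sample input: shortened log lines, not taken from the thread.
sample_log() {
    cat <<'EOF'
Aug 21 09:13:40 gw sshd[812]: Accepted publickey for admin
Aug 21 09:14:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=UDP SPT=4000 DPT=25122 LEN=20
Aug 21 09:14:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=UDP SPT=4001 DPT=25122 LEN=20
Aug 21 09:15:31 gw kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.1 PROTO=UDP SPT=5120 DPT=25122 LEN=20
Aug 21 09:16:47 gw kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.1 PROTO=UDP SPT=6200 DPT=25122 LEN=20
Aug 21 09:17:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.1 PROTO=ICMP TYPE=8 CODE=0
Aug 21 09:18:22 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=3311 DPT=1723 SYN
Aug 21 09:18:25 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=3311 DPT=1723 SYN
EOF
}

sample_log | port_spread
```

On the gateway, `port_spread < /var/log/messages` produces the same table for the real log. Reading the whole table rather than only the top rows is what shows a low-ranked port whose hits all come from a single source.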