[OT] odd network question




I know this is OT, but I'm not sure where else to ask. I can hope for forgiveness! :)

My home router sends its logs to the rsyslog on my desktop system, and
from there I can learn all kinds of interesting (or disturbing) things.
I've written a really horrid shellscript (about 20 things piped together
with a temp file in the middle) to give me the count of DROP events for
specific incoming ports. (The "Description" field is lifted verbatim from
/etc/services.)

Count   Port    Description
-----   ----    -----------
140750  48825   
12251   23      telnet          23/tcp
10043   445     microsoft-ds    445/tcp
2869    1       tcpmux          1/tcp                           # TCP port service multiplexer
2478    9       discard         9/tcp           sink null
2154    8080    webcache        8080/tcp        http-alt        # WWW caching service
1990    5060    sip             5060/tcp                # SIP
1592    8089    
1452    8545    
1358    3389    ms-wbt-server   3389/tcp                # MS WBT Server
1275    443     https           443/tcp                         # http protocol over TLS/SSL
1275    81      
1258    5000    commplex-main   5000/tcp                #
1244    80      http            80/tcp          www www-http    # WorldWideWeb HTTP
1022    8291    
840     60001   
834     7547    cwmp            7547/tcp                # DSL Forum CWMP
821     1433    ms-sql-s        1433/tcp                        # Microsoft-SQL-Server
809     2323    3d-nfsd         2323/tcp                # 3d-nfsd
764     5555    personal-agent  5555/tcp                # Personal Agent

This is just the first screen of it; there are many more. The data
compiled here is for the last month (rsyslog is keeping the current
log plus four older logs). I find it disturbing that there were 12251
attempts at telnet during that time, 2154 on 8080, and so forth. Either
I'm some kind of special/hot target, or else everybody gets this kind
of crap and may not even know it.

But the one thing I mean to ask about here is the very first item,
140,750 attempts at port 48825. What the heck is port 48825? I can't
find any reference to anything that uses it online, but for some reason
it is extremely popular, at least amongst the turkeys trying to break
into my network!

A little more grepping:

# extract the SRC= address of every DROP with DPT=48825, then sort the
# addresses numerically octet by octet and keep one copy of each address
# (the original key "1.5g,1g" covered only the first octet, so -u would
# have collapsed every address sharing that octet into a single line)
grep 'DPT=48825' Firewall-Log* | grep -o "SRC=[0-9.]*" \
  | sort -u -t '.' -k 1.5n,1 -k 2n,2 -k 3n,3 -k 4n,4 | less

reveals that of all the source addresses trying to poke at 48825,
there are 193 unique addresses. Either this indicates a heck of a lot
of sites having at my firewall, or that some few sites are all spoofing
their addresses. I can sort of understand people whaling away at ports
that may conceal gold, from their warped point of view, but I haven't a
clue why so many people would be beating on some apparently unassigned
and unused port.

Anyone got any clues?

Thanks in advance!

Fred
-- 
-------------------------------------------------------------------------------
 .----    Fred Smith   /              
( /__  ,__.   __   __ /  __   : /     
 /    /  /   /__) /  /  /__) .+'           Home: fredex@xxxxxxxxxxxxxxxxxxxxxx 
/    /  (__ (___ (__(_ (___ / :__                                 781-438-5471 
-------------------------------- Jude 1:24,25 ---------------------------------
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
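As an added example (not part of Fred's post or his script), the following Python does what the shell pipeline does in one place: it parses DROP lines, counts hits per destination port, looks the port up in /etc/services via the standard library, and lists the distinct source addresses for a port sorted numerically rather than as strings. The log format is an assumption: the sample lines are constructed in the usual netfilter/iptables style (`SRC=`, `DST=`, `PROTO=`, `SPT=`, `DPT=`), since the post shows only the `SRC=` and `DPT=` fields; the 48825 hits and addresses in the sample are made up.

```python
import re
import socket
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in netfilter/iptables log style (an assumption
# about the router's format). Addresses come from the documentation ranges.
SAMPLE_LOG = """\
Mar  3 01:02:03 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=48825
Mar  3 01:02:04 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=51001 DPT=48825
Mar  3 01:02:05 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=48825
Mar  3 01:02:06 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.100 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=23
Mar  3 01:02:07 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=23
Mar  3 01:02:08 router kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=22
Mar  3 01:02:09 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=UDP SPT=5060 DPT=5060
"""

# key=value fields of interest; OUT= (often empty) is deliberately not captured
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_drop_events(lines):
    """Return one dict per DROP line that carries both a source and a port."""
    events = []
    for line in lines:
        if " DROP " not in line:
            continue  # ACCEPT or unrelated kernel chatter
        fields = dict(FIELD_RE.findall(line))
        if "SRC" not in fields or "DPT" not in fields:
            continue  # ICMP and malformed lines have no destination port
        events.append({
            "src": fields["SRC"],
            "dpt": int(fields["DPT"]),
            "proto": fields.get("PROTO", "?").lower(),
        })
    return events


def service_name(port):
    """Look the port up in /etc/services; empty string if unassigned."""
    try:
        return socket.getservbyport(port)
    except (OSError, OverflowError):
        return ""


def count_by_port(events):
    """[(port, hits), ...] most-hit first, like the Count/Port columns."""
    return Counter(e["dpt"] for e in events).most_common()


def unique_sources(events, port):
    """Distinct sources that hit `port`, ordered numerically by address
    (a plain string sort would put 203.0.113.100 before 203.0.113.9)."""
    srcs = {e["src"] for e in events if e["dpt"] == port}
    return sorted(srcs, key=ip_address)


def report(lines):
    """(hits, port, service, distinct sources) per port, most-hit first."""
    events = parse_drop_events(lines)
    return [(n, port, service_name(port), len(unique_sources(events, port)))
            for port, n in count_by_port(events)]


if __name__ == "__main__":
    print(f"{'Count':>6}  {'Port':>6}  {'Service':<16} Sources")
    for n, port, svc, nsrc in report(SAMPLE_LOG.splitlines()):
        print(f"{n:>6}  {port:>6}  {svc:<16} {nsrc}")
    print("sources for 48825:",
          ", ".join(unique_sources(parse_drop_events(SAMPLE_LOG.splitlines()), 48825)))
```

Point it at the real logs with `report(open("Firewall-Log").read().splitlines())`; the `socket.getservbyport` lookup reads the same /etc/services the post's Description column was lifted from, so an unassigned port such as 48825 simply gets a blank service name.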


