Can't help with the mystery port 48825. But I find your approach truly creative!

-- Kay

On 8/1/19 8:53 PM, Fred Smith wrote:
> I know this is OT, but I'm not sure where else to ask. I can hope for forgiveness! :)
>
> My home router sends its logs to the rsyslog on my desktop system, and
> from there I can learn all kinds of interesting (or disturbing) things.
> I've written a really horrid shellscript (about 20 things piped together
> with a temp file in the middle) to give me the count of DROP events for
> specific incoming ports. (The "Description" field is lifted verbatim from
> /etc/services.)
>
>  Count   Port  Description
>  -----   ----  -----------
> 140750  48825
>  12251     23  telnet 23/tcp
>  10043    445  microsoft-ds 445/tcp
>   2869      1  tcpmux 1/tcp # TCP port service multiplexer
>   2478      9  discard 9/tcp sink null
>   2154   8080  webcache 8080/tcp http-alt # WWW caching service
>   1990   5060  sip 5060/tcp # SIP
>   1592   8089
>   1452   8545
>   1358   3389  ms-wbt-server 3389/tcp # MS WBT Server
>   1275    443  https 443/tcp # http protocol over TLS/SSL
>   1275     81
>   1258   5000  commplex-main 5000/tcp #
>   1244     80  http 80/tcp www www-http # WorldWideWeb HTTP
>   1022   8291
>    840  60001
>    834   7547  cwmp 7547/tcp # DSL Forum CWMP
>    821   1433  ms-sql-s 1433/tcp # Microsoft-SQL-Server
>    809   2323  3d-nfsd 2323/tcp # 3d-nfsd
>    764   5555  personal-agent 5555/tcp # Personal Agent
>
> This is just the first screen of it, there are many more. The data
> compiled here is for the last month (rsyslog is keeping the current
> log plus four older logs). I find it disturbing that there were 12251
> attempts at telnet during that time, 2154 on 8080, and so forth. Either
> I'm some kind of special/hot target, or else everybody gets this kind
> of crap and may not even know it.
>
> But the one thing I mean to ask about here is the very first item,
> 140,750 attempts at port 48825. What the heck is port 48825? I can't
> find any reference to anything that uses it online, but for some reason
> it is extremely popular, at least amongst the turkeys trying to break
> into my network!
>
> A little more grepping:
>
>   grep 'DPT=48825' Firewall-Log* | grep -o "SRC=[09123456789.]*" | sort -u -t '.' -k "1.5g,1g" | less
>
> reveals that of all the source addresses trying to poke at 48825,
> there are 193 unique addresses. Either this indicates a heck of a lot
> of sites having at my firewall, or that some few sites are all spoofing
> their addresses. I can sort of understand people whaling away at ports
> that may conceal gold, from their warped point of view, but I haven't a
> clue why so many people would be beating on some apparently unassigned
> and unused port.
>
> Anyone got any clues?
>
> Thanks in advance!
>
> Fred
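The two analyses Fred describes above (DROP counts per destination port annotated from /etc/services, and the number of distinct source addresses hitting one port) can be done in a single pass over the forwarded log without the temp file and the long pipeline. The script below is an added example written for this thread, not Fred's script or anything from the list; it assumes netfilter-style lines in which the rule's log prefix puts the word DROP (or ACCEPT/REJECT) before the IN=/SRC=/DPT= fields, and both the log excerpt and the /etc/services excerpt embedded here are constructed samples using documentation address ranges. It counts per (port, protocol) pair so that the /etc/services lookup picks the matching tcp or udp entry, and it collects distinct source addresses as whole strings in Python; note that `sort -u` de-duplicates on the sort key, so a key that covers only part of the address folds distinct addresses together.

```python
import re
from collections import Counter

# Constructed sample of firewall lines as a router would forward them over
# rsyslog (netfilter log layout; the leading DROP/ACCEPT word is assumed to
# come from the rule's log prefix). Addresses are documentation ranges.
SAMPLE_LOG = """\
Aug  1 20:53:01 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44321 DPT=23
Aug  1 20:53:02 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44322 DPT=23
Aug  1 20:53:03 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=48825
Aug  1 20:53:04 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51001 DPT=48825
Aug  1 20:53:05 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=51002 DPT=48825
Aug  1 20:53:06 router kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=51003 DPT=443
Aug  1 20:53:07 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=UDP SPT=5060 DPT=5060
"""

# Constructed excerpt in /etc/services layout (name, port/proto, aliases, comment).
SAMPLE_SERVICES = """\
# Network services, Internet style
telnet          23/tcp
https           443/tcp         # http protocol over TLS/SSL
sip             5060/tcp        # SIP
sip             5060/udp
"""

# One regex per line; lines without SRC, PROTO and DPT (e.g. ICMP) do not
# match and are skipped rather than mis-counted.
LOG_RE = re.compile(
    r"\b(?P<action>DROP|ACCEPT|REJECT)\b.*?"
    r"\bSRC=(?P<src>[0-9.]+).*?"
    r"\bPROTO=(?P<proto>\w+).*?"
    r"\bDPT=(?P<dpt>\d+)\b"
)


def parse_log(text):
    """Yield one dict per parseable line: action, src, proto, dpt."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["dpt"] = int(d["dpt"])
            d["proto"] = d["proto"].lower()
            yield d


def load_services(text):
    """Map (port, proto) -> the verbatim /etc/services line, like Fred's table."""
    svc = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)          # name, port/proto, rest
        if len(fields) < 2:
            continue
        port, _, proto = fields[1].partition("/")
        if port.isdigit():
            svc[(int(port), proto.lower())] = line
    return svc


def drop_counts(events):
    """Number of DROP events per (destination port, protocol)."""
    return Counter((e["dpt"], e["proto"]) for e in events if e["action"] == "DROP")


def unique_sources(events, port):
    """Distinct source addresses whose dropped packets targeted `port`."""
    return {e["src"] for e in events if e["action"] == "DROP" and e["dpt"] == port}


def report(events, services):
    """Rows of (count, port, proto, description), busiest port first."""
    return [(n, port, proto, services.get((port, proto), ""))
            for (port, proto), n in drop_counts(events).most_common()]


if __name__ == "__main__":
    evs = list(parse_log(SAMPLE_LOG))        # list: iterated more than once below
    svc = load_services(SAMPLE_SERVICES)
    print(f"{'Count':>6} {'Port':>6} Proto Description")
    for n, port, proto, desc in report(evs, svc):
        print(f"{n:>6} {port:>6} {proto:<5} {desc}")
    for port in sorted({p for p, _ in drop_counts(evs)}):
        print(f"port {port}: {len(unique_sources(evs, port))} unique source(s)")
```

To run it against the real forwarded logs, replace `SAMPLE_LOG` with the concatenated contents of the rotated log files and `SAMPLE_SERVICES` with `open("/etc/services").read()`; lines the regex does not match are the first place to look if the totals come out lower than the grep pipeline's.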