[CentOS] [OT] odd network question
Kay Schenk
kay.schenk at gmail.com
Sat Aug 3 15:36:42 UTC 2019
Can't help with the mystery port 48825. But I find your approach truly
creative!
-- Kay
On 8/1/19 8:53 PM, Fred Smith wrote:
> I know this is OT, but I'm not sure where else to ask. I can hope for forgiveness! :)
>
> My home router sends its logs to the rsyslog on my desktop system, and
> from there I can learn all kinds of interesting (or disturbing) things.
> I've written a really horrid shellscript (about 20 things piped together
> with a temp file in the middle) to give me the count of DROP events for
> specific incoming ports. (The "Description" field is lifted verbatim from
> /etc/services.)
>
> Count Port Description
> ----- ---- -----------
> 140750 48825
> 12251 23 telnet 23/tcp
> 10043 445 microsoft-ds 445/tcp
> 2869 1 tcpmux 1/tcp # TCP port service multiplexer
> 2478 9 discard 9/tcp sink null
> 2154 8080 webcache 8080/tcp http-alt # WWW caching service
> 1990 5060 sip 5060/tcp # SIP
> 1592 8089
> 1452 8545
> 1358 3389 ms-wbt-server 3389/tcp # MS WBT Server
> 1275 443 https 443/tcp # http protocol over TLS/SSL
> 1275 81
> 1258 5000 commplex-main 5000/tcp #
> 1244 80 http 80/tcp www www-http # WorldWideWeb HTTP
> 1022 8291
> 840 60001
> 834 7547 cwmp 7547/tcp # DSL Forum CWMP
> 821 1433 ms-sql-s 1433/tcp # Microsoft-SQL-Server
> 809 2323 3d-nfsd 2323/tcp # 3d-nfsd
> 764 5555 personal-agent 5555/tcp # Personal Agent
>
> This is just the first screen of it, there are many more. The data
> compiled here is for the last month (rsyslog is keeping the current
> log plus four older logs). I find it disturbing that there were 12251
> attempts at telnet during that time, 2154 on 8080, and so forth. Either
> I'm some kind of special/hot target, or else everybody gets this kind
> of crap and may not even know it.
>
> But the one thing I mean to ask about here is the very first item,
> 140,750 attempts at port 48825. What the heck is port 48825? I can't
> find any reference to anything that uses it online, but for some reason
> it is extremely popular, at least amongst the turkeys trying to break
> into my network!
>
> A little more grepping:
>
> grep 'DPT=48825' Firewall-Log* | grep -o "SRC=[09123456789.]*" | sort -u -t '.' -k "1.5g,1g" | less
>
> reveals that of all the source addresses trying to poke at 48825,
> there are 193 unique addresses. Either this indicates a heck of a lot
> of sites having at my firewall, or that some few sites are all spoofing
> their addresses. I can sort of understand people whaling away at ports
> that may conceal gold, from their warped point of view, but I haven't a
> clue why so many people would be beating on some apparently unassigned
> and unused port.
>
> Anyone got any clues?
>
> Thanks in advance!
>
> Fred
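An added example, not Fred's script or anything else from the thread: the same count of DROP events per port, plus the distinct-source count per port, in Python instead of a pipeline. It assumes the router forwards netfilter-style lines whose drop prefix contains the word DROP and which carry SRC=/DPT=/PROTO= fields, and it reads /etc/services for the description column only if that file is present; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
# netfilter LOG records carry KEY=VALUE pairs; only SRC, DPT and PROTO matter here
FIELD_RE = re.compile(r'\b(SRC|DPT|PROTO)=(\S+)')

def parse_line(line):
    """Return the SRC/DPT/PROTO fields of a DROP record, or None for anything else."""
    if 'DROP' not in line:  # assumption: the router's log prefix for drops contains DROP
        return None
    fields = dict(FIELD_RE.findall(line))
    if 'SRC' not in fields or 'DPT' not in fields:  # e.g. ICMP records carry no DPT
        return None
    return fields

def load_services(path='/etc/services'):
    """Map (port, proto) -> service name from /etc/services; empty if unreadable."""
    services = {}
    try:
        with open(path) as fh:
            for raw in fh:
                parts = raw.split('#', 1)[0].split()
                if len(parts) >= 2 and '/' in parts[1]:
                    port, proto = parts[1].split('/', 1)
                    services[(int(port), proto)] = parts[0]
    except OSError:
        pass
    return services

def summarize(lines):
    """Return (DROP count per port, distinct source addresses per port)."""
    drops, sources = Counter(), defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        port = int(rec['DPT'])
        drops[port] += 1
        sources[port].add(rec['SRC'])
    return drops, {p: len(s) for p, s in sources.items()}

def report(lines, services=None):
    """Rows of Count / Port / distinct Sources / Description, busiest port first."""
    services = load_services() if services is None else services
    drops, uniq = summarize(lines)
    return [f"{n:>7} {port:>5} {uniq[port]:>4} {services.get((port, 'tcp'), '')}"
            for port, n in drops.most_common()]
# Constructed sample lines (not from the thread) in netfilter LOG format.
SAMPLE_LOG = """\
Aug  1 20:01:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=48825
Aug  1 20:01:05 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=48825
Aug  1 20:01:09 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.42 DST=192.0.2.10 PROTO=TCP SPT=55000 DPT=48825
Aug  1 20:02:30 gw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=22
""".splitlines()
```

Feed it the real logs with `report(open('Firewall-Log').read().splitlines())`; the third column answers the "193 unique addresses" question for every port at once rather than one grep at a time.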