[CentOS] [OT] odd network question

Fri Aug 2 03:53:26 UTC 2019
Fred Smith <fredex at fcshome.stoneham.ma.us>

I know this is OT, but I'm not sure where else to ask. I can hope for fogiveness! :)

My home router sends its logs to the rsyslog on my desktop system, and
from there I can learn all kinds of interesting (or disturbing) things.
I've written a really horrid shellscript (about 20 things piped together
with a temp file in the middle) to give me the count of DROP events for
specific incoming ports. (The "Description" field is lifted verbatim from
/etc/services.)

Count   Port    Description
-----   ----    -----------
140750  48825   
12251   23      telnet          23/tcp
10043   445     microsoft-ds    445/tcp
2869    1       tcpmux          1/tcp                           # TCP port service multiplexer
2478    9       discard         9/tcp           sink null
2154    8080    webcache        8080/tcp        http-alt        # WWW caching service
1990    5060    sip             5060/tcp                # SIP
1592    8089    
1452    8545    
1358    3389    ms-wbt-server   3389/tcp                # MS WBT Server
1275    443     https           443/tcp                         # http protocol over TLS/SSL
1275    81      
1258    5000    commplex-main   5000/tcp                #
1244    80      http            80/tcp          www www-http    # WorldWideWeb HTTP
1022    8291    
840     60001   
834     7547    cwmp            7547/tcp                # DSL Forum CWMP
821     1433    ms-sql-s        1433/tcp                        # Microsoft-SQL-Server
809     2323    3d-nfsd         2323/tcp                # 3d-nfsd
764     5555    personal-agent  5555/tcp                # Personal Agent

This is just the first screen of it, there are many more. The data
compiled here is for the last month (rsyslog is keeping the current
log plus four older logs). I find it disturbing that there were 12251
attempts at telnet during that time, 2154 on 8080, and so forth. either
I'm some kind of special/hot target, or else everybody gets this kind
of crap and may not even know it.

But the one thing I mean to ask about here is the very first item,
140,750 attempts at port 48825. What the heck is port 48825? I can't
find any reference to anything that uses it online, but for some reason
it is extremely popular, at least amongst the turkeys trying to break
into my network!

A little more grepping:

grep 'DPT=48825' Firewall-Log* | grep -o "SRC=[09123456789.]*" | sort -u -t '.' -k "1.5g,1g" | less

reveals that of all the source addresses trying to poke at 48825,
there are 193 unique addresses. Either this indicates a heck of a lot
of sites having at my firewall, or that some few sites are all spoofing
their addresses. I can sort of understand people whaling away at ports
that may conceal gold, from their warped point of view, but I haven't a
clue why so many people would be beating on some apparently unassigned
and unused port.

Anyone got any clues?

Thanks in advance!

Fred
-- 
-------------------------------------------------------------------------------
 .----    Fred Smith   /              
( /__  ,__.   __   __ /  __   : /     
 /    /  /   /__) /  /  /__) .+'           Home: fredex at fcshome.stoneham.ma.us 
/    /  (__ (___ (__(_ (___ / :__                                 781-438-5471 
-------------------------------- Jude 1:24,25 ---------------------------------