[CentOS] [OT] odd network question

Fri Aug 2 07:22:06 UTC 2019
Pete Biggs <pete at biggs.org.uk>

> This is just the first screen of it, there are many more. The data
> compiled here is for the last month (rsyslog is keeping the current
> log plus four older logs). I find it disturbing that there were 12251
> attempts at telnet during that time, 2154 on 8080, and so forth. either
> I'm some kind of special/hot target, or else everybody gets this kind
> of crap and may not even know it.

The raw internet is a very noisy, nasty place. That's why we have
firewalls!  FYI, telnet (as you realise) is old, but the old machines
that are still running it are eminently and easily hackable - it may be
your IP has got on a list of old SGI boxes. 8080 probes are looking for
open web proxies, 5060 is looking for open voip systems and so on.

> 
> But the one thing I mean to ask about here is the very first item,
> 140,750 attempts at port 48825. What the heck is port 48825? I can't
> find any reference to anything that uses it online, but for some reason
> it is extremely popular, at least amongst the turkeys trying to break
> into my network!
> 
> reveals that of all the source addresses trying to poke at 48825,
> there are 193 unique addresses. Either this indicates a heck of a lot
> of sites having at my firewall, or that some few sites are all spoofing
> their addresses. I can sort of understand people whaling away at ports
> that may conceal gold, from their warped point of view, but I haven't a
> clue why so many people would be beating on some apparently unassigned
> and unused port.
> 
As you say 48825 is not a known port and too low to be a dynamic port. 
I suspect it's a command/control port for a botnet - they aren't
particularly renowned for their elegance and subtlety and so it might be
that your IP address (if it's a DSL line) in the past had been
compromised and was running a bot controller and all the bot workers on
hacked machines are trying to contact their controller to find out what
to do.  Certainly all the monitoring sites I've looked at see almost
zero traffic on that port (zero = less than 10 packets a day).

Just be thankful that you have a working firewall in place!

P.
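The per-port tally and unique-source count the original poster describes, as an added example that is not part of the thread: a Python script that reads netfilter LOG lines of the kind rsyslog writes from the kernel (the `SRC=`/`DPT=` field format), counts hits and distinct sources per destination port, and annotates the ports the thread names. The log lines and the `FW-DROP` prefix are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Field pattern of the netfilter LOG target as it appears in /var/log/messages.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# What the thread says these ports are usually probed for.
PORT_NOTES = {23: "telnet (old hosts)", 8080: "open web proxy", 5060: "open VoIP"}

# Constructed sample lines using documentation-range addresses (not real log data).
SAMPLE_LOG = """\
Aug  1 03:14:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44123 DPT=48825
Aug  1 03:14:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44124 DPT=48825
Aug  1 03:14:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=50001 DPT=48825
Aug  1 03:15:10 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=38822 DPT=23
Aug  1 03:16:44 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.78 DST=198.51.100.7 PROTO=TCP SPT=38900 DPT=8080
Aug  1 03:17:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.79 DST=198.51.100.7 PROTO=UDP SPT=5060 DPT=5060
Aug  1 03:18:00 gw sshd[123]: Accepted publickey for admin from 10.0.0.2 port 51000
"""

def parse_fw_lines(text):
    """Yield a dict of SRC/DST/PROTO/SPT/DPT for each line carrying netfilter fields."""
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "SRC" in fields and "DPT" in fields:   # skips non-firewall lines (e.g. sshd)
            yield fields

def summarize(text):
    """Return {port: (hits, unique_sources, note)} ordered by hit count, descending.

    A port with many hits but few unique sources points at a handful of
    persistent hosts; many unique sources points at a broad scan or a botnet.
    """
    hits = Counter()
    sources = defaultdict(set)
    for f in parse_fw_lines(text):
        port = int(f["DPT"])
        hits[port] += 1
        sources[port].add(f["SRC"])
    rows = {}
    for port, n in hits.most_common():
        # IANA dynamic/ephemeral range starts at 49152; anything below is
        # well-known or registered space, whether or not a service is assigned.
        default = "dynamic range" if port >= 49152 else "no known service"
        rows[port] = (n, len(sources[port]), PORT_NOTES.get(port, default))
    return rows

if __name__ == "__main__":
    for port, (n, uniq, note) in summarize(SAMPLE_LOG).items():
        print(f"DPT={port:<6} hits={n:<5} unique_src={uniq:<4} {note}")
```

Point it at the real file with `summarize(open("/var/log/messages").read())`; the unique-source column answers the "many sites or a few spoofing" question directly.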