[CentOS] [OT] odd network question

Sat Aug 3 15:36:42 UTC 2019
Kay Schenk <kay.schenk at gmail.com>

Can't help with the mystery port 48825. But I find your approach truly 
creative!

-- Kay


On 8/1/19 8:53 PM, Fred Smith wrote:
> I know this is OT, but I'm not sure where else to ask. I can hope for forgiveness! :)
>
> My home router sends its logs to the rsyslog on my desktop system, and
> from there I can learn all kinds of interesting (or disturbing) things.
> I've written a really horrid shellscript (about 20 things piped together
> with a temp file in the middle) to give me the count of DROP events for
> specific incoming ports. (The "Description" field is lifted verbatim from
> /etc/services.)
>
> Count   Port    Description
> -----   ----    -----------
> 140750  48825
> 12251   23      telnet          23/tcp
> 10043   445     microsoft-ds    445/tcp
> 2869    1       tcpmux          1/tcp                           # TCP port service multiplexer
> 2478    9       discard         9/tcp           sink null
> 2154    8080    webcache        8080/tcp        http-alt        # WWW caching service
> 1990    5060    sip             5060/tcp                # SIP
> 1592    8089
> 1452    8545
> 1358    3389    ms-wbt-server   3389/tcp                # MS WBT Server
> 1275    443     https           443/tcp                         # http protocol over TLS/SSL
> 1275    81
> 1258    5000    commplex-main   5000/tcp                #
> 1244    80      http            80/tcp          www www-http    # WorldWideWeb HTTP
> 1022    8291
> 840     60001
> 834     7547    cwmp            7547/tcp                # DSL Forum CWMP
> 821     1433    ms-sql-s        1433/tcp                        # Microsoft-SQL-Server
> 809     2323    3d-nfsd         2323/tcp                # 3d-nfsd
> 764     5555    personal-agent  5555/tcp                # Personal Agent
>
> This is just the first screen of it, there are many more. The data
> compiled here is for the last month (rsyslog is keeping the current
> log plus four older logs). I find it disturbing that there were 12251
> attempts at telnet during that time, 2154 on 8080, and so forth. Either
> I'm some kind of special/hot target, or else everybody gets this kind
> of crap and may not even know it.
>
> But the one thing I mean to ask about here is the very first item,
> 140,750 attempts at port 48825. What the heck is port 48825? I can't
> find any reference to anything that uses it online, but for some reason
> it is extremely popular, at least amongst the turkeys trying to break
> into my network!
>
> A little more grepping:
>
> grep 'DPT=48825' Firewall-Log* | grep -o "SRC=[09123456789.]*" | sort -u -t '.' -k "1.5g,1g" | less
>
> reveals that of all the source addresses trying to poke at 48825,
> there are 193 unique addresses. Either this indicates a heck of a lot
> of sites having at my firewall, or that some few sites are all spoofing
> their addresses. I can sort of understand people whaling away at ports
> that may conceal gold, from their warped point of view, but I haven't a
> clue why so many people would be beating on some apparently unassigned
> and unused port.
>
> Anyone got any clues?
>
> Thanks in advance!
>
> Fred
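The two questions in the quoted post (how many DROP events per destination port, and how many distinct sources hit one port) can be answered from the same log with a short parser instead of a long pipeline. The following is an added example, not Fred's script or anything from the CentOS list; it assumes netfilter/iptables-style `kernel: DROP ... SRC=... DPT=...` lines, which is a guess at the router's format based only on the `DPT=` and `SRC=` fields grepped above, and the sample lines are constructed (RFC 5737 documentation addresses, not real sources). Service descriptions come from the host's own `/etc/services` via `socket.getservbyport`, so unassigned ports such as 48825 come back blank exactly as in the poster's table.

```python
import re
import socket
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in netfilter LOG style (hypothetical router format;
# only the SRC= and DPT= field names are taken from the thread). The ACCEPT
# line is there to show that non-DROP events are ignored.
SAMPLE_LOG = """\
Aug  1 20:01:11 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40001 DPT=48825 SYN
Aug  1 20:01:12 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40002 DPT=48825 SYN
Aug  1 20:01:13 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40003 DPT=48825 SYN
Aug  1 20:01:14 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40004 DPT=23 SYN
Aug  1 20:01:15 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40005 DPT=23 SYN
Aug  1 20:01:16 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=40006 DPT=5060 LEN=28
Aug  1 20:01:17 router kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40007 DPT=22 SYN
"""

# KEY=value fields we care about; \S+ stops at the next space.
FIELD_RE = re.compile(r"\b(SRC|DPT|PROTO)=(\S+)")


def parse_drop(line):
    """Return {'src', 'dpt', 'proto'} for a DROP line, or None for anything else."""
    if " DROP " not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return {
        "src": fields["SRC"],
        "dpt": int(fields["DPT"]),
        "proto": fields.get("PROTO", "TCP").lower(),
    }


def count_drops_by_port(lines):
    """Counter keyed by (destination port, protocol) -> number of DROP events."""
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec:
            counts[(rec["dpt"], rec["proto"])] += 1
    return counts


def unique_sources_for_port(lines, port):
    """Distinct source IPs that hit `port`, sorted numerically (not as strings)."""
    srcs = {rec["src"] for rec in map(parse_drop, lines) if rec and rec["dpt"] == port}
    return sorted(srcs, key=ip_address)


def service_name(port, proto):
    """Description from the host's /etc/services, or '' for an unassigned port."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return ""


def report(lines):
    """Rows of (count, port, proto, description), busiest port first."""
    return [
        (n, port, proto, service_name(port, proto))
        for (port, proto), n in count_drops_by_port(lines).most_common()
    ]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(f"{'Count':>6}  {'Port':>5}  Proto  Description")
    for n, port, proto, desc in report(lines):
        print(f"{n:>6}  {port:>5}  {proto:<5}  {desc}")
    srcs = unique_sources_for_port(lines, 48825)
    print(f"\n{len(srcs)} unique sources hit port 48825: {', '.join(srcs)}")
```

Run it against the real files with something like `report(fileinput.input(glob.glob("Firewall-Log*")))`. Sorting sources with `ipaddress.ip_address` as the key avoids the `sort -t '.' -k` contortions, and keeping the protocol alongside the port matters because `/etc/services` can name the same number differently for TCP and UDP. As the post itself notes, a count of distinct `SRC=` values only bounds the number of senders from below; it cannot by itself tell a widely distributed scan from a few hosts spoofing their addresses.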