  1. #1
    Linux Engineer Freston
    Join Date
    Mar 2007
    Location
    The Netherlands
    Posts
    1,049

    Strange things one finds in logs


    Often I ignore the strange things in my logs, as I've found it is just part of the background noise of the internet. I'm quite used to getting multiple attempts per day on ports 22, 23 and 445, or ${RANDOM}. But sometimes something stands out.

    Just now I was looking at today's traffic when I noticed something peculiar. There are eight unique IPs (all originating from the former Soviet Union; Russia, Ukraine, etc.) all targeting port 41810 in tandem. By that I mean they all started at about the same time and they all keep coming. One more than the other, but still.


    Now, I've had it happen before that my IP changed and that this led to a peak in attempts. Probably someone's DNS pointing to my new IP or something. But that is not the case now.

    Also, I'm not worried. I have nothing running on that port. And my blacklister works as it's supposed to.



    But I am curious; I cannot understand what's going on here. What is happening here? Why do all these eastern European IP addresses all of a sudden decide to target some unused port? And what does it mean that it's seemingly coordinated? Why would this be happening? Is there a benign explanation?



    It all started less than an hour ago, and it's still going on as I type this:
    Code:
    freston@machine# lookatlog --contact --hostile --port-info --target-port=41810 \
    --nocolor --anonymize --blacklist-check
    
    92.113.xxx.xxx	visits 70 times
      times	port
         70 41810
    First contact:	Jun 12 13:47:35
     Last contact:	Jun 12 14:48:23
    Blacklisted at	Jun 12
    -------------------------------
    77.247.xxx.xxx	visits 33 times
      times	port
         33 41810
    First contact:	Jun 12 13:44:54
     Last contact:	Jun 12 14:22:55
    Blacklisted at	Jun 12
    -------------------------------
    188.123.xxx.xxx	visits 21 times
      times	port
         21 41810
    First contact:	Jun 12 13:52:12
     Last contact:	Jun 12 14:30:34
    Excluded based on country range
    -------------------------------
    95.59.xxx.xxx	visits 15 times
      times	port
         15 41810
    First contact:	Jun 12 14:02:31
     Last contact:	Jun 12 14:38:00
    Blacklisted at	Jun 12
    -------------------------------
    92.127.xxx.xxx	visits 15 times
      times	port
         15 41810
    First contact:	Jun 12 14:00:14
     Last contact:	Jun 12 14:23:20
    Blacklisted at	Jun 12
    -------------------------------
    95.24.xxx.xxx	visits 11 times
      times	port
         11 41810
    First contact:	Jun 12 14:18:31
     Last contact:	Jun 12 14:28:15
    Blacklisted at	Jun 12
    -------------------------------
    92.62.xxx.xxx	visits 9 times
      times	port
          9 41810
    First contact:	Jun 12 13:48:48
     Last contact:	Jun 12 13:52:09
    Blacklisted at	Jun 12
    -------------------------------
    62.63.xxx.xxx	visits 4 times
      times	port
          4 41810
    First contact:	Jun 12 13:48:47
     Last contact:	Jun 12 13:48:58
    Unmarked
    -------------------------------
    Again, I'm not worried. And it's not so much this example that I want resolved. It's just that I'm looking for some explanation in general terms and I can't come up with one. Googling the port number came up with nothing.


    And in case you are wondering... no, I'm not bored on this beautiful Saturday. I'm cleaning my house and just got a little distracted.
    Can't tell an OS by its GUI
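The pattern described above (several unrelated sources all making first contact with one unused port within minutes of each other) can be picked out of exactly this kind of output automatically. This is an added example, not code from the thread or from the lookatlog tool; it assumes the block layout shown in the post, a constructed sample using RFC 5737 test addresses, a fixed year (the output carries none; only time differences matter), and a set of ports the host actually listens on.

```python
import re
from datetime import datetime
# Constructed sample in the lookatlog layout above (RFC 5737 test addresses, not real sources).
SAMPLE = """\
192.0.2.10\tvisits 70 times
  times\tport
     70 41810
First contact:\tJun 12 13:47:35
 Last contact:\tJun 12 14:48:23
Blacklisted at\tJun 12
-------------------------------
198.51.100.7\tvisits 21 times
  times\tport
     21 41810
First contact:\tJun 12 13:52:12
 Last contact:\tJun 12 14:30:34
Excluded based on country range
-------------------------------
203.0.113.5\tvisits 4 times
  times\tport
      4 41810
First contact:\tJun 12 13:48:47
 Last contact:\tJun 12 13:48:58
Unmarked
-------------------------------
"""

def parse(text, year=2010):  # assumed year: the output has none, only differences matter
    """One dict per source block: ip, port, first contact, whether the blacklister blocked it."""
    recs = []
    for block in re.split(r"-{5,}", text):
        lines = [l.strip() for l in block.strip().splitlines()]
        if len(lines) < 6:  # empty chunk after the final separator
            continue
        first = datetime.strptime(f"{year} {lines[3].split(':', 1)[1].strip()}", "%Y %b %d %H:%M:%S")
        recs.append({"ip": lines[0].split()[0], "port": int(lines[2].split()[1]),
                     "first": first, "blocked": lines[5].startswith("Blacklisted")})
    return recs

def coordinated_ports(recs, listening, min_sources=3, window_min=60):
    """Ports not in `listening` first hit by >= min_sources distinct IPs within window_min minutes."""
    findings = {}
    for port in {r["port"] for r in recs}:
        rs = [r for r in recs if r["port"] == port]
        ips = {r["ip"] for r in rs}
        spread = (max(r["first"] for r in rs) - min(r["first"] for r in rs)).total_seconds() / 60
        if port not in listening and len(ips) >= min_sources and spread <= window_min:
            findings[port] = {"sources": len(ips), "spread_min": round(spread, 1),
                              "unblocked": sorted(r["ip"] for r in rs if not r["blocked"])}
    return findings
```

The `unblocked` list is the actionable part: sources the country-range exclusion or blacklister let through on a port nothing should be reaching.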

  2. #2
    Linux Guru Rubberman
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,662
    The only thing I could find is that some games such as "Brothers in Arms" use ports in this range. Maybe some blackhat is looking for exploitable holes on systems running these games? Just a really big SWAG...
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3
    Linux Engineer Freston
    Join Date
    Mar 2007
    Location
    The Netherlands
    Posts
    1,049
    Yeah, that would make sense. I've not seen 'em back either. Just a couple of guys thinking my IP was a gaming server. OK, thanks for your reply.
    Can't tell an OS by its GUI
