- 06-12-2010 #1
Strange things one finds in logs
Often I ignore the strange things in my logs, as I've found it is just part of the background noise of the internet. I'm quite used to getting multiple attempts per day on port 22, 23 and 445 or ${RANDOM}. But sometimes something stands out.
Just now I was looking at the traffic today, when I noticed something peculiar. There are eight unique IPs (all originating from the former Soviet Union; Russia, Ukraine, etc.) all targeting port 41810 in tandem. I mean by that, they all started about the same time and they all keep coming. One more than the other, but still.
Now I've had it before that my IP changed, and that led to a peak in attempts. Probably someone's DNS pointing to my new IP or something. But that is not the case now.
Also, I'm not worried. I have nothing running on that port. And my blacklister works as it's supposed to.
But I am curious, I cannot understand what's going on here. What is happening here? Why do all these Eastern European IP addresses all of a sudden decide to target some unused port? And what does it mean that it's seemingly coordinated? Why would this be happening? Is there a benign explanation?
It all started less than an hour ago, and it's still going on as I type this:
Again, I'm not worried. And it's not so much this example that I want resolved. It's just, I'm looking for some explanation in general terms and I can't come up with one. Googling the port number came up with nothing.
Code:
freston@machine# lookatlog --contact --hostile --port-info --target-port=41810 \
    --nocolor --anonymize --blacklist-check
92.113.xxx.xxx visits 70 times port 41810
    First contact: Jun 12 13:47:35
    Last contact: Jun 12 14:48:23
    Blacklisted at Jun 12
-------------------------------
77.247.xxx.xxx visits 33 times port 41810
    First contact: Jun 12 13:44:54
    Last contact: Jun 12 14:22:55
    Blacklisted at Jun 12
-------------------------------
188.123.xxx.xxx visits 21 times port 41810
    First contact: Jun 12 13:52:12
    Last contact: Jun 12 14:30:34
    Excluded based on country range
-------------------------------
95.59.xxx.xxx visits 15 times port 41810
    First contact: Jun 12 14:02:31
    Last contact: Jun 12 14:38:00
    Blacklisted at Jun 12
-------------------------------
92.127.xxx.xxx visits 15 times port 41810
    First contact: Jun 12 14:00:14
    Last contact: Jun 12 14:23:20
    Blacklisted at Jun 12
-------------------------------
95.24.xxx.xxx visits 11 times port 41810
    First contact: Jun 12 14:18:31
    Last contact: Jun 12 14:28:15
    Blacklisted at Jun 12
-------------------------------
92.62.xxx.xxx visits 9 times port 41810
    First contact: Jun 12 13:48:48
    Last contact: Jun 12 13:52:09
    Blacklisted at Jun 12
-------------------------------
62.63.xxx.xxx visits 4 times port 41810
    First contact: Jun 12 13:48:47
    Last contact: Jun 12 13:48:58
    Unmarked
-------------------------------
And in case you are wondering... no, I'm not bored on this beautiful Saturday, I'm cleaning my house and just got a little distracted.
Can't tell an OS by its GUI
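A small detector for the pattern the post describes (several distinct sources all making first contact on one otherwise unused port within minutes of each other), written here as an added example and not part of the original post or the poster's lookatlog tool. The netfilter-style syslog format, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a netfilter-style syslog format (an assumption; adapt
# LINE_RE to your own firewall log). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 12 13:44:54 gw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=192.0.2.1 PROTO=TCP DPT=41810
Jun 12 13:47:35 gw kernel: DROP IN=eth0 SRC=203.0.113.20 DST=192.0.2.1 PROTO=TCP DPT=41810
Jun 12 13:48:47 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=41810
Jun 12 13:52:12 gw kernel: DROP IN=eth0 SRC=198.51.100.8 DST=192.0.2.1 PROTO=TCP DPT=41810
Jun 12 14:00:14 gw kernel: DROP IN=eth0 SRC=203.0.113.30 DST=192.0.2.1 PROTO=TCP DPT=41810
Jun 12 14:48:23 gw kernel: DROP IN=eth0 SRC=203.0.113.20 DST=192.0.2.1 PROTO=TCP DPT=41810
Jun 12 09:10:00 gw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP DPT=22
Jun 12 11:30:00 gw kernel: DROP IN=eth0 SRC=203.0.113.40 DST=192.0.2.1 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+)")

def parse(log, year=2010):
    """Yield (timestamp, source, dport) for every line matching LINE_RE."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3))

def coordinated_ports(log, min_sources=4, window=timedelta(minutes=15)):
    """Return {port: [sources in first-contact order]} for every port where
    at least min_sources distinct sources made their first contact inside one
    sliding window of `window`; repeat hits from one source do not count."""
    first_seen = defaultdict(dict)            # port -> {source: first timestamp}
    for ts, src, port in parse(log):
        if src not in first_seen[port] or ts < first_seen[port][src]:
            first_seen[port][src] = ts
    flagged = {}
    for port, srcs in first_seen.items():
        times = sorted(srcs.values())
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:  # shrink window from the left
                lo += 1
            if hi - lo + 1 >= min_sources:
                flagged[port] = sorted(srcs, key=srcs.get)
                break
    return flagged

if __name__ == "__main__":
    for port, sources in coordinated_ports(SAMPLE_LOG).items():
        print(f"port {port}: {len(sources)} sources in tandem: {', '.join(sources)}")
```

Because only each source's first contact counts, the routine separates a burst of new scanners on one port from a single persistent source hammering it, which is the distinction the post is drawing.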
- 06-12-2010 #2
Linux Guru
The only thing I could find is that some games such as "Brothers in Arms" use ports in this range. Maybe some blackhat is looking for exploitable holes on systems running these games? Just a really big SWAG...
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 06-15-2010 #3
Yeah, that would make sense. I've not seen 'em back either. Just a couple of guys thinking my IP was a gaming server. OK, thanks for your reply.
Can't tell an OS by its GUI