List:       ipcop-user
Subject:    Re: [IPCop-user] Anyone else seeing a crapload of udp port 50096
From:       Tommy <big.negrow () gmail ! com>
Date:       2008-12-29 23:40:31
Message-ID: 586dc6e90812291540p5fc87fb3pe7ae667f29b202a9 () mail ! gmail ! com

1. Destination port
2. Nope.. nothing on my network has any services running on that port.

I haven't pissed anyone off lately that would be so determined...
especially considering according to my logs this has been going on
since mid-November and I've just now noticed it.

The random sourced IPs making these connections come from all over the
place... making me wonder if some sort of worm is out there banging
away at certain providers.

Since my posting, I have implemented a drop rule for the port and protocol.

As of 5:30pm Central:

Chain CUSTOMINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4931  660K DROP       udp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           udp dpt:50096



I'm usually not so paranoid about these things since the firewall does
its job... but to see this many attempts for this long from so many
addresses, one has to ask around if there's something I'm missing.

Thanks

Tommy


On Mon, Dec 29, 2008 at 5:30 PM, G.W. Haywood <ged@jubileegroup.co.uk> wrote:
> Hi there,
>
> On Mon, 29 Dec 2008 Tommy wrote:
>
>> Looked through my logs today to see a TON of systems attempting to
>> connect via udp port 50096.
>
> Is that source port 50096 or destination port 50096?
>
> Is anything listening on such high numbered ports?  I more often see
> attempts to send packets to destination ports like 1026 and 1027, from
> which I deduce that something is trying to use some well-known remote
> exploits to compromise the Windows machines that I don't have.
>
> Some real numbers might be more useful than just "a TON".  Is there
> any particular pattern to the IPs which attempt to connect?  Can you
> just drop them without logging and forget about it?  Better, why not
> collect some statistics over a reasonable period of time to see what's
> 'normal' for your traffic - and let us see the difference?
>
>> Basic google search turns up nothing from a security perspective,
>> but I'm wondering if there's a worm out there causing havoc for the
>> holidays.  Has anyone else seen such activity?
>
> There are some real numbers here:
>
> http://isc.sans.org/top10.html
>
> and you can check particular ports here:
>
> http://isc.sans.org/portreport.html
>
> which tells me that 50096 is near the bottom of the popularity charts.
>
> Do you think you might have upset someone? :)
>
> Basically, if you worry about it every time something tries to get past
> your firewall you'll spend the rest of your life worrying.  Don't do it.
>
> --
>
> 73,
> Ged.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> IPCop-user mailing list
> IPCop-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ipcop-user
>



-- 
"A free people ought not only to be armed and disciplined, but they
should have sufficient arms and ammunition to maintain a status of
independence from any who might attempt to abuse them, which would
include their own government."

~George Washington
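
The quoted reply asks for real numbers, any pattern in the source IPs, and a baseline of what is normal over time. The following is an added example, not part of either message, of one way to get those figures from firewall logs. It assumes the standard netfilter LOG key=value line format; the function name `summarize` is hypothetical and the sample lines are constructed (documentation address ranges).

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread), netfilter LOG style.
SAMPLE_LOG = """\
Dec 28 23:58:01 fw kernel: IN=eth2 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=131 TTL=112 PROTO=UDP SPT=40211 DPT=50096 LEN=111
Dec 28 23:59:40 fw kernel: IN=eth2 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=131 TTL=50 PROTO=UDP SPT=6881 DPT=50096 LEN=111
Dec 29 00:03:12 fw kernel: IN=eth2 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=131 TTL=112 PROTO=UDP SPT=40211 DPT=50096 LEN=111
Dec 29 00:04:55 fw kernel: IN=eth2 OUT= SRC=198.51.100.44 DST=192.0.2.10 LEN=95 TTL=47 PROTO=UDP SPT=12001 DPT=50096 LEN=75
Dec 29 00:05:02 fw kernel: IN=eth2 OUT= SRC=203.0.113.200 DST=192.0.2.10 LEN=80 TTL=44 PROTO=UDP SPT=33000 DPT=1026 LEN=60
Dec 29 00:06:30 fw kernel: IN=eth2 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=51000 DPT=50096 SYN
Dec 29 00:10:00 fw sshd[123]: Accepted publickey for admin from 192.0.2.5
"""

# Syslog day, then the IN=, SRC=, PROTO= and DPT= fields in the order LOG emits them.
LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+)\s+\d\d:\d\d:\d\d\s"
    r".*?\bIN=(?P<iface>\S*)\s.*?\bSRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s"
    r".*?\bPROTO=(?P<proto>\S+)\s.*?\bDPT=(?P<dpt>\d+)"
)

def summarize(log_text, proto="UDP", dport=50096, iface="eth2"):
    """Return ({day: (packets, distinct_sources)}, Counter of packets per /16)."""
    per_day = defaultdict(lambda: {"packets": 0, "sources": set()})
    per_prefix = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall line, or a protocol without a DPT field
        if (m["proto"], int(m["dpt"]), m["iface"]) != (proto, dport, iface):
            continue  # different protocol, port or interface
        day = " ".join(m["day"].split())  # normalise "Dec  1" to "Dec 1"
        per_day[day]["packets"] += 1
        per_day[day]["sources"].add(m["src"])
        # Grouping by /16 is a crude stand-in for "same provider or region".
        per_prefix[".".join(m["src"].split(".")[:2]) + ".0.0/16"] += 1
    daily = {d: (v["packets"], len(v["sources"])) for d, v in per_day.items()}
    return daily, per_prefix

if __name__ == "__main__":
    daily, per_prefix = summarize(SAMPLE_LOG)
    for day, (packets, sources) in daily.items():
        print(f"{day}: {packets} packets from {sources} distinct sources")
    for prefix, packets in per_prefix.most_common(5):
        print(f"{prefix}: {packets} packets")
```

A steady daily count from an ever-changing set of sources spread across many prefixes reads differently from a burst out of one or two networks, which is the distinction the reply is asking about.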
