Security Incidents
mailing list archives
What's up with 3014/tcp?
From: Brian Coyle <brian () linuxwidows com>
Date: Fri, 8 Nov 2002 01:20:39 -0500
What's with the sudden (for me anyway) explosion of activity on port 3014/tcp?
(Broker Service? what's that? Google wasn't much help)...
http://isc.incidents.org/port_details.html?port=3014 shows almost no
activity for the past month or so.
I've gone from nothing (or near nothing) on this port to the flurry of
activity shown in the report below. This is a residential DSL circuit.
My first packet was received on Nov 7 03:41:14 (ntp sync'd EST) from
24.51.45.230. I'm dropping inbound SYNs so unfortunately I don't have
any packet captures.
A quick spot check shows the IP addresses (if not spoofed) to be all over
the place (.edu's, dial-ups, DSL, cable). TTLs in the ipchains reject log
are around 110-120. I haven't had a chance to fingerprint the sources or
validate the TTLs yet.
Is this just me or does anyone else have correlating data? If it _is_
just me, at least it's something a little more interesting than the
P2P, SQL, SSH/SSL and proxy scans I've been logging for the past year or so... ;)
Brian Coyle, GCIA
---------- Forwarded Message ----------
To: brian
Subject: SECURITY -- Top Attackers Summary
Using /var/log/messages
Report from Nov 3 04:03:31 thru Nov 7 23:58:00
Attacker DST Port Port Count IP TOTAL
129.110.39.39 3014/tcp 1493 1493
62.90.241.54 3014/tcp 965 965
66.233.122.11 1214/tcp 848 848
207.172.137.31 3014/tcp 369 369
64.219.128.113 3014/tcp 366 366
24.168.10.201 3014/tcp 323 323
217.81.205.251 3014/tcp 285 285
198.29.3.42 3014/tcp 278 278
139.67.239.60 3014/tcp 240 240
200.77.60.241 1214/tcp 233 233
130.111.254.244 3014/tcp 216 216
63.110.36.63 3014/tcp 204 204
24.51.45.230 3014/tcp 201 201
217.88.231.73 3014/tcp 186 186
217.125.102.243 3014/tcp 180 180
213.173.219.190 3014/tcp 176 176
67.118.45.21 1214/tcp 171 171
217.229.149.134 3014/tcp 168 168
129.118.190.184 3014/tcp 164 164
211.121.24.125 3014/tcp 143 143
147.126.50.108 3014/tcp 138 138
141.233.45.207 3014/tcp 129 129
211.121.18.252 3014/tcp 120 120
137.141.245.224 3014/tcp 114 114
66.73.6.168 3014/tcp 102 102
62.211.222.240 3014/tcp 94 94
148.240.72.244 3014/tcp 84 84
66.26.121.188 3014/tcp 80 80
198.107.59.2 3014/tcp 75 75
12.229.190.138 3014/tcp 75 75
213.84.215.175 3014/tcp 69 69
217.235.74.92 3014/tcp 60 60
148.240.64.14 3014/tcp 57 57
192.117.97.116 3014/tcp 53 53
217.136.139.166 3014/tcp 49 49
64.45.232.196 3014/tcp 48 48
212.182.112.227 3014/tcp 37 37
204.32.18.6 3014/tcp 36 36
217.35.54.196 3014/tcp 32 32
212.0.157.120 3014/tcp 32 32
149.149.201.92 3014/tcp 30 30
172.183.26.221 3014/tcp 28 28
67.32.85.26 3014/tcp 27 27
141.225.78.83 3014/tcp 27 27
4.65.44.125 3014/tcp 24 24
172.146.57.56 1214/tcp 24 24
218.186.182.57 3014/tcp 22 22
217.226.31.238 3014/tcp 18 18
172.181.85.122 3014/tcp 18 18
163.6.106.70 3014/tcp 18 18
172.179.68.55 3014/tcp 17 17
217.136.75.54 3014/tcp 16 16
172.147.169.74 3014/tcp 15 15
80.136.121.204 3014/tcp 12 12
66.125.93.183 3014/tcp 12 12
172.168.250.35 3014/tcp 9 12
172.168.250.35 80/tcp 3 12
137.132.222.181 3014/tcp 12 12
64.91.166.114 3014/tcp 11 11
217.136.73.234 3014/tcp 11 11
172.186.93.158 3014/tcp 10 10
80.132.91.153 3014/tcp 9 9
172.176.76.130 3014/tcp 9 9
150.208.49.251 3014/tcp 9 9
24.67.234.200 3014/tcp 8 8
24.49.86.49 3014/tcp 8 8
217.125.117.62 3014/tcp 8 8
200.199.226.140 3014/tcp 8 8
67.112.21.26 3014/tcp 6 6
4.19.238.120 3014/tcp 6 6
203.216.50.148 3014/tcp 6 6
200.45.202.203 1214/tcp 6 6
144.96.16.93 3014/tcp 6 6
141.155.18.15 8080/tcp 1 6
141.155.18.15 8000/tcp 1 6
141.155.18.15 3128/tcp 1 6
141.155.18.15 1080/tcp 1 6
141.155.18.15 80/tcp 1 6
141.155.18.15 25/tcp 1 6
134.126.219.146 6346/tcp 6 6
80.192.225.228 3014/tcp 5 5
64.91.162.61 3014/tcp 4 4
63.101.133.1 3014/tcp 4 4
200.37.74.60 3014/tcp 4 4
81.98.113.242 1433/tcp 3 3
81.100.227.8 27374/tcp 3 3
67.112.163.90 1433/tcp 3 3
66.134.108.252 3014/tcp 3 3
65.82.175.176 3014/tcp 3 3
65.215.15.211 1433/tcp 3 3
62.168.26.2 1433/tcp 3 3
61.73.44.136 25/tcp 3 3
61.73.108.172 25/tcp 3 3
61.100.19.253 25/tcp 3 3
4.60.157.49 6346/tcp 3 3
38.221.19.33 1433/tcp 3 3
24.90.176.48 1433/tcp 3 3
24.162.43.86 445/tcp 3 3
218.145.173.242 1433/tcp 3 3
217.226.211.248 3014/tcp 3 3
217.136.81.249 3014/tcp 3 3
211.49.193.126 1433/tcp 3 3
211.49.174.221 25/tcp 3 3
211.237.116.40 1433/tcp 3 3
211.226.107.87 3014/tcp 3 3
211.141.65.15 1433/tcp 3 3
210.243.199.195 1433/tcp 3 3
210.222.9.61 1433/tcp 3 3
210.205.200.75 25/tcp 3 3
210.113.65.9 1433/tcp 3 3
203.140.201.146 80/tcp 3 3
172.181.212.128 3014/tcp 3 3
172.180.114.191 3014/tcp 3 3
172.175.121.20 3014/tcp 3 3
172.161.35.65 3014/tcp 3 3
172.146.209.231 3014/tcp 3 3
172.132.238.159 3014/tcp 3 3
151.36.176.190 1433/tcp 3 3
147.9.164.167 3014/tcp 3 3
142.176.143.4 1433/tcp 3 3
141.85.0.80 3014/tcp 3 3
139.57.218.107 3014/tcp 3 3
134.48.178.27 3014/tcp 3 3
[snipped]
-- 
If you're not living on the edge, you're taking up too much space...
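Added example, not part of Brian's post or of the report script he forwarded: a Python rebuild of the "Top Attackers Summary" columns (Port Count and IP TOTAL per attacker) from ipchains "Packet log:" lines, plus a per-source breakdown of the logged TTLs into an assumed initial TTL and hop count, which is the check the post says had not been done yet. The log lines and the 10.0.0.2 destination are constructed for the example; the line layout assumed is the Linux 2.2 ipchains kernel log format.

```python
import re
from collections import Counter

# ipchains (Linux 2.2) kernel record as it lands in /var/log/messages, e.g.
# "Packet log: input REJECT eth0 PROTO=6 1.2.3.4:1069 10.0.0.2:3014 L=48 S=0x00 I=1234 F=0x4000 T=115 SYN (#4)"
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample lines (not from the post); the 10.0.0.2 destination is made up.
SAMPLE_LOG = """\
Nov  7 03:41:14 gw kernel: Packet log: input REJECT eth0 PROTO=6 24.51.45.230:1069 10.0.0.2:3014 L=48 S=0x00 I=1234 F=0x4000 T=115 SYN (#4)
Nov  7 03:41:17 gw kernel: Packet log: input REJECT eth0 PROTO=6 24.51.45.230:1069 10.0.0.2:3014 L=48 S=0x00 I=1235 F=0x4000 T=115 SYN (#4)
Nov  7 03:42:01 gw kernel: Packet log: input REJECT eth0 PROTO=6 172.168.250.35:2201 10.0.0.2:3014 L=48 S=0x00 I=77 F=0x4000 T=112 SYN (#4)
Nov  7 03:42:02 gw kernel: Packet log: input REJECT eth0 PROTO=6 172.168.250.35:2202 10.0.0.2:80 L=48 S=0x00 I=78 F=0x4000 T=112 SYN (#4)
Nov  7 03:43:00 gw kernel: Packet log: input REJECT eth0 PROTO=6 66.233.122.11:3456 10.0.0.2:1214 L=48 S=0x00 I=9 F=0x4000 T=52 SYN (#4)
Nov  7 03:43:05 gw kernel: some unrelated kernel message
""".splitlines()

def parse(lines):
    """Yield (src, 'dport/proto', ttl) for each line that is an ipchains record."""
    for line in lines:
        m = IPCHAINS_RE.search(line)
        if m:
            proto = PROTO_NAMES.get(int(m["proto"]), m["proto"])
            yield m["src"], f"{m['dport']}/{proto}", int(m["ttl"])

def top_attackers(lines):
    """Rows of (Attacker, DST Port, Port Count, IP TOTAL), ordered like the
    forwarded report: IP TOTAL descending, then attacker address descending."""
    per_port, per_ip = Counter(), Counter()
    for src, port, _ in parse(lines):
        per_port[(src, port)] += 1
        per_ip[src] += 1
    rows = [(src, port, n, per_ip[src]) for (src, port), n in per_port.items()]
    rows.sort(key=lambda r: (r[3], r[0], r[2]), reverse=True)
    return rows

def ttl_profile(lines, port):
    """For each source hitting `port`, count (assumed initial TTL, hop count) pairs.
    Initial TTL is the smallest of 32/64/128/255 not below the seen value; logged
    TTLs of 110-120 therefore read as a 128 start minus 8-18 hops."""
    out = {}
    for src, p, ttl in parse(lines):
        if p == port:
            initial = next(i for i in (32, 64, 128, 255) if ttl <= i)
            out.setdefault(src, Counter())[(initial, initial - ttl)] += 1
    return out
```

`top_attackers(SAMPLE_LOG)` reproduces the two-row 172.168.250.35 case from the report (one row per port, both carrying the same IP TOTAL).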