This one has me kinda stumped. Port 1026 scans are nothing new, but this dude/dudette really has a passion for it. Here's a trimmed (to fit) portion of Tiny's log from around 9 last night (GMT -5) until 10:30 this morning. The rules are either named for IP ranges or ports I want to watch... I have no life.


20:57:19] Rule '210_213Block': Blocked: In UDP, 210.5.22.11:31334->localhost:1026
21:00:27] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
21:02:49] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
21:05:04] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
21:06:51] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
22:22:31] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
22:24:47] Rule '218_222Block': Blocked: In TCP, 218.98.72.126:4233->localhost:80
22:24:50] Rule '218_222Block': Blocked: In TCP, 218.98.72.126:4233->localhost:80
22:24:56] Rule '218_222Block': Blocked: In TCP, 218.98.72.126:4233->localhost:80
22:25:23] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
22:27:59] Rule '210_213Block': Blocked: In UDP, 210.5.22.10:29336->localhost:1026
22:30:21] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
22:32:09] Rule '210_213Block': Blocked: In UDP, 210.5.22.11:31334->localhost:1026
22:34:14] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
22:54:14] Rule '17300': Permitted: In TCP, 172.150.165.186:4951->localhost:17300
23:23:28] Rule '17300': Permitted: In TCP, 68.116.204.164:1167->localhost:17300
23:31:51] Rule 'UUnet1 Not US': Blocked: In TCP, 61.85.191.46:4880->localhost:17300
23:45:53] Rule '17300': Permitted: In TCP, 172.174.57.247:3222->localhost:17300
23:45:55] Rule '17300': Permitted: In TCP, 172.174.57.247:3222->localhost:17300
00:26:40] Rule '17300': Permitted: In TCP, 172.175.26.23:3140->localhost:17300
01:22:18] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
01:25:08] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
01:27:44] Rule '210_213Block': Blocked: In UDP, 210.5.22.19:31115->localhost:1026
01:30:07] Rule '210_213Block': Blocked: In UDP, 210.5.22.20:28986->localhost:1026
01:31:56] Rule '210_213Block': Blocked: In UDP, 210.5.22.10:29336->localhost:1026
01:34:01] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
01:38:07] Rule '17300': Permitted: In TCP, 172.200.219.4:4596->localhost:17300
01:38:08] Rule '17300': Permitted: In TCP, 172.200.219.4:4596->localhost:17300
01:41:36] Rule '218_222Block': Blocked: In TCP, 219.9.2.31:3806->localhost:17300
01:59:40] Rule '17300': Blocked: In TCP, 68.59.116.167:1547->localhost:17300
03:19:18] Rule '200_203Block': Blocked: In TCP, 200.176.78.106:3839->localhost:80
03:19:21] Rule '200_203Block': Blocked: In TCP, 200.176.78.106:3839->localhost:80
03:19:28] Rule '200_203Block': Blocked: In TCP, 200.176.78.106:3839->localhost:80
03:30:38] Rule '17300': Blocked: In TCP, 66.138.229.189:1221->localhost:17300
04:11:04] Rule '210_213Block': Blocked: In TCP, 211.49.112.12:3182->localhost:17300
04:22:04] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
04:24:56] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
04:27:33] Rule '210_213Block': Blocked: In UDP, 210.5.22.19:31115->localhost:1026
04:29:55] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
04:31:45] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
04:33:49] Rule '210_213Block': Blocked: In UDP, 210.5.22.20:28986->localhost:1026
04:47:38] Rule 'UUnet2 Not US': Blocked: In UDP, 62.147.243.224:28432->localhost:28431
05:02:24] Rule 'UUnet1 Not US': Blocked: In TCP, 61.174.144.173:40492->localhost:80
05:02:28] Rule 'UUnet1 Not US': Blocked: In TCP, 61.174.144.173:40492->localhost:80
05:58:14] Rule '17300': Blocked: In TCP, 66.136.147.176:1225->localhost:17300
06:44:11] Rule '17300': Blocked: In TCP, 68.37.86.102:3939->localhost:17300
06:44:14] Rule '17300': Blocked: In TCP, 68.37.86.102:3939]->localhost:17300
07:10:07] Rule 'UUnet1 Not US': Blocked: In TCP, 61.153.227.211:8569->localhost:80
07:10:10] Rule 'UUnet1 Not US': Blocked: In TCP, 61.153.227.211:8569->localhost:80
07:10:16] Rule 'UUnet1 Not US': Blocked: In TCP, 61.153.227.211:8569->localhost:80
07:21:57] Rule '210_213Block': Blocked: In UDP, 210.5.22.20:28986->localhost:1026
07:24:49] Rule '210_213Block': Blocked: In UDP, 210.5.22.22:31354->localhost:1026
07:27:25] Rule '210_213Block': Blocked: In UDP, 210.5.22.11:31334->localhost:1026
07:29:47] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
07:31:38] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
07:33:42] Rule '210_213Block': Blocked: In UDP, 210.5.22.22:31354->localhost:1026
09:56:38] Rule '17300': Blocked: In TCP, 69.14.109.97:2265->localhost:17300
10:21:41] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
10:24:34] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
10:27:10] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
10:29:32] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
10:31:22] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
10:33:26] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026



Notice 210.5.22.(plus one of these: 10, 11, 17, 18, 19, 20, 21, 22, 23)

probes in groups of 5 or 6:

Start Used
20:57 (11, 23, 21, 18, 21, 17)
22:25 (21, 10, 23, 11, 17) <--only 5
01:22 (17, 18, 19, 20, 10, 18)
04:22 (22, 23, 19, 23, 21, 20)
07:21 (20, 22, 11, 18, 23, 22)
10:21 (18, 21, 21, 17, 21, 18)

Not one appears in all scans.

As I'm typing this, a blocked 'time exceeded' (IGMP [11]) came in from 210.5.22.234.

What's going on? Any guesses?
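The burst grouping tabulated in the post can be reproduced mechanically from the log. The following is an added example, not part of the original post: it parses the log format shown above, handles the clock rolling over midnight, and clusters UDP/1026 probes from 210.5.22.x into bursts. The 15-minute silence threshold and all function names are assumptions; the sample is an excerpt of lines quoted in the post.

```python
import re

# Excerpt of the log lines quoted in the post (Tiny Personal Firewall format).
SAMPLE = """\
20:57:19] Rule '210_213Block': Blocked: In UDP, 210.5.22.11:31334->localhost:1026
21:00:27] Rule '210_213Block': Blocked: In UDP, 210.5.22.23:29119->localhost:1026
22:24:47] Rule '218_222Block': Blocked: In TCP, 218.98.72.126:4233->localhost:80
22:25:23] Rule '210_213Block': Blocked: In UDP, 210.5.22.21:32007->localhost:1026
22:27:59] Rule '210_213Block': Blocked: In UDP, 210.5.22.10:29336->localhost:1026
00:26:40] Rule '17300': Permitted: In TCP, 172.175.26.23:3140->localhost:17300
01:22:18] Rule '210_213Block': Blocked: In UDP, 210.5.22.17:30109->localhost:1026
01:25:08] Rule '210_213Block': Blocked: In UDP, 210.5.22.18:30657->localhost:1026
"""

LINE = re.compile(r"(\d\d):(\d\d):(\d\d)\] Rule '[^']*': \w+: In (\w+), "
                  r"(\d+\.\d+\.\d+\.\d+):\d+\]?->localhost:(\d+)")

def parse(text):
    """Yield (seconds, proto, src_ip, dst_port); a clock running backwards means a new day."""
    day, prev = 0, None
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        h, mi, s, proto, src, dport = m.groups()
        tod = int(h) * 3600 + int(mi) * 60 + int(s)
        if prev is not None and tod < prev:
            day += 1  # log carries no date, so detect the midnight rollover
        prev = tod
        yield day * 86400 + tod, proto, src, int(dport)

def bursts(text, prefix="210.5.22.", proto="UDP", dport=1026, gap=900):
    """Cluster probes from one prefix to one port; silence longer than `gap` s starts a new burst."""
    groups, last = [], None
    for t, p, src, dp in parse(text):
        if (p, dp) != (proto, dport) or not src.startswith(prefix):
            continue
        if last is None or t - last > gap:
            groups.append((t, []))
        groups[-1][1].append(int(src.rsplit(".", 1)[1]))  # keep the last octet only
        last = t
    return groups

def summarize(groups):
    """Return (HH:MM start, last octets used, minutes since the previous burst started)."""
    rows, prev = [], None
    for start, hosts in groups:
        tod = start % 86400
        since = None if prev is None else (start - prev) // 60
        rows.append((f"{tod // 3600:02d}:{tod % 3600 // 60:02d}", hosts, since))
        prev = start
    return rows
```

Running `summarize(bursts(...))` over the full log gives the interval between burst starts, which makes any fixed cadence in the probing easy to see.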