What's up with 3014/tcp?

From: Brian Coyle <brian(at)linuxwidows.com>
Date: Fri Nov 08 2002 - 01:20:39 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What's with the sudden (for me anyway) explosion of activity on port 3014/tcp? (Broker Service? what's that? Google wasn't much help)...

http://isc.incidents.org/port_details.html?port=3014 shows almost no activity for the past month or so.

I've gone from nothing (or near nothing) on this port to the flurry of activity shown in the report below. This is a residential DSL circuit.

My first packet was received on Nov 7 03:41:14 (ntp sync'd EST) from 24.51.45.230. I'm dropping inbound SYNs so unfortunately I don't have any packet captures.

A quick spot check shows the IP addresses (if not spoofed) to be all over the place (.edu's, dial-ups, DSL, cable). TTLs in the ipchains reject log are around 110-120. I haven't had a chance to fingerprint the sources or validate the TTLs yet.

Is this just me or does anyone else have correlating data? If it _is_ just me, at least it's something a little more interesting than the P2P, sql, ssh/ssl and proxy scans I've been logging for the past year or so... ;)

                                Brian Coyle, GCIA

---------- Forwarded Message ----------
To: brian
Subject: SECURITY -- Top Attackers Summary

Using /var/log/messages
Report from Nov 3 04:03:31 thru Nov 7 23:58:00

Attacker           DST Port     Port Count  IP TOTAL
129.110.39.39      3014/tcp        1493       1493
62.90.241.54       3014/tcp         965        965
66.233.122.11      1214/tcp         848        848
207.172.137.31     3014/tcp         369        369
64.219.128.113     3014/tcp         366        366
24.168.10.201      3014/tcp         323        323
217.81.205.251     3014/tcp         285        285
198.29.3.42        3014/tcp         278        278
139.67.239.60      3014/tcp         240        240
200.77.60.241      1214/tcp         233        233
130.111.254.244    3014/tcp         216        216
63.110.36.63       3014/tcp         204        204
24.51.45.230       3014/tcp         201        201
217.88.231.73      3014/tcp         186        186
217.125.102.243    3014/tcp         180        180
213.173.219.190    3014/tcp         176        176
67.118.45.21       1214/tcp         171        171
217.229.149.134    3014/tcp         168        168
129.118.190.184    3014/tcp         164        164
211.121.24.125     3014/tcp         143        143
147.126.50.108     3014/tcp         138        138
141.233.45.207     3014/tcp         129        129
211.121.18.252     3014/tcp         120        120
137.141.245.224    3014/tcp         114        114
66.73.6.168        3014/tcp         102        102
62.211.222.240     3014/tcp          94         94
148.240.72.244     3014/tcp          84         84
66.26.121.188      3014/tcp          80         80
198.107.59.2       3014/tcp          75         75
12.229.190.138     3014/tcp          75         75
213.84.215.175     3014/tcp          69         69
217.235.74.92      3014/tcp          60         60
148.240.64.14      3014/tcp          57         57
192.117.97.116     3014/tcp          53         53
217.136.139.166    3014/tcp          49         49
64.45.232.196      3014/tcp          48         48
212.182.112.227    3014/tcp          37         37
204.32.18.6        3014/tcp          36         36
217.35.54.196      3014/tcp          32         32
212.0.157.120      3014/tcp          32         32
149.149.201.92     3014/tcp          30         30
172.183.26.221     3014/tcp          28         28
67.32.85.26        3014/tcp          27         27
141.225.78.83      3014/tcp          27         27
4.65.44.125        3014/tcp          24         24
172.146.57.56      1214/tcp          24         24
218.186.182.57     3014/tcp          22         22
217.226.31.238     3014/tcp          18         18
172.181.85.122     3014/tcp          18         18
163.6.106.70       3014/tcp          18         18
172.179.68.55      3014/tcp          17         17
217.136.75.54      3014/tcp          16         16
172.147.169.74     3014/tcp          15         15
80.136.121.204     3014/tcp          12         12
66.125.93.183      3014/tcp          12         12
172.168.250.35     3014/tcp           9         12
172.168.250.35     80/tcp             3         12
137.132.222.181    3014/tcp          12         12
64.91.166.114      3014/tcp          11         11
217.136.73.234     3014/tcp          11         11
172.186.93.158     3014/tcp          10         10
80.132.91.153      3014/tcp           9          9
172.176.76.130     3014/tcp           9          9
150.208.49.251     3014/tcp           9          9
24.67.234.200      3014/tcp           8          8
24.49.86.49        3014/tcp           8          8
217.125.117.62     3014/tcp           8          8
200.199.226.140    3014/tcp           8          8
67.112.21.26       3014/tcp           6          6
4.19.238.120       3014/tcp           6          6
203.216.50.148     3014/tcp           6          6
200.45.202.203     1214/tcp           6          6
144.96.16.93       3014/tcp           6          6
141.155.18.15      8080/tcp           1          6
141.155.18.15      8000/tcp           1          6
141.155.18.15      3128/tcp           1          6
141.155.18.15      1080/tcp           1          6
141.155.18.15      80/tcp             1          6
141.155.18.15      25/tcp             1          6
134.126.219.146    6346/tcp           6          6
80.192.225.228     3014/tcp           5          5
64.91.162.61       3014/tcp           4          4
63.101.133.1       3014/tcp           4          4
200.37.74.60       3014/tcp           4          4
81.98.113.242      1433/tcp           3          3
81.100.227.8       27374/tcp          3          3
67.112.163.90      1433/tcp           3          3
66.134.108.252     3014/tcp           3          3
65.82.175.176      3014/tcp           3          3
65.215.15.211      1433/tcp           3          3
62.168.26.2        1433/tcp           3          3
61.73.44.136       25/tcp             3          3
61.73.108.172      25/tcp             3          3
61.100.19.253      25/tcp             3          3
4.60.157.49        6346/tcp           3          3
38.221.19.33       1433/tcp           3          3
24.90.176.48       1433/tcp           3          3
24.162.43.86       445/tcp            3          3
218.145.173.242    1433/tcp           3          3
217.226.211.248    3014/tcp           3          3
217.136.81.249     3014/tcp           3          3
211.49.193.126     1433/tcp           3          3
211.49.174.221     25/tcp             3          3
211.237.116.40     1433/tcp           3          3
211.226.107.87     3014/tcp           3          3
211.141.65.15      1433/tcp           3          3
210.243.199.195    1433/tcp           3          3
210.222.9.61       1433/tcp           3          3
210.205.200.75     25/tcp             3          3
210.113.65.9       1433/tcp           3          3
203.140.201.146    80/tcp             3          3
172.181.212.128    3014/tcp           3          3
172.180.114.191    3014/tcp           3          3
172.175.121.20     3014/tcp           3          3
172.161.35.65      3014/tcp           3          3
172.146.209.231    3014/tcp           3          3
172.132.238.159    3014/tcp           3          3
151.36.176.190     1433/tcp           3          3
147.9.164.167      3014/tcp           3          3
142.176.143.4      1433/tcp           3          3
141.85.0.80        3014/tcp           3          3
139.57.218.107     3014/tcp           3          3
134.48.178.27      3014/tcp           3          3

[snipped]

iD8DBQE9y1e4ER3MuHUncBsRAqOPAJwKETt7zWJ3lwrjCZ+lkw/3JvsEwgCfROth
yyqWxh6pHj58oQoVW2ExCWI=
=NvNU
-----END PGP SIGNATURE-----



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Fri Nov 8 23:09:40 2002
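Added example (not part of Brian's post, and not the report script that produced the forwarded summary): a small Python script that rebuilds a "Top Attackers Summary" of the same shape from ipchains reject lines in /var/log/messages, and adds the TTL sanity check the post says was still to be done. For each source it collects the observed TTLs, infers the likely initial TTL (64, 128 or 255) and the hop count, and flags a source whose packets imply different initial TTLs, which is what a spoofed address or several hosts behind one address looks like in a SYN-drop log. The log lines are constructed for the example (addresses borrowed from the report, TTLs invented) and the ipchains "Packet log:" layout is assumed from the 2.2-kernel format; adjust LOG_RE if your kernel logged it differently.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of ipchains "Packet log:" lines as they would appear in
# /var/log/messages. The layout is assumed from the 2.2-kernel ipchains format
# (chain target iface PROTO=n src:sport dst:dport L= S= I= F= T=ttl [SYN]);
# these lines are NOT from the post. Source addresses are borrowed from the
# report above, TTLs and timestamps are invented, and 66.233.122.11 is given
# two inconsistent TTLs on purpose so the TTL check has something to flag.
SAMPLE_LOG = """\
Nov  7 03:41:14 dsl kernel: Packet log: input DENY eth0 PROTO=6 24.51.45.230:3316 10.0.0.2:3014 L=48 S=0x00 I=41052 F=0x4000 T=113 SYN (#12)
Nov  7 03:41:17 dsl kernel: Packet log: input DENY eth0 PROTO=6 24.51.45.230:3316 10.0.0.2:3014 L=48 S=0x00 I=41210 F=0x4000 T=113 SYN (#12)
Nov  7 03:41:23 dsl kernel: Packet log: input DENY eth0 PROTO=6 24.51.45.230:3316 10.0.0.2:3014 L=48 S=0x00 I=41377 F=0x4000 T=113 SYN (#12)
Nov  7 04:10:02 dsl kernel: Packet log: input DENY eth0 PROTO=6 129.110.39.39:1045 10.0.0.2:3014 L=48 S=0x00 I=7712 F=0x4000 T=117 SYN (#12)
Nov  7 04:10:05 dsl kernel: Packet log: input DENY eth0 PROTO=6 129.110.39.39:1045 10.0.0.2:3014 L=48 S=0x00 I=7801 F=0x4000 T=117 SYN (#12)
Nov  7 05:22:40 dsl kernel: Packet log: input DENY eth0 PROTO=6 172.168.250.35:2231 10.0.0.2:3014 L=48 S=0x00 I=9132 F=0x4000 T=112 SYN (#12)
Nov  7 05:22:41 dsl kernel: Packet log: input DENY eth0 PROTO=6 172.168.250.35:2232 10.0.0.2:80 L=48 S=0x00 I=9133 F=0x4000 T=112 SYN (#12)
Nov  7 06:01:09 dsl kernel: Packet log: input DENY eth0 PROTO=6 66.233.122.11:4120 10.0.0.2:1214 L=48 S=0x00 I=22001 F=0x4000 T=51 SYN (#12)
Nov  7 06:01:12 dsl kernel: Packet log: input DENY eth0 PROTO=6 66.233.122.11:4120 10.0.0.2:1214 L=48 S=0x00 I=22002 F=0x4000 T=240 SYN (#12)
Nov  7 06:30:00 dsl kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.1:53 10.0.0.2:1025 L=80 S=0x00 I=1 F=0x0000 T=64 (#3)
Nov  7 06:30:01 dsl sshd[412]: Accepted publickey for brian from 10.0.0.9 port 40110
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
INITIAL_TTLS = (64, 128, 255)  # common OS defaults: Linux/BSD, Windows, Solaris/Cisco
HEADER = "Attacker           DST Port     Port Count  IP TOTAL"


def parse_ipchains(text):
    """Return one record per recognisable 'Packet log:' line; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        proto = int(m["proto"])
        records.append({
            "src": m["src"],
            "dport": f"{m['dport']}/{PROTO_NAMES.get(proto, str(proto))}",
            "ttl": int(m["ttl"]),
        })
    return records


def top_attackers(records):
    """Rows of (attacker, dst port, port count, ip total), ordered the way the
    forwarded summary is: by IP total, then by source address as a string,
    then by port count, all descending."""
    port_count = Counter((r["src"], r["dport"]) for r in records)
    ip_total = Counter(r["src"] for r in records)
    rows = [(src, dport, n, ip_total[src]) for (src, dport), n in port_count.items()]
    rows.sort(key=lambda row: (row[3], row[0], row[2]), reverse=True)
    return rows


def initial_ttl(ttl):
    """Smallest common initial TTL that could have decayed to the observed value."""
    return min(i for i in INITIAL_TTLS if i >= ttl)


def ttl_report(records):
    """Per source: observed TTLs, the initial TTLs they imply and the hop counts.
    A source whose packets imply different initial TTLs is either several
    hosts or a spoofed address, so it is flagged as suspicious."""
    seen = defaultdict(set)
    for r in records:
        seen[r["src"]].add(r["ttl"])
    report = {}
    for src, ttls in seen.items():
        initials = {initial_ttl(t) for t in ttls}
        hops = {initial_ttl(t) - t for t in ttls}
        report[src] = {
            "ttls": sorted(ttls),
            "initial": sorted(initials),
            "hops": sorted(hops),
            "suspicious": len(initials) > 1,
        }
    return report


def format_summary(rows):
    """Render rows in the same column layout as the forwarded report."""
    lines = [HEADER]
    for src, dport, n, total in rows:
        lines.append(f"{src:<19}{dport:<9}{n:>11}{total:>11}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_ipchains(SAMPLE_LOG)
    print(format_summary(top_attackers(recs)))
    print()
    for src, info in ttl_report(recs).items():
        flag = "  <-- inconsistent initial TTL, check for spoofing" if info["suspicious"] else ""
        print(f"{src:<19}TTL {info['ttls']} initial {info['initial']} hops {info['hops']}{flag}")
```

Run it against the real file with `parse_ipchains(open("/var/log/messages").read())`; the sshd line in the sample is there to show that non-ipchains syslog entries are ignored. The TTL inference only distinguishes the three usual starting values, so a source that is consistently 110-120 hops-adjusted to 128 reads as a Windows box a dozen hops away, which fits the mixed dial-up, DSL and cable sources in the report; a single address that flips between starting values is the one worth a closer look.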

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT

