
RE: strange logs -- tcp port 16166

From: Jerry Shenk <jshenk(at)decommunications.com>
Date: Wed Jun 25 2003 - 07:39:43 EDT


That source is in a reserved block of addresses, isn't it? I tried to traceroute to it from here and 3 hops out, it got ICMP unreachables. It seems like this probably isn't related, but I've had an address in Japan hitting one of my boxes for about 6 weeks. That too started real slow and is now hitting a couple times an hour. The source and destination ports are always the same. The internal IP address is even an unused one. There is a SHADOW IDS installed that grabs all headers - it doesn't show any traffic to that entire C.

Here's a typical (only thing that changes is the time) log entry from the edge router that I've been seeing:

Jun 25 00:10:04 list 106 tcp 219.46.246.242(39770) -> xx.xxx.xxx.133(44197), 1 pkt

-----Original Message-----
From: Jiang Peng [mailto:pengf@hotmail.com]
Sent: Tuesday, June 24, 2003 11:00 PM
To: incidents@lists.securityfocus.com
Subject: strange logs -- tcp port 16166

Hi all,

For the last month, I received the following log message continually from the PIX firewall:

 %PIX-4-106023: Deny tcp src outside:87.104.162.116/64604 dst inside:hostname/16166 by access-group "outside_access_in"

At first, there were only a couple of messages every day, but since last week, there are 30-40 messages every day. All the messages have the same source, source port and same destination, destination port. The destination is our external DNS server. I checked google, but still have no idea what kind of service is running on port 16166.


Does anyone have any clues for this message?

Thanks,
Jiang



Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists. See for yourself what the buzz is about!
Early-bird registration ends July 3. This event will sell out. www.blackhat.com
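Both posters describe the same triage question: a single source hitting one host, with the source port and destination port never changing, and only the timestamp differing between log lines. The script below is an added example, not code from either poster or from the list. It parses the two log formats quoted in the thread (the PIX `%PIX-4-106023` deny message and the IOS-style `list 106 tcp A(p) -> B(q), N pkt` line), groups hits per source, and distinguishes a fixed 4-tuple (one client retrying the same connection, which is what both posters saw) from a source that walks destination ports. The sample lines are constructed to mirror the formats on the page; the firewall name `fw01`, the object name `dns1`, and the RFC 5737 addresses `192.0.2.133` and `198.51.100.7` are placeholders, not values from the thread.

```python
import re

# Syslog-style timestamp at the start of a line (the constructed samples all carry one).
TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)")

# Cisco PIX message 106023: packet denied by an access-group.
PIX_106023 = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)'
    r' dst (?P<dif>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# IOS ACL logging line as quoted in the reply: "list 106 tcp A(p) -> B(q), N pkt".
IOS_ACL = re.compile(
    r'list (?P<acl>\S+) (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)'
    r' -> (?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) pkt'
)

def parse_line(line):
    """Normalize a PIX 106023 or IOS ACL-log line into one dict; return None otherwise."""
    ts = TS.match(line)
    m = PIX_106023.search(line) or IOS_ACL.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": ts.group("ts") if ts else None,
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "acl": d["acl"],
        # PIX lines have no packet count; each message is one denied packet.
        "pkts": int(d.get("pkts") or 1),
    }

def triage(lines, min_hits=3):
    """Summarize each source with at least min_hits denied packets.

    A source that always uses the same source port against the same destination
    port is one client retrying one connection (the pattern in the thread), not a
    scan; a source touching several destination ports is worth a closer look.
    """
    per_src = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_src.setdefault(ev["src"], {"hits": 0, "targets": set(), "sports": set(),
                                           "first": ev["ts"], "last": ev["ts"]})
        s["hits"] += ev["pkts"]
        s["targets"].add((ev["dst"], ev["dport"]))
        s["sports"].add(ev["sport"])
        s["last"] = ev["ts"]          # lines are processed in log order
    findings = []
    for src, s in sorted(per_src.items()):
        if s["hits"] < min_hits:
            continue
        if len(s["targets"]) == 1 and len(s["sports"]) == 1:
            verdict = "fixed 4-tuple: one client retrying the same connection, not a scan"
        elif len(s["targets"]) > 1:
            verdict = "several destination ports from one source: possible probing"
        else:
            verdict = "one destination, varying source ports: repeated new connections"
        findings.append({"src": src, "hits": s["hits"], "targets": sorted(s["targets"]),
                         "first": s["first"], "last": s["last"], "verdict": verdict})
    return findings

# Constructed sample log lines modeled on the two formats quoted in the thread.
SAMPLE_LOGS = [
    'Jun 24 22:51:03 fw01 %PIX-4-106023: Deny tcp src outside:87.104.162.116/64604 dst inside:dns1/16166 by access-group "outside_access_in"',
    'Jun 24 23:12:40 fw01 %PIX-4-106023: Deny tcp src outside:87.104.162.116/64604 dst inside:dns1/16166 by access-group "outside_access_in"',
    'Jun 25 00:03:15 fw01 %PIX-4-106023: Deny tcp src outside:87.104.162.116/64604 dst inside:dns1/16166 by access-group "outside_access_in"',
    'Jun 25 00:10:04 list 106 tcp 219.46.246.242(39770) -> 192.0.2.133(44197), 1 pkt',
    'Jun 25 00:40:11 list 106 tcp 219.46.246.242(39770) -> 192.0.2.133(44197), 1 pkt',
    'Jun 25 01:10:09 list 106 tcp 219.46.246.242(39770) -> 192.0.2.133(44197), 2 pkt',
    # Contrasting source that walks destination ports with a fresh source port each time.
    'Jun 25 01:20:00 list 106 tcp 198.51.100.7(1025) -> 192.0.2.133(22), 1 pkt',
    'Jun 25 01:20:01 list 106 tcp 198.51.100.7(1026) -> 192.0.2.133(23), 1 pkt',
    'Jun 25 01:20:02 list 106 tcp 198.51.100.7(1027) -> 192.0.2.133(25), 1 pkt',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f['src']:>16} hits={f['hits']:<3} {f['first']} .. {f['last']}  {f['verdict']}")
```

The verdict is deliberately conservative: a fixed source port repeating for weeks is the signature of a single misconfigured or stale client (a stuck peer-to-peer or service entry, for instance) rather than reconnaissance, which is why both posters' ACL denies are low-priority noise once the destination is confirmed not to listen on that port. The `first`/`last` timestamps are kept as the raw syslog strings, so comparisons across a year boundary need a real date parser.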


Received on Wed Jun 25 12:20:11 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:09 EDT

