I have been querying my firewall logs and there were numerous attempts from some assclown (24.130.140.110) on TCP 2154. There seem to be spikes in attempts to this port by others, most recently in mid through late June. I have not been able to identify what this port is used for or what the interest is. Any ideas?
Port ID
-
I've googled and googled with no solid results. I'm sure it's some trojan or backdoor someone (probably the attacker) has written recently that uses it. Just thought someone here might have an idea or come across it in their own logs.
http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=replace_with_any_question
-
First one's free: http://www.iana.org/assignments/port-numbers (found by using the highly-obscure search term 'tcp port list' on Google).
Originally posted by jounin
I've googled and googled with no solid results. I'm sure it's some trojan or backdoor someone (probably the attacker) has written recently that uses it.
Given that 2154 sits in the range between 2153 and 2158 that are listed as unallocated, it could be anything, and not necessarily a trojan. Run some traffic captures on it and see what you get.
-
No Really?...Free?....Wow!... Of course I checked the above list and a few others. It's not there. I know it's unassigned, HENCE the post. I know it could be anything but thanks for pointing out the obvious. Anyone else have enlightenment on the obvious?
Originally posted by skroo
First one's free: http://www.iana.org/assignments/port-numbers (found by using the highly-obscure search term 'tcp port list' on Google).
Given that 2154 sits in the range between 2153 and 2158 that are listed as unallocated, it could be anything, and not necessarily a trojan. Run some traffic captures on it and see what you get.
http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=replace_with_any_question
-
No problem. Did you ever bother to consider that the blatantly obvious may actually be your answer?
Originally posted by jounin
No Really?...Free?....Wow!... Of course I checked the above list and a few others. It's not there. I know it's unassigned, HENCE the post. I know it could be anything but thanks for pointing out the obvious.
-
As in, you haven't come across it or know what may be of interest? "It could be anything" That's my answer? I should have stopped looking when I had the same answer. How silly of me for asking. C'mon now. I know I'm not the only one who has seen this traffic: http://isc.incidents.org/port_detail...ays=40&Redraw=
Originally posted by skroo
No problem. Did you ever bother to consider that the blatantly obvious may actually be your answer?
http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=replace_with_any_question
-
Well gosh beav ya think? I guess I mistakenly thought others who post here would actually have more intelligence than to say "we don't know, so our l337 answer is to say find out for yourself". Thanks for nothing. Sniffing and analyzing is great but efficiency is better. Why am I being a 'tard' because I'm trying not to reinvent the wheel here. If you don't know, then you don't know, and if no one else knows then I do have to find out for myself. I now have figured out I need to post the actual security discussions somewhere else and post the "hey dude isn't h4x0r cool!" discussions here.
Originally posted by converge
No, don't be a tard.... sniff your traffic and find out for yourself, or give us a root shell and we'll gladly oblige
http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=replace_with_any_question
-
Is it really so difficult that you can't find the answer on your own, or are you just too lazy to look for it?
Originally posted by jounin
Well gosh beav ya think? I guess I mistakenly thought others who post here would actually have more intelligence than to say "we don't know, so our l337 answer is to say find out for yourself". Thanks for nothing. Sniffing and analyzing is great but efficiency is better. Why am I being a 'tard' because I'm trying not to reinvent the wheel here. If you don't know, then you don't know, and if no one else knows then I do have to find out for myself. I now have figured out I need to post the actual security discussions somewhere else and post the "hey dude isn't h4x0r cool!" discussions here.
Go post to a mailing list, most of those with high volume are free and willing to give you the answers to your question. Around here, however, we take the philosophy that people should find their own answers to their question. It's not only a learning experience, but when you find the answer it's much more fulfilling.
Have a nice day.
-
No, not too difficult. Not nearly as difficult as getting across the point of the post. If someone has seen the same traffic and has an idea of the interest in the port and cares to share their experience then great. Instead all the responses are "look it up" as if I hadn't done that prior to posting. I'm not asking someone to help me, not asking someone to do something for me, just wanted to discuss the issue. I agree, there is great value in discovering something on your own when troubleshooting or learning something new. But is this not the place to discuss security issues?
Originally posted by highwizard
Is it really so difficult that you can't find the answer on your own, or are you just too lazy to look for it?
Go post to a mailing list, most of those with high volume are free and willing to give you the answers to your question. Around here, however, we take the philosophy that people should find their own answers to their question. It's not only a learning experience, but when you find the answer it's much more fulfilling.
Have a nice day.
http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=replace_with_any_question
-
I really don't think this is a bad question. Maybe I am misunderstanding the original question, but as far as I can tell he understands that it is an unassigned port, but wanted to know if anyone was aware of a backdoor/trojan/sploit that specifically targeted/used this port. Seeing as how I too am unfamiliar with anything that uses it, I would be curious as to the answer as well.
perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
-
I am also curious, I tried to locate a script that attacked that port or a trojan that did, not one that I can find, I am still looking around. My guess is that it is just a port on the portscanners, and as long as you don't have it open, nothing should be affected.
Originally posted by Chris
I really don't think this is a bad question. Maybe I am misunderstanding the original question, but as far as I can tell he understands that it is an unassigned port, but wanted to know if anyone was aware of a backdoor/trojan/sploit that specifically targeted/used this port. Seeing as how I too am unfamiliar with anything that uses it, I would be curious as to the answer as well.
~:CK:~
I would like to meet a 1 to keep my 0 company.
-
Originally posted by Chris
I really don't think this is a bad question. Maybe I am misunderstanding the original question, but as far as I can tell he understands that it is an unassigned port, but wanted to know if anyone was aware of a backdoor/trojan/sploit that specifically targeted/used this port. Seeing as how I too am unfamiliar with anything that uses it, I would be curious as to the answer as well.
It's not that it was a bad question. It's just the fact that querying Mr. Google would result in the best answers. Ironic because of what his signature was/is.
Honestly, from seeing this forum, I would say it isn't the best place to discuss the security issues compared to what is out there. If you are looking for a place to do that, and get real honest to god answers, then I would suggest joining a mailing list - security has good ones.
Originally posted by jounin
No, not too difficult. Not nearly as difficult as getting across the point of the post. If someone has seen the same traffic and has an idea of the interest in the port and cares to share their experience then great. Instead all the responses are "look it up" as if I hadn't done that prior to posting. I'm not asking someone to help me, not asking someone to do something for me, just wanted to discuss the issue. I agree, there is great value in discovering something on your own when troubleshooting or learning something new. But is this not the place to discuss security issues?
Furthermore, the answer to your question DOES lie in the security focus archives, it just takes a bit of digging and piecing things together.
I hope my responses were helpful.
Cheers!
-
I'm tired of saying the same, of course I googled. Anyway, cK, I think it's possible it's just a scan, but I'm curious why in my case, and it appears others, there are spikes of attacks on the port. I would think if it were a plain ol' port scan it would hit it, see that it's dead and move on. It just seems that there is a definite purpose to the targeted port.
Originally posted by highwizard
It's not that it was a bad question. It's just the fact that querying Mr. Google would result in the best answers. Ironic because of what his signature was/is.
http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=replace_with_any_question
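The distinction raised in the last post (a scan that touches the port and moves on versus attempts aimed only at TCP 2154), as an added example that is not part of the original thread: it tallies hits per day and labels each source. The iptables-style log format, the documentation-range addresses and the `sweep_ports` threshold are assumptions; the thread never names the firewall.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in iptables LOG style (an assumption, not data from the thread).
SAMPLE = """\
Jun 18 03:12:45 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3345 DPT=2154 SYN
Jun 18 03:12:48 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3345 DPT=2154 SYN
Jun 19 11:40:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3391 DPT=2154 SYN
Jun 19 14:01:10 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=4000 DPT=2153 SYN
Jun 19 14:01:10 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=4001 DPT=2154 SYN
Jun 19 14:01:11 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=4002 DPT=2155 SYN
Jun 19 14:01:11 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=4003 DPT=2156 SYN
Jun 20 09:00:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=2154
"""

LINE = re.compile(r"^(\w{3}\s+\d+) .*?\bSRC=(\S+) .*?\bPROTO=(\w+) .*?\bDPT=(\d+)")

def analyze(log_text, port=2154, sweep_ports=3):
    """Return (per-day hit counts for the port, {source: 'targeted' | 'sweep'})."""
    ports_by_src = defaultdict(set)   # every TCP port each source touched
    hits_by_src = Counter()           # hits on the port of interest per source
    hits_by_day = Counter()           # hits on the port of interest per day
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m.group(3) != "TCP":
            continue                  # skip unparsable lines and non-TCP traffic
        day, src, dport = m.group(1), m.group(2), int(m.group(4))
        ports_by_src[src].add(dport)
        if dport == port:
            hits_by_src[src] += 1
            hits_by_day[day] += 1
    verdicts = {}
    for src in hits_by_src:
        # A source that touched many distinct ports looks like a sweep; one that
        # touched few ports besides this one looks aimed at a specific listener.
        verdicts[src] = "sweep" if len(ports_by_src[src]) >= sweep_ports else "targeted"
    return dict(hits_by_day), verdicts

if __name__ == "__main__":
    per_day, verdicts = analyze(SAMPLE)
    print(per_day)
    print(verdicts)
```

Sources labelled "targeted" are the ones worth a traffic capture, since the payload after the handshake is what identifies the service they expect to find.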