Port ID

  • blackwave
    Member
    • Jun 2002
    • 4270

    #16
    ... so out of all the stuff you found on google, nothing satisfied your curiosity? I did a quick search and found reports of code red / nimda scans on that port, as well as firewall configurations that would appear on that port...


    • jounin
      Member
      • Jun 2003
      • 31

      #17
      Originally posted by blackwave
      ... so out of all the stuff you found on google, nothing satisfied your curiosity? I did a quick search and found reports of code red / nimda scans on that port, as well as firewall configurations that would appear on that port...
      Yeah, I see 2154 as the source port for some nimda/code red attacks but the target port is 80. Do you think it's mutated and now hammering occasionally on 2154?
      http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=replace_with_any_question


      • converge
        No Values Voter
        • Oct 2001
        • 3322

        #18
        Originally posted by jounin
        "we don't know, so our l337 answer is to say find out for yourself". Thanks for nothing.
        No. My posts were never intended to say that the question was bad; my posts did not say that. In fact, it is nice to see someone posting in the Computer Security thread, with an appropriate topic for the thread. And you can be assured that I have no delusion of 1337ness.

        My posts were a direct response to the asshat attitude that you received responses with. Seriously, it reeked of heavy ass stench, and it still does. You have asked a general question, an intriguing one, but a general one. You have received a general answer and become totally pissed off about it. But enough of that petty stuff...

        To this point, you still have not even provided more details about the environment you're experiencing this oddity in... For all we know it could be a firewall config, you could have nimda on your box, or you could be running an asclock applet that listens on that port. or it could be half a million other things configured for that port... or you could be reading your logs incorrectly, or some random person / port scanner could have that port configured in its list, or who knows what

        bottom line: details chap, details
        if it gets me nowhere, I'll go there proud; and I'm gonna go there free.


        • yankee
          Transmutation
          • May 2003
          • 113

          #19
          Things we know:

          I have been querying my firewall logs and there were numerous attempts from some assclown (24.130.140.110) on TCP 2154.

          and,

          I did a quick search and found reports of code red / nimda scans on that port...

          and,

          Yeah, I see 2154 as the source port for some nimda/code red attacks but the target port is 80. Do you think it's mutated and now hammering occasionally on 2154?


          My guess from reading the above posts is that someone is trying to launch a nimda/code-red type of attack at 24.130.140.110, and is spoofing their source with your address (though I don't think these viruses have a defined source port). Are the packets you're logging SYN or SYN,ACK?


          • jounin
            Member
            • Jun 2003
            • 31

            #20
            Originally posted by converge
            My posts were a direct response to the asshat attitude that you received responses with. Seriously, it reeked of heavy ass stench, and it still does
            Actually, you're right. I was extremely defensive in my reaction to skroo's condescending reply and it escalated from there. I'm over it, hope everyone else is as well.
            Originally posted by converge
            For all we know it could be a firewall config, you could have nimda on your box, or you could be running an asclock applet that listens on that port. or it could be half a million other things configured for that port... or you could be reading your logs incorrectly, or some random person / port scanner could have that port configured in its list, or who knows what

            bottom line: details chap, details
            Details:
            1. firewall is working properly, I test frequently for accuracy.
            2. nimda is not on anything behind the firewall (yes, I've checked.)
            3. asclock applet is not active
            4. reading the log is not an issue
            5. this particular firewall does not have any ports allowed from the outside.
            Originally posted by yankee
            Are the packets you're logging SYN or SYN,ACK?
            SYN
            The source ports are all over the map so there's not much to report about that. Literally, for 100 attacks there are 99 different source ports. Also, there are more attacking IPs than the one mentioned earlier, it's the biggest offender so far, and the other IPs are from various ISPs/orgs.
            http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=replace_with_any_question

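A defender-side way to check the two things the thread keys on (yankee's SYN vs SYN,ACK question, and jounin's observation that source ports are spread out while a few source IPs dominate) over a firewall log. This is an added example, not code from the thread; the log line format, the addresses and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample firewall drop log (assumed format, documentation-range addresses).
SAMPLE_LOG = """\
Jul 28 22:01:11 fw DROP TCP 203.0.113.10:4431 -> 10.0.0.5:2154 SYN
Jul 28 22:01:14 fw DROP TCP 203.0.113.10:4432 -> 10.0.0.5:2154 SYN
Jul 28 22:03:40 fw DROP TCP 198.51.100.7:1179 -> 10.0.0.5:2154 SYN
Jul 28 22:05:02 fw DROP TCP 192.0.2.9:80 -> 10.0.0.5:2154 SYN,ACK
Jul 28 22:05:03 fw DROP TCP 203.0.113.10:4433 -> 10.0.0.5:2154 SYN
Jul 28 22:07:19 fw DROP TCP 192.0.2.44:3344 -> 10.0.0.5:80 SYN
"""

LINE_RE = re.compile(
    r"TCP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z,]+)$"
)


def parse(log_text):
    """Yield one record per TCP line that matches the assumed format; others are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {"src": m["src"], "sport": int(m["sport"]),
                   "dport": int(m["dport"]), "flags": m["flags"].split(",")}


def summarize(log_text, port):
    """Summarize hits on one destination port the way the thread reasons about them."""
    hits = [r for r in parse(log_text) if r["dport"] == port]
    # Bare SYN: someone really is trying to connect to you on that port
    # (scanner, worm, P2P client probing for an open egress port, etc.).
    direct = [r for r in hits if "SYN" in r["flags"] and "ACK" not in r["flags"]]
    # SYN,ACK with no prior SYN from you: backscatter, i.e. replies to SYNs that a
    # third party sent elsewhere with your address spoofed as the source.
    backscatter = [r for r in hits if "ACK" in r["flags"]]
    return {
        "total": len(hits),
        "direct_syn": len(direct),
        "syn_ack_backscatter": len(backscatter),
        "distinct_sources": len({r["src"] for r in hits}),
        "distinct_source_ports": len({r["sport"] for r in direct}),
        "top_sources": Counter(r["src"] for r in direct).most_common(3),
    }
```

A high direct_syn count with near-unique source ports and a short list of repeat sources matches what jounin reports; a high syn_ack_backscatter count instead would support yankee's spoofed-source reading.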

            • skroo
              Volatile Compound
              • Dec 2001
              • 2348

              #21
              SYN
              The source ports are all over the map so there's not much to report about that. Literally, for 100 attacks there are 99 different source ports. Also, there are more attacking IPs than the one mentioned earlier, it's the biggest offender so far, and the other IPs are from various ISPs/orgs.
              Have you ascertained what OS is running on the source IPs as well as what the role of those IP addresses (dialup pool, DSL pool, ISP internal, hosting pool, etc.) are?


              • jounin
                Member
                • Jun 2003
                • 31

                #22
                Originally posted by skroo
                Have you ascertained what OS is running on the source IPs as well as what the role of those IP addresses (dialup pool, DSL pool, ISP internal, hosting pool, etc.) are?
                All of the IPs are from dynamic customer pools of the ISPs: AOL, SBC, Verizon, Telefonica, UUNET, Nitelog/Redshift, and AT&T. Some are from dialup and some are from DSL. As far as the OSs, my guess is that most of these are M$ because they are individual dialup/DSL pool addresses, but it's too late to confirm on the dialup IPs and probably the DSL because they were dynamic.
                Last edited by jounin; July 29, 2003, 11:01.
                http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=replace_with_any_question


                • skroo
                  Volatile Compound
                  • Dec 2001
                  • 2348

                  #23
                  Originally posted by jounin
                  As far as the OSs, my guess is that most of these are M$ because they are individual dialup/DSL pool addresses, but it's too late to confirm on the dialup IPs and probably the DSL because they were dynamic.
                  Fair point. Without traffic captures it's hard to do anything in retrospect, but given what you're seeing the Nimda/Code Red explanation sounds like the most reasonable.

                  Option 2 is that it may be some other distributed application - filesharing client, spyware, etc. Not unusual for the night shift to set my pager off because the IDS has just had a massive false positive over some AIM client scanning for a port it can get out to the internet on.


                  • jounin
                    Member
                    • Jun 2003
                    • 31

                    #24
                    Originally posted by skroo
                    ...given what you're seeing the Nimda/Code Red explanation sounds like the most reasonable.
                    Option 2 is that it may be some other distributed application - filesharing client, spyware, etc.
                    I'm thinking you're right. It does appear to be some client that is crawling for this port and P2P or a worm seems to be the closest match. I don't think it's code red but may be nimda or another worm looking for the next conquest. Thanks for the input!
                    http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=replace_with_any_question
