[juneau-lug] Re: port 46252

  • From: Kevin Miller <atftb2@xxxxxxxxxx>
  • To: juneau-lug@xxxxxxxxxxxxx
  • Date: Sun, 11 Dec 2011 20:54:14 -0900

On 12/11/2011 07:20 PM, Jamie wrote:
> For the last 2 or 3 weeks I've been getting periodically hammered from
> some bot-net? trying to get to port 46252.  Can anyone shed any light?
>
> Sample log:
>
> [INFO] Sun Dec 11 19:15:15 2011 Sending log email as log is full
> [INFO] Sun Dec 11 19:15:15 2011 Blocked incoming TCP connection request from 
> 221.218.175.38:53511 to 24.237.5.24:46252
...

Kind of an odd port to be scanning since it's unassigned.  Perhaps
they're trying some sort of man-in-the-middle attack, and figuring that
perhaps there's a random listening port open that just happens to be
46252?  When you go to the web, say, you open a connection on 80, but
your box will pick a random unassigned port for the web server to reply
on.  If that port is open maybe the bad guys are trying to exploit that.
Normally the attempt would be ignored since the source IP of the
inbound packet doesn't match the connection established w/the legitimate
web server, but maybe they have some exploit.  Just a guess of course.

You must be getting hammered if your log is filling up faster than
logrotate cleans it out.  You might want to drop logrotate into
cron.hourly instead of cron.daily until the storm passes...

...Kevin
-- 
Kevin Miller - http://www.alaska.net/~atftb
Juneau, Alaska
In a recent survey, 7 out of 10 hard drives preferred Linux
Registered Linux User No: 307357, http://linuxcounter.net
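
An added example, not part of the original post: a small parser for log entries in the format quoted above that tallies blocked requests by source address and destination port, to show whether the hits come from one host or many and over what time span. The sample entries are constructed (documentation address ranges), and one is wrapped across two lines the way the quoted entry was.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the log quoted in the thread.
# Addresses are RFC 5737 documentation ranges, not real hosts. The second
# entry is split over two lines, as the mail client wrapped the original.
SAMPLE_LOG = """\
[INFO] Sun Dec 11 19:15:15 2011 Sending log email as log is full
[INFO] Sun Dec 11 19:15:15 2011 Blocked incoming TCP connection request from
198.51.100.7:53511 to 192.0.2.10:46252
[INFO] Sun Dec 11 19:15:40 2011 Blocked incoming TCP connection request from 203.0.113.9:40112 to 192.0.2.10:46252
[INFO] Sun Dec 11 19:16:05 2011 Blocked incoming TCP connection request from 198.51.100.7:53519 to 192.0.2.10:46252
[INFO] Sun Dec 11 19:17:15 2011 Blocked incoming TCP connection request from 203.0.113.50:51000 to 192.0.2.10:22
"""

ENTRY = re.compile(
    r"\[INFO\] (?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
    r"Blocked incoming (?P<proto>\w+) connection request from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def unwrap(text):
    """Rejoin wrapped entries: a line not starting with '[' continues the previous one."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("[") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Count blocked requests per source IP and per destination port."""
    sources, ports, times = Counter(), Counter(), []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue  # other [INFO] lines, e.g. "Sending log email as log is full"
        sources[m["src"]] += 1
        ports[int(m["dport"])] += 1
        times.append(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"))
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {"blocked": len(times), "sources": sources, "ports": ports, "span_seconds": span}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Many distinct sources hitting one port points to distributed traffic; a single source points to one host that can be dropped by address.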
------------------------------------
The Juneau Linux Users Group -- http://www.juneau-lug.org
This is the Juneau-LUG mailing list.