Sheetrock's Journal: Summary of unsolicited TCP/IP traffic over last month

Notes:
Common inbound ports such as telnet, SMTP, pop3, and http are filtered out by my ISP to prevent giving me too much value for my money and therefore are not represented in this list. Ports receiving fewer than ten packets are not listed. "Attempts" are likely inflated because connections may be tried more than once by the same IP address at the same time (tool- or protocol-related retries).
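The aggregation behind the list that follows (count packets per protocol and port, drop ports that saw fewer than ten, and keep an eye on the retry inflation noted above), as an added example that is not the journal author's script. The log line format it parses and the sample lines are constructed for this example, since the journal does not show the raw log; the distinct-source column is what tells a real scan from one host retrying.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not the author's firewall output):
#   <timestamp> <TCP|UDP> <src_ip>:<src_port> -> <dst_port>
LINE_RE = re.compile(
    r"^\S+\s+(TCP|UDP)\s+(\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+(\d+)$")

def parse_line(line):
    """Return (proto, src_ip, dst_port), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def summarize(lines, min_attempts=10):
    """Rows of (attempts, proto, port, distinct_sources), most attempts first.
    Ports under min_attempts are dropped, as in the journal. When
    distinct_sources is far below attempts, one host retrying inflates the count."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed or unrelated lines
        proto, src, port = parsed
        attempts[(proto, port)] += 1
        sources[(proto, port)].add(src)
    rows = [(n, proto, port, len(sources[(proto, port)]))
            for (proto, port), n in attempts.items() if n >= min_attempts]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

def make_sample():
    """Constructed sample: 12 UDP/1026 packets from 3 sources (one retrying nine
    times), 10 TCP/22 from 2 sources, 3 TCP/4000 under the cutoff, one junk line."""
    lines = ["2005-03-01T00:00:%02d UDP 198.51.100.7:1234 -> 1026" % i
             for i in range(9)]
    lines += ["2005-03-01T01:00:00 UDP 203.0.113.9:4321 -> 1026",
              "2005-03-01T01:00:02 UDP 203.0.113.9:4321 -> 1026",
              "2005-03-01T02:00:00 UDP 192.0.2.40:1111 -> 1026"]
    lines += ["2005-03-02T00:00:%02d TCP 192.0.2.%d:5000 -> 22" % (i, 10 + i % 2)
              for i in range(10)]
    lines += ["2005-03-03T00:00:%02d TCP 203.0.113.50:2222 -> 4000" % i
              for i in range(3)]
    lines.append("this line is not a packet record and is ignored")
    return lines

if __name__ == "__main__":
    for n, proto, port, srcs in summarize(make_sample()):
        print("%d, %s, %d   (%d distinct source IPs)" % (n, proto, port, srcs))
```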

Attempts, Protocol, Port
12352, UDP, 1026
6377, UDP, 1027
Windows messenger spam attempts.

2344, UDP, 68
bootpd/dhcp. Background network config stuff usually seen on broadband connections or in corporate network environments. In my case this all looks legit.

1813, UDP, 6970
RealPlayer/Quicktime trying and failing to use UDP as a network transport. It transparently switches to TCP after failing a UDP connection, which seems to work just fine for BBC World Service.

442, TCP, 1433
324, UDP, 1434
Microsoft SQL server exploit traffic.

121, TCP, 4899
radmin (a remote administration tool) listens here. I don't know if the interest is in exploit-related access or brute force access. I've heard some worms will install radmin, and others try to get in existing installations using weak passwords.

119, UDP, 6346
Gnutella? I fired that up like two years ago and I'm still getting scans here. Someone needs to clear their cache.

110, TCP, 22
SSH. No doubt connected to the automated brute force dictionary attacks mentioned recently. This got scanned before that too, probably folks looking for an old exploitable version.

51, TCP, 10000
Supposedly there's been an increase in scans for this after the Veritas Backup Exec exploit came out. Two other programs that use this port are Zabbix (an open source network monitoring solution) and Webmin (a web-based system administration interface).

42, TCP, 3306
MySQL. I doubt good intentions are behind this scan.

40, TCP, 9898
The Sasser worm will leave an FTP server open on this port. The Dabber worm will exploit a vulnerability in the server opened by the Sasser worm to spread.

35, UDP, 33437
Traceroute makes use of this port. All of these attempts came from two IP addresses belonging to the same company. Some websites are using a service where they distribute their content to different servers around the world and when you request content from them you are directed to the server with the lowest latency or something. I'm a bit curious how they figure this out with only one server pinging me though.

34, TCP, 2100
Oracle 9i XDB FTP service exploit.

33, TCP, 1023
The Sasser.E worm drops an FTP server here.

33, TCP, 5554
The Sasser worm drops an FTP server here.

33, UDP, 161
SNMP (Simple Network Management Protocol). Sometimes this will give interesting information.

31, UDP, 1381
Apple Network License Manager. I have no idea what the interest here is.

22, TCP, 57
A Google search was unclear on what this was about ("any private terminal access") but I note with interest that there is an obscure Cisco configuration item called "ip tcp async-mobility server" that will listen on this port. I'm thinking about hooking up a dummy TCP server that completes the connection and logs everything to a file.

20, UDP, 1028
Might be more Windows Messenger spam, or an obscure trojan exploit attempt. The same IP address is scanning 1026-1029 UDP.

19, TCP, 6101
According to an entry at SANS, a scan for the Veritas Backup Exec exploit.

18, TCP, 3128
Squid webproxy. Some schlubs scanning for open proxies I imagine. One of the schlubs happens to be our very own slashdot.org.

16, TCP, 2745
Backdoor port installed by Bagle virus variants.

15, TCP, 3127
Backdoor port installed by the MyDoom virus.

14, TCP, 444
Webproxy address. Slashdot scanned this one too.

14, TCP, 42
Microsoft networking scan (WINS).

14, UDP, 1029
More people abusing Windows Messenger, probably.

13, TCP, 81
13, TCP, 8000
Webproxy addresses. Slashdot scans again.

12, TCP, 6129
Dameware remote management tool exploit.

12, UDP, 33439
This seems related to the 33437 scans above.

11, TCP, 1025
Microsoft RPC/LSA exploit attempts?

10, TCP, 4000
The Skydance trojan can run here, as well as a Diablo II Closed Game server (which was vulnerable to DoS years ago, though why people would scan for games to ruin is beyond me.)

10, UDP, 123
Network Time Protocol. Neither IP address checking for this appears to be a known NTP server as far as Google goes.

  • Interesting list, I should assemble something like that for our company network too. :)

    As for Gnutella - it's not people with outdated caches, it's part of the protocol. In the old times, Gnutella clients which didn't come with a host list (either online or offline) started by sending packets to random addresses in the hope of finding another Gnutella client to connect to and ask for other peers. It might be that even modern clients still do it in addition to using the standard host lists in order to find
    • I'm thinking it's a little of column A, a little of column B. Two hosts seemed to give it one try and realize there's nothing there, two hosts tried four or five connections over as many days, and three were checking for a server every two to five minutes over a day or so.

      I'm thinking this would be another good port for a honeypot of some sort (accept connections, log searches and versions of connected clients, relay and return no results). I'd like to see what these transient connections are looking fo
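The dummy TCP server the 57/TCP entry considers, and the log-only honeypot the reply above describes, as an added example that is neither the journal author's code nor a Slashdot project: it completes the handshake, records the peer and whatever it sends, writes one JSON line per connection to a file, and never answers. Binding to 127.0.0.1 on an ephemeral port and the probe() helper are there to exercise it locally; the interface and port to watch are the operator's choice.

```python
import json, socket, threading, time

def record_connection(conn, addr):
    # Read the peer's first data (2 s limit), never reply, then close. Hex keeps
    # binary probes intact and the log file safe to view in a terminal.
    conn.settimeout(2.0)
    try:
        data = conn.recv(512)
    except socket.timeout:
        data = b""
    conn.close()
    return {"time": time.time(), "src": "%s:%d" % addr, "payload_hex": data.hex()}

class LoggingSink:
    def __init__(self, host="127.0.0.1", port=0, logfile=None):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.5)               # lets the loop notice stop()
        self.port = self.sock.getsockname()[1]  # actual port when port=0
        self.logfile, self.records = logfile, []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            rec = record_connection(conn, addr)
            self.records.append(rec)
            if self.logfile:                    # one JSON record per line
                with open(self.logfile, "a") as f:
                    f.write(json.dumps(rec) + "\n")

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

def probe(sink, payload, timeout=5.0):  # local check: connect as a scanner would
    with socket.create_connection(("127.0.0.1", sink.port)) as c:
        c.sendall(payload)
    deadline = time.time() + timeout
    while not sink.records and time.time() < deadline:
        time.sleep(0.05)
    return sink.records[-1] if sink.records else None
```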
