Sheetrock's Journal: Summary of unsolicited TCP/IP traffic over last month

Notes: Thought I'd do this again to see what's changed since last month. Common inbound ports such as telnet, SMTP, pop3, and http are filtered out by my ISP to prevent giving me too much value for my money and therefore are not represented in this list. Ports receiving fewer than ten packets are not listed. "Attempts" are likely inflated because connections may be tried more than once by the same IP address at the same time (tool- or protocol-related retries). All descriptions are my best guess (forgot to mention this last time.)

Attempts, Protocol, Port
18726, UDP, 1026
15764, UDP, 1027
Windows messenger spam attempts.

1412, UDP, 68
bootpd/dhcpd. Expected and probably legit.

449, UDP, 1434
427, TCP, 1433
Microsoft SQL server exploit traffic.

360, TCP, 42
Microsoft networking scan (WINS) -- almost 26 times the traffic last month. The reason, I think, is a misconfiguration by a budding Windows administrator (well, the second if he's not properly blocking Windows traffic at his border firewall.)

223, UDP, 1028
216, UDP, 1029
More Windows messenger spam attempts?

193, UDP, 6970
RealPlayer/Quicktime trying and failing to use UDP as a network transport. Expected and probably legit.

136, TCP, 4899
radmin (a remote administration tool) listens here. I don't know if the interest is in exploit-related access or brute force access. I've heard some worms will install radmin, and others try to get in existing installations using weak passwords.

115, UDP, 33437
Traceroute, or routing optimization. Probably legit.

100, TCP, 22
SSH.

84, TCP, 10000
Veritas Backup Exec? Zabbix? Webmin?

51, TCP, 2100
Oracle 9i XDB FTP service exploit.

47, TCP, 3306
MySQL.

31, TCP, 57
More probes for an obscure Cisco service. Again, I'm thinking it'd be interesting to hook something up to this port to see what's what.

30, TCP, 9898
Scans for an FTP server the Sasser worm will run on an infected system.

28, TCP, 3127
Backdoor port installed by the MyDoom virus.

27, TCP, 1023
The Sasser.E worm drops an FTP server here.

27, TCP, 3128
Squid webproxy. Slashdot scans.

27, TCP, 5554
The Sasser worm drops an FTP server here.

23, TCP, 8000
Webproxy. Slashdot scans.

22, UDP, 33435
Routing optimization.

21, TCP, 444
Webproxy. Slashdot scans.

19, TCP, 81
Webproxy. Slashdot scans.

19, TCP, 3124
Webproxy. Slashdot scans.

18, TCP, 111
RPC portmapper for Unix/Linux/BSD/etc. type systems. Oldschool attack vector, but I don't know what they're looking for now.

17, TCP, 3389
Remote Desktop Protocol. Someone mentioned a potential exploit on SANS in mid-July, but traffic isn't up much from last month.

17, TCP, 22826
I don't know what this is about.

17, TCP, 6101
According to an entry at SANS, a scan for the Veritas Backup Exec exploit.

17, UDP, 6346
More Gnutella. I dumped the packets this time; they're validly-formed Gnutella PING packets containing extended data that looks like a nickname field. Looks like two people checking from four hosts. I thought Gnutella clients were TCP, but gtk-gnutella at least has offered UDP connectivity since November last year. Still don't know why the same machines keep scanning mine, but maybe they're building a host cache (which is used by Gnutella clients as a starting point to join the network.)

12, UDP, 33439
Routing optimization.

11, TCP, 3382
Webproxy. Slashdot scans.

11, TCP, 6129
Dameware remote management tool exploit.

11, TCP, 5900
VNC (remote desktop tool).

10, TCP, 7032
Webproxy. Slashdot scans.

10, TCP, 2578
Webproxy. Slashdot scans.

10, TCP, 8081
Webproxy. Slashdot scans.

10, TCP, 8090
Webproxy. Slashdot scans.

10, TCP, 1026
Webproxy. Slashdot scans.

10, TCP, 8002
Webproxy. Slashdot scans.

10, TCP, 6588
Webproxy. Slashdot scans.
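For anyone wanting to produce a summary like the one above from their own firewall logs, here is an added example (not part of the original journal entry) that builds the "Attempts, Protocol, Port" table from netfilter-style DROP lines. The log lines are constructed, the regex assumes the SRC=/PROTO=/DPT= field layout of the kernel LOG target, and a second column counts distinct source addresses so the inflation from one host retrying (noted above) is visible beside the raw packet count.

```python
"""Summarise unsolicited inbound traffic by protocol and destination port.

Added example, not from the original journal entry. The sample lines below
are constructed in netfilter LOG-target style; adapt LINE_RE to your firewall.
"""
import re
from collections import defaultdict

# Constructed sample log lines: one host retrying UDP/1026, one host sending
# three SYNs to TCP/1433 from different source ports, one lone SSH probe.
SAMPLE_LOG = """\
Aug  1 00:01:02 gw kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=1234 DPT=1026 LEN=500
Aug  1 00:01:02 gw kernel: IN=ppp0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=1234 DPT=1026 LEN=500
Aug  1 00:01:05 gw kernel: IN=ppp0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=UDP SPT=1234 DPT=1026 LEN=500
Aug  1 00:02:00 gw kernel: IN=ppp0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=1433 SYN
Aug  1 00:02:00 gw kernel: IN=ppp0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=1433 SYN
Aug  1 00:02:03 gw kernel: IN=ppp0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=1433 SYN
Aug  1 00:03:00 gw kernel: IN=ppp0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=22 SYN
"""

# Assumed field order: SRC= ... PROTO= ... DPT= (netfilter LOG target layout).
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dport>\d+)")


def summarise(log_text, min_attempts=1):
    """Return rows (attempts, unique_sources, proto, port), most attempts first.

    'attempts' counts every logged packet, like the table above; 'unique_sources'
    counts distinct source IPs, which strips out one host retrying the same port.
    Rows with fewer than min_attempts packets are dropped (the journal used ten).
    """
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a drop line we can parse; skip it
        key = (m["proto"], int(m["dport"]))
        attempts[key] += 1
        sources[key].add(m["src"])
    rows = [(attempts[k], len(sources[k]), k[0], k[1])
            for k in attempts if attempts[k] >= min_attempts]
    return sorted(rows, key=lambda r: (-r[0], r[2], r[3]))


if __name__ == "__main__":
    print("Attempts, Sources, Protocol, Port")
    for n, uniq, proto, port in summarise(SAMPLE_LOG):
        print(f"{n}, {uniq}, {proto}, {port}")
```

On the sample input the TCP/1433 row shows three attempts from a single source while the UDP/1026 row shows three attempts from two sources, which is exactly the distinction the "attempts are likely inflated" caveat is about.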
