Odd port numbers (Blaster?)

Discussion in 'NZ Computing' started by Mainlander, Aug 16, 2003.

  1. Mainlander Guest

    Extract from ZA logs
    210.246.0.0 - 210.246.63.255 registered to TelstraClear NZ Ltd

    What services use these odd port numbers?

    FWIN,2003/08/16,11:36:44 +12:00
    GMT,210.246.0.217:4165,210.246.24.9:135,TCP (flags:S)
    FWIN,2003/08/16,11:37:33 +12:00
    GMT,210.246.20.235:2337,210.246.24.9:135,TCP (flags:S)
    FWIN,2003/08/16,11:43:25 +12:00
    GMT,210.246.0.64:3595,210.246.24.9:135,TCP (flags:S)
    FWIN,2003/08/16,11:48:30 +12:00 GMT,210.246.6.5:3933,210.246.24.9:135,TCP
    (flags:S)
    FWIN,2003/08/16,11:48:41 +12:00
    GMT,210.246.20.222:2160,210.246.24.9:135,TCP (flags:S)
    FWIN,2003/08/16,12:58:20 +12:00
    GMT,210.246.4.16:2582,210.246.24.220:135,TCP (flags:S)
    FWIN,2003/08/16,12:58:58 +12:00
    GMT,210.246.2.96:4514,210.246.24.220:135,TCP (flags:S)
    FWIN,2003/08/16,12:59:02 +12:00
    GMT,210.246.6.57:2059,210.246.24.220:135,TCP (flags:S)
    FWIN,2003/08/16,13:03:00 +12:00
    GMT,210.246.27.52:3728,210.246.24.220:135,TCP (flags:S)
    FWIN,2003/08/16,13:08:08 +12:00
    GMT,210.246.24.91:1025,210.246.24.220:137,UDP
    FWIN,2003/08/16,13:18:31 +12:00
    GMT,210.246.20.60:2300,210.246.24.159:135,TCP (flags:S)
    FWIN,2003/08/16,13:28:58 +12:00
    GMT,210.246.12.178:4581,210.246.24.159:135,TCP (flags:S)
    FWIN,2003/08/16,13:31:29 +12:00
    GMT,210.246.8.100:1455,210.246.24.159:135,TCP (flags:S)
    FWIN,2003/08/16,13:35:35 +12:00
    GMT,210.54.77.161:3307,210.246.24.159:3176,TCP (flags:S)
    FWIN,2003/08/16,13:37:20 +12:00
    GMT,210.246.0.4:4041,210.246.24.159:135,TCP (flags:S)
    FWIN,2003/08/16,13:37:22 +12:00
    GMT,210.246.12.99:4483,210.246.24.159:135,TCP (flags:S)
    FWIN,2003/08/16,13:41:05 +12:00
    GMT,210.54.77.161:3564,210.246.24.159:3176,TCP (flags:S)
    FWIN,2003/08/16,13:45:47 +12:00
    GMT,210.246.6.245:2864,210.246.24.159:135,TCP (flags:S)
    FWIN,2003/08/16,13:50:26 +12:00
    GMT,210.246.16.231:3605,210.246.24.159:135,TCP (flags:S)
    FWIN,2003/08/16,13:55:21 +12:00
    GMT,210.246.16.120:3353,210.246.24.159:135,TCP (flags:S)
    FWIN,2003/08/16,14:00:59 +12:00
    GMT,210.246.4.228:2666,210.246.24.159:135,TCP (flags:S)
    FWIN,2003/08/16,14:05:26 +12:00
    GMT,210.246.12.29:4399,210.246.24.159:135,TCP (flags:S)
    FWIN,2003/08/16,14:10:27 +12:00
    GMT,210.246.8.229:1549,210.246.24.159:135,TCP (flags:S)
    FWIN,2003/08/16,14:13:09 +12:00
    GMT,210.246.20.208:3399,210.246.24.159:135,TCP (flags:S)
    FWIN,2003/08/16,14:13:11 +12:00
    GMT,172.132.20.96:1844,210.246.24.159:17300,TCP (flags:S)
    FWIN,2003/08/16,14:16:36 +12:00
    GMT,210.246.2.106:3477,210.246.24.159:135,TCP (flags:S)
    FWIN,2003/08/16,15:17:31 +12:00
    GMT,218.84.122.151:4458,210.246.27.98:445,TCP (flags:S)
    FWIN,2003/08/16,15:19:39 +12:00
    GMT,210.246.20.167:4995,210.246.27.98:135,TCP (flags:S)
    FWIN,2003/08/16,15:20:26 +12:00
    GMT,210.246.0.16:2371,210.246.27.98:135,TCP (flags:S)
    FWIN,2003/08/16,15:23:25 +12:00
    GMT,210.246.20.224:4937,210.246.27.98:135,TCP (flags:S)
    FWIN,2003/08/16,15:23:30 +12:00
    GMT,210.246.12.41:1537,210.246.27.98:135,TCP (flags:S)
    FWIN,2003/08/16,15:32:58 +12:00
    GMT,172.128.63.227:4657,210.246.24.197:17300,TCP (flags:S)
    FWIN,2003/08/16,15:34:09 +12:00
    GMT,217.227.99.235:26142,210.246.24.197:4662,TCP (flags:S)
    FWIN,2003/08/16,15:34:25 +12:00
    GMT,211.74.7.29:3249,210.246.24.197:4662,TCP (flags:S)
    FWIN,2003/08/16,15:34:48 +12:00
    GMT,217.227.99.235:26206,210.246.24.197:4662,TCP (flags:S)
    FWIN,2003/08/16,15:35:04 +12:00
    GMT,211.74.7.29:3369,210.246.24.197:4662,TCP (flags:S)
    FWIN,2003/08/16,15:35:31 +12:00
    GMT,217.227.99.235:26318,210.246.24.197:4662,TCP (flags:S)
    FWIN,2003/08/16,15:35:48 +12:00
    GMT,211.74.7.29:3551,210.246.24.197:4662,TCP (flags:S)
    FWIN,2003/08/16,15:36:56 +12:00
    GMT,210.246.6.54:2004,210.246.24.197:135,TCP (flags:S)
    FWIN,2003/08/16,18:03:54 +12:00
    GMT,210.246.20.37:3005,210.246.27.5:135,TCP (flags:S)
    FWIN,2003/08/16,18:03:57 +12:00
    GMT,210.246.6.155:2819,210.246.27.5:135,TCP (flags:S)
    FWIN,2003/08/16,18:14:40 +12:00
    GMT,210.246.12.188:4958,210.246.27.5:135,TCP (flags:S)
    FWIN,2003/08/16,18:18:55 +12:00
    GMT,210.246.6.208:2752,210.246.27.5:135,TCP (flags:S)
    FWIN,2003/08/16,18:20:32 +12:00
    GMT,210.246.16.42:4099,210.246.27.5:135,TCP (flags:S)
    FWIN,2003/08/16,18:20:54 +12:00
    GMT,61.243.67.219:4207,210.246.27.5:445,TCP (flags:S)
    FWIN,2003/08/16,18:23:16 +12:00
    GMT,210.246.27.28:1026,210.246.27.5:137,UDP
    FWIN,2003/08/16,18:23:16 +12:00
    GMT,210.246.27.28:1025,210.246.27.5:137,UDP
    FWIN,2003/08/16,18:23:17 +12:00
    GMT,210.246.27.28:1027,210.246.27.5:137,UDP
    FWIN,2003/08/16,18:33:47 +12:00
    GMT,210.246.4.248:3439,210.246.27.5:80,TCP (flags:S)
    FWIN,2003/08/16,18:41:22 +12:00
    GMT,210.246.6.188:3551,210.246.27.5:135,TCP (flags:S)
    FWIN,2003/08/16,18:42:12 +12:00
    GMT,65.35.106.149:3269,210.246.27.5:17300,TCP (flags:S)
    FWIN,2003/08/16,18:42:32 +12:00
    GMT,210.246.4.104:3293,210.246.27.5:135,TCP (flags:S)
    FWIN,2003/08/16,18:43:52 +12:00
    GMT,210.246.16.172:4220,210.246.27.5:135,TCP (flags:S)
    FWIN,2003/08/16,22:02:08 +12:00
    GMT,210.246.8.197:3807,210.246.24.248:135,TCP (flags:S)
    FWIN,2003/08/16,22:19:46 +12:00
    GMT,210.246.16.175:3673,210.246.24.248:135,TCP (flags:S)
    FWIN,2003/08/16,22:21:09 +12:00
    GMT,61.151.238.150:19112,210.246.24.248:21,TCP (flags:S)
    FWIN,2003/08/16,22:21:15 +12:00
    GMT,24.49.78.105:2456,210.246.24.248:17300,TCP (flags:S)
    FWIN,2003/08/16,22:24:25 +12:00
    GMT,210.246.8.248:1682,210.246.24.248:135,TCP (flags:S)
    FWIN,2003/08/16,22:29:11 +12:00
    GMT,210.246.24.216:1048,210.246.24.248:135,TCP (flags:S)
    FWIN,2003/08/16,22:32:58 +12:00
    GMT,210.246.16.152:3481,210.246.24.248:135,TCP (flags:S)
    FWIN,2003/08/16,22:37:24 +12:00
    GMT,210.246.2.248:3081,210.246.24.248:135,TCP (flags:S)
    FWIN,2003/08/16,22:38:04 +12:00
    GMT,210.246.6.93:2286,210.246.24.248:135,TCP (flags:S)
    FWIN,2003/08/16,22:49:05 +12:00
    GMT,63.209.100.167:3294,210.246.24.157:1433,TCP (flags:S)
    FWIN,2003/08/16,22:49:20 +12:00
    GMT,210.246.2.94:3470,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,22:52:03 +12:00
    GMT,210.246.27.37:3990,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,22:53:06 +12:00
    GMT,210.246.0.155:3824,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,22:56:47 +12:00
    GMT,210.246.16.254:3277,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,22:57:56 +12:00
    GMT,210.246.0.1:2784,210.246.24.157:80,TCP (flags:S)
    FWIN,2003/08/16,23:00:51 +12:00
    GMT,210.246.16.231:3392,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,23:01:47 +12:00
    GMT,210.246.2.78:3150,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,23:11:22 +12:00
    GMT,210.246.24.18:4626,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,23:11:23 +12:00
    GMT,61.123.224.81:1745,210.246.24.157:80,TCP (flags:S)
    FWIN,2003/08/16,23:11:28 +12:00
    GMT,210.246.2.213:3106,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,23:31:26 +12:00
    GMT,210.246.4.181:2870,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,23:36:13 +12:00
    GMT,210.246.6.46:2145,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,23:40:51 +12:00
    GMT,210.246.16.139:3325,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,23:42:56 +12:00
    GMT,202.109.122.21:51096,210.246.24.157:445,TCP (flags:S)
    FWIN,2003/08/16,23:46:54 +12:00
    GMT,210.246.20.23:4238,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,23:47:20 +12:00
    GMT,210.246.20.102:4273,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,23:48:56 +12:00
    GMT,210.246.20.179:2493,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,23:52:37 +12:00
    GMT,210.246.12.161:4505,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,23:54:46 +12:00
    GMT,210.246.27.6:3155,210.246.24.157:135,TCP (flags:S)
    FWIN,2003/08/16,23:56:36 +12:00
    GMT,210.246.4.179:2472,210.246.24.157:80,TCP (flags:S)
    FWIN,2003/08/17,00:07:46 +12:00
    GMT,61.33.238.48:2861,210.246.24.121:139,TCP (flags:S)
     
    Mainlander, Aug 16, 2003
    #1

  2. T.N.O Guest

    "Mainlander" wrote
    | What services use these odd port numbers?

    135 is Blaster... the rest can be found using my mate Google, try searching
    for something like network port classification or maybe drop network and use
    TCP
     
    T.N.O, Aug 16, 2003
    #2

  3. Jason M Guest

    On Sun, 17 Aug 2003 00:14:08 +1200, Mainlander <*@*.*> wrote:

    >Extract from ZA logs
    >210.246.0.0 - 210.246.63.255 registered to TelstraClear NZ Ltd
    >
    >What services use these odd port numbers?
    >
    >FWIN,2003/08/16,11:36:44 +12:00
    >GMT,210.246.0.217:4165,210.246.24.9:135,TCP (flags:S)


    Most of them are other TelstraClear customers with the first half of
    their IP address the same as yours (210.246.x.x), infected with
    Blaster and accessing your port 135. I'm getting the same thing here.

    I'm also getting lots of the port 445 and 17300 TCPs, maybe that's
    some other nasty worm starting up.
     
    Jason M, Aug 16, 2003
    #3
  4. Enkidu Guest

    On Sun, 17 Aug 2003 00:14:08 +1200, Mainlander <*@*.*> wrote:

    >Extract from ZA logs
    >210.246.0.0 - 210.246.63.255 registered to TelstraClear NZ Ltd
    >
    >What services use these odd port numbers?
    >
    >FWIN,2003/08/16,11:36:44 +12:00
    >GMT,210.246.0.217:4165,210.246.24.9:135,TCP (flags:S)
    >FWIN,2003/08/16,11:37:33 +12:00
    >GMT,210.246.20.235:2337,210.246.24.9:135,TCP (flags:S)
    >FWIN,2003/08/16,11:43:25 +12:00
    >GMT,210.246.0.64:3595,210.246.24.9:135,TCP (flags:S)
    >FWIN,2003/08/16,11:48:30 +12:00 GMT,210.246.6.5:3933,210.246.24.9:135,TCP
    >(flags:S)


    These are ZA logs? OK, I guess FWIN is "Firewall in", so assume an
    incoming. Assuming that 210.246.0.217:4165 is the source address it is
    an incoming packet from 210.246.0.217. The port is a high port number
    and the address (210.246.24.9) is for the return packet. The return
    address is also using some random high order port. eg if you connect
    to 210.xx.xx.xx:80 the packet will have a source of
    <yourIPaddress>:<somehighport>. This is all normal behaviour.

    The 210.246.24.9:135 is then the target address, your address, and the
    port is 135. The flag is presumably S for Session Setup. It may be
    Blaster.

    Your address appears to have changed several times in this listing.
    Are you on dialup?

    There's an odd strange one or two. eg this one is a setup on port
    17300. Almost certainly someone trying random ports.
    FWIN,2003/08/16,22:21:15 +12:00
    GMT,24.49.78.105:2456,210.246.24.248:17300,TCP (flags:S)

    This one might be a Code Red attempt or any other http exploit.
    GMT,210.246.0.1:2784,210.246.24.157:80,TCP (flags:S)
    FWIN,2003/08/16,23:00:51 +12:00

    There's a few others that I recognise, but it all looks like the usual
    noise that you get these days.

    Cheers,

    Cliff
    --

    Signed and sealed with Great Seal of the Executive
    Council of the Internet, by The Master of The Net.
     
    Enkidu, Aug 17, 2003
    #4
  5. Jason M Guest

    On Sun, 17 Aug 2003 12:02:52 +1200, Enkidu wrote:

    >There's an odd strange one or two. eg this one is a setup on port
    >17300. Almost certainly someone trying random ports.
    >FWIN,2003/08/16,22:21:15 +12:00
    >GMT,24.49.78.105:2456,210.246.24.248:17300,TCP (flags:S)


    I don't think that port 17300 is random.
    I've had 59 accesses to port :17300 in the last day, all from
    different addresses all over the world.
     
    Jason M, Aug 17, 2003
    #5
  6. Jason M Guest

    On Sun, 17 Aug 2003 01:34:29 GMT, Gavin Tunney wrote:

    >On Sun, 17 Aug 2003 00:49:40 GMT, Jason M wrote:
    >
    >>On Sun, 17 Aug 2003 12:02:52 +1200, Enkidu wrote:
    >>
    >>>There's an odd strange one or two. eg this one is a setup on port
    >>>17300. Almost certainly someone trying random ports.
    >>>FWIN,2003/08/16,22:21:15 +12:00
    >>>GMT,24.49.78.105:2456,210.246.24.248:17300,TCP (flags:S)
    >>
    >>I don't think that port 17300 is random.
    >>I've had 59 accesses to port :17300 in the last day, all from
    >>different addresses all over the world.
    >
    >Google is your friend Jason, a search for "TCP port 17300" gives all
    >the answers you need. Looks to be a trojan called kuang2 & various
    >other aliases.......


    That also explains all the accesses of my port 445 then. (Trojan
    ocxdll.exe)
     
    Jason M, Aug 17, 2003
    #6
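
Added example, not part of the thread and not any poster's code: a small Python parser for the FWIN entries in the first post. It counts hits and distinct sources per destination port and how many of those sources sit inside the 210.246.0.0 - 210.246.63.255 range, which is the pattern Jason M describes in #3 (same-ISP hosts hitting port 135) and #5 (port 17300 from unrelated addresses). The function names are made up for this example; the sample entries are copied from the log above.

```python
import ipaddress
import re
from collections import defaultdict

# Range given in the first post: 210.246.0.0 - 210.246.63.255 (a /18).
ISP_RANGE = ipaddress.ip_network("210.246.0.0/18")

# Six entries copied from the log in the first post, wrapping kept as posted.
SAMPLE_LOG = """\
FWIN,2003/08/16,11:36:44 +12:00
GMT,210.246.0.217:4165,210.246.24.9:135,TCP (flags:S)
FWIN,2003/08/16,11:48:30 +12:00 GMT,210.246.6.5:3933,210.246.24.9:135,TCP
(flags:S)
FWIN,2003/08/16,13:08:08 +12:00
GMT,210.246.24.91:1025,210.246.24.220:137,UDP
FWIN,2003/08/16,14:13:11 +12:00
GMT,172.132.20.96:1844,210.246.24.159:17300,TCP (flags:S)
FWIN,2003/08/16,15:17:31 +12:00
GMT,218.84.122.151:4458,210.246.27.98:445,TCP (flags:S)
FWIN,2003/08/16,15:32:58 +12:00
GMT,172.128.63.227:4657,210.246.24.197:17300,TCP (flags:S)
"""

ENTRY = re.compile(
    r"FWIN,(?P<date>[\d/]+),(?P<time>[\d:]+)\s+[+-]\d\d:\d\d\s+GMT,"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"(?P<proto>TCP|UDP)(?:\s*\(flags:(?P<flags>\w+)\))?"
)

def parse(text):
    """Return one dict per blocked inbound entry, tolerating wrapped lines."""
    flat = " ".join(text.split())  # undo the news-client line wrapping
    return [m.groupdict() for m in ENTRY.finditer(flat)]

def summarise(text, isp_range=ISP_RANGE):
    """Per (proto, dest port): hits, distinct sources, sources inside isp_range."""
    by_port = defaultdict(list)
    for e in parse(text):
        by_port[(e["proto"], int(e["dport"]))].append(ipaddress.ip_address(e["src"]))
    return {
        key: {"hits": len(srcs), "sources": len(set(srcs)),
              "same_isp": sum(ip in isp_range for ip in set(srcs))}
        for key, srcs in by_port.items()
    }

if __name__ == "__main__":
    rows = sorted(summarise(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"])
    for (proto, port), row in rows:
        print(f"{proto}/{port}: {row}")
```

On the excerpt, both port 135 sources fall inside the ISP range while neither port 17300 source does; pasting the full log into `SAMPLE_LOG` gives the same breakdown for every port in the first post.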