Security Incidents mailing list archives

TCP Scans to port 21656


From: grauf () RFA ORG (Federico Grau)
Date: Fri, 2 Jun 2000 15:31:32 -0400


Hello people,

There has been an unusual amount of scans on our firewalls to tcp port
21656 from various DSL and cable users in the Washington DC metropolitan
area.  I checked my port references and found nothing there:
  http://www.isi.edu/in-notes/iana/assignments/port-numbers
  http://www.onctek.com/trojanports.html

donfede

log snaps:

Jun  2 11:09:57 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 216.164.62.118:2486 x.x.x.x:21656 L=48 S=0x00 I=39062 F=0x4000 T=117 SYN (#26)
Jun  2 11:09:57 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 128.95.49.208:2729 x.x.x.x:21656 L=48 S=0x00 I=4694 F=0x4000 T=114 SYN (#26)
Jun  2 11:10:00 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 216.164.62.118:2486 x.x.x.x:21656 L=48 S=0x00 I=39063 F=0x4000 T=117 SYN (#26)
Jun  2 11:10:00 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 128.95.49.208:2729 x.x.x.x:21656 L=48 S=0x00 I=25430 F=0x4000 T=114 SYN (#26)
Jun  2 11:10:06 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 216.164.62.118:2486 x.x.x.x:21656 L=48 S=0x00 I=39067 F=0x4000 T=117 SYN (#26)
Jun  2 11:10:06 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 128.95.49.208:2729 x.x.x.x:21656 L=48 S=0x00 I=41558 F=0x4000 T=114 SYN (#26)
Jun  2 11:10:11 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 168.70.122.2:3115 x.x.x.x:21656 L=48 S=0x00 I=61101 F=0x4000 T=115 SYN (#26)
Jun  2 11:10:11 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 168.70.122.2:3122 x.x.x.x:21656 L=48 S=0x00 I=61357 F=0x4000 T=115 SYN (#26)
Jun  2 11:10:14 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 168.70.122.2:3122 x.x.x.x:21656 L=48 S=0x00 I=62637 F=0x4000 T=115 SYN (#26)
Jun  2 11:10:14 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 168.70.122.2:3115 x.x.x.x:21656 L=48 S=0x00 I=62893 F=0x4000 T=115 SYN (#26)
Jun  2 11:10:18 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 128.95.49.208:2729 x.x.x.x:21656 L=48 S=0x00 I=65367 F=0x4000 T=114 SYN (#26)
Jun  2 11:10:20 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 168.70.122.2:3122 x.x.x.x:21656 L=48 S=0x00 I=174 F=0x4000 T=115 SYN (#26)
Jun  2 11:10:20 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 168.70.122.2:3115 x.x.x.x:21656 L=48 S=0x00 I=430 F=0x4000 T=115 SYN (#26)
Jun  2 11:10:32 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 168.70.122.2:3122 x.x.x.x:21656 L=48 S=0x00 I=6318 F=0x4000 T=115 SYN (#26)
Jun  2 11:10:32 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 168.70.122.2:3115 x.x.x.x:21656 L=48 S=0x00 I=6574 F=0x4000 T=115 SYN (#26)
Jun  2 11:11:34 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 216.164.62.118:2494 x.x.x.x:21656 L=48 S=0x00 I=39245 F=0x4000 T=117 SYN (#26)
Jun  2 11:11:37 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 216.164.62.118:2494 x.x.x.x:21656 L=48 S=0x00 I=39249 F=0x4000 T=117 SYN (#26)
Jun  2 11:11:43 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 216.164.62.118:2494 x.x.x.x:21656 L=48 S=0x00 I=39259 F=0x4000 T=117 SYN (#26)
Jun  2 11:20:03 FIREWALL2 kernel: Packet log: input REJECT eth1 PROTO=6 216.164.62.118:2499 y.y.y.y:21656 L=48 S=0x00 I=39882 F=0x4000 T=117 SYN (#26)
Jun  2 11:20:06 FIREWALL2 kernel: Packet log: input REJECT eth1 PROTO=6 216.164.62.118:2499 y.y.y.y:21656 L=48 S=0x00 I=39887 F=0x4000 T=117 SYN (#26)
Jun  2 11:20:12 FIREWALL2 kernel: Packet log: input REJECT eth1 PROTO=6 216.164.62.118:2499 y.y.y.y:21656 L=48 S=0x00 I=39888 F=0x4000 T=117 SYN (#26)
Jun  2 11:49:35 FIREWALL2 kernel: Packet log: input REJECT eth1 PROTO=6 168.70.112.71:1096 y.y.y.y:21656 L=48 S=0x00 I=28929 F=0x4000 T=114 SYN (#26)
Jun  2 11:49:38 FIREWALL2 kernel: Packet log: input REJECT eth1 PROTO=6 168.70.112.71:1096 y.y.y.y:21656 L=48 S=0x00 I=31745 F=0x4000 T=114 SYN (#26)
Jun  2 11:49:44 FIREWALL2 kernel: Packet log: input REJECT eth1 PROTO=6 168.70.112.71:1096 y.y.y.y:21656 L=48 S=0x00 I=32513 F=0x4000 T=114 SYN (#26)
Jun  2 11:49:56 FIREWALL2 kernel: Packet log: input REJECT eth1 PROTO=6 168.70.112.71:1096 y.y.y.y:21656 L=48 S=0x00 I=32769 F=0x4000 T=114 SYN (#26)
Jun  2 12:24:04 FIREWALL2 kernel: Packet log: input REJECT eth1 PROTO=6 216.164.62.118:2587 y.y.y.y:21656 L=48 S=0x00 I=44026 F=0x4000 T=117 SYN (#26)
Jun  2 12:24:07 FIREWALL2 kernel: Packet log: input REJECT eth1 PROTO=6 216.164.62.118:2587 y.y.y.y:21656 L=48 S=0x00 I=44032 F=0x4000 T=117 SYN (#26)
Jun  2 12:24:13 FIREWALL2 kernel: Packet log: input REJECT eth1 PROTO=6 216.164.62.118:2587 y.y.y.y:21656 L=48 S=0x00 I=44035 F=0x4000 T=117 SYN (#26)
Jun  2 12:53:57 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:3792 x.x.x.x:21656 L=48 S=0x00 I=4313 F=0x4000 T=117 SYN (#26)
Jun  2 12:54:00 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:3792 x.x.x.x:21656 L=48 S=0x00 I=4314 F=0x4000 T=117 SYN (#26)
Jun  2 12:54:06 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:3792 x.x.x.x:21656 L=48 S=0x00 I=4315 F=0x4000 T=117 SYN (#26)
Jun  2 12:54:32 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:3793 x.x.x.x:21656 L=48 S=0x00 I=4320 F=0x4000 T=117 SYN (#26)
Jun  2 12:54:35 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:3793 x.x.x.x:21656 L=48 S=0x00 I=4321 F=0x4000 T=117 SYN (#26)
Jun  2 12:54:41 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:3793 x.x.x.x:21656 L=48 S=0x00 I=4322 F=0x4000 T=117 SYN (#26)
Jun  2 13:51:31 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 161.253.227.157:1077 x.x.x.x:21656 L=44 S=0x00 I=62979 F=0x4000 T=19 SYN (#26)
Jun  2 13:51:35 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 161.253.227.157:1077 x.x.x.x:21656 L=44 S=0x00 I=64003 F=0x4000 T=19 SYN (#26)
Jun  2 13:51:41 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 161.253.227.157:1077 x.x.x.x:21656 L=44 S=0x00 I=64259 F=0x4000 T=19 SYN (#26)
Jun  2 13:51:54 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 161.253.227.157:1077 x.x.x.x:21656 L=44 S=0x00 I=64771 F=0x4000 T=19 SYN (#26)
Jun  2 13:53:19 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:4346 x.x.x.x:21656 L=48 S=0x00 I=9100 F=0x4000 T=117 SYN (#26)
Jun  2 13:53:22 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:4346 x.x.x.x:21656 L=48 S=0x00 I=9102 F=0x4000 T=117 SYN (#26)
Jun  2 13:53:40 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:4350 x.x.x.x:21656 L=48 S=0x00 I=9128 F=0x4000 T=117 SYN (#26)
Jun  2 13:53:43 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:4350 x.x.x.x:21656 L=48 S=0x00 I=9129 F=0x4000 T=117 SYN (#26)
Jun  2 13:53:49 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:4350 x.x.x.x:21656 L=48 S=0x00 I=9148 F=0x4000 T=117 SYN (#26)
Jun  2 13:54:12 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:4354 x.x.x.x:21656 L=48 S=0x00 I=9158 F=0x4000 T=117 SYN (#26)
Jun  2 13:54:15 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:4354 x.x.x.x:21656 L=48 S=0x00 I=9163 F=0x4000 T=117 SYN (#26)
Jun  2 13:54:21 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:4354 x.x.x.x:21656 L=48 S=0x00 I=9164 F=0x4000 T=117 SYN (#26)
Jun  2 13:55:33 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:4358 x.x.x.x:21656 L=48 S=0x00 I=9187 F=0x4000 T=117 SYN (#26)
Jun  2 13:55:36 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:4358 x.x.x.x:21656 L=48 S=0x00 I=9188 F=0x4000 T=117 SYN (#26)
Jun  2 13:55:42 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:4358 x.x.x.x:21656 L=48 S=0x00 I=9189 F=0x4000 T=117 SYN (#26)
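
Added example, not part of the original post: a Python parser for the Linux ipchains-style "Packet log" entries above. It rejoins wrapped entries and groups SYNs by source address and source port, so retransmissions of one connection attempt can be told apart from separate attempts by the same host. The sample entries are copied from the post; the year 2000 is an assumption taken from the message's Date header.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entries copied from the post; the first is left wrapped as the archive shows it.
SAMPLE = """\
Jun  2 11:09:57 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 128.95.49.208:2729 x.x.x.x:21656 L=48 S=0x00
I=4694 F=0x4000 T=114 SYN (#26)
Jun  2 11:10:00 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 128.95.49.208:2729 x.x.x.x:21656 L=48 S=0x00 I=25430 F=0x4000 T=114 SYN (#26)
Jun  2 11:10:06 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 128.95.49.208:2729 x.x.x.x:21656 L=48 S=0x00 I=41558 F=0x4000 T=114 SYN (#26)
Jun  2 11:10:18 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 128.95.49.208:2729 x.x.x.x:21656 L=48 S=0x00 I=65367 F=0x4000 T=114 SYN (#26)
Jun  2 12:53:57 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:3792 x.x.x.x:21656 L=48 S=0x00 I=4313 F=0x4000 T=117 SYN (#26)
Jun  2 12:54:00 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:3792 x.x.x.x:21656 L=48 S=0x00 I=4314 F=0x4000 T=117 SYN (#26)
Jun  2 12:54:32 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:3793 x.x.x.x:21656 L=48 S=0x00 I=4320 F=0x4000 T=117 SYN (#26)
Jun  2 12:54:35 FIREWALL1 kernel: Packet log: input REJECT eth1 PROTO=6 151.200.20.201:3793 x.x.x.x:21656 L=48 S=0x00 I=4321 F=0x4000 T=117 SYN (#26)
"""

STAMP = r"\w{3}\s+\d+ \d\d:\d\d:\d\d"
ENTRY = re.compile(
    rf"(?P<ts>{STAMP}) \S+ kernel: Packet log: \S+ \S+ \S+ "
    r"PROTO=6 (?P<src>[\d.]+):(?P<sport>\d+) \S+:(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=\d+ F=\S+ T=\d+ SYN")

def unwrap(text):
    """Rejoin wrapped entries: a line without a leading syslog timestamp continues the previous one."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(STAMP, line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def attempts(text, year=2000):  # syslog omits the year; 2000 is assumed from the Date header
    """Map (src, sport, dport) -> gaps in seconds between SYNs of that one connection attempt."""
    seen = defaultdict(list)
    for m in filter(None, map(ENTRY.match, unwrap(text))):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[m["src"], int(m["sport"]), int(m["dport"])].append(ts)
    return {k: [int((b - a).total_seconds()) for a, b in zip(sorted(v), sorted(v)[1:])]
            for k, v in seen.items()}

if __name__ == "__main__":
    for key, gaps in attempts(SAMPLE).items():
        print(key, "seconds between SYNs:", gaps)
```

Entries that share a source port are repeats of a single SYN; a new source port from the same address is a fresh attempt.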

