RE: strange logs -- tcp port 16166

["Jerry Shenk" <jshenk () decommunications com>]

That source is in a reserved block of addresses isn't it?  I tried to
traceroute to it from here and 3 hops out, it got ICMP unreachables.  It
seems like this probably isn't related but I've had an address in Japan
hitting on of my boxes for about 6 weeks.  That too started real slow and is
not hitting a couple times an hour.  The source and destination ports are
always the same.  The internal IP address is even an unused one.  There is a
SHADOW IDS installed that grabs all headers - it doesn't show any traffic to
that entire C.

Here's a typical (only thing that changes is the time) log entry from the
edge router that I've been seeing:

Jun 25 00:10:04 list 106 tcp 219.46.246.242(39770) -> xx.xxx.xxx.133(44197),
1 pkt

-----Original Message-----
From: Jiang Peng [mailto:pengf () hotmail com]
Sent: Tuesday, June 24, 2003 11:00 PM
To: incidents () lists securityfocus com
Subject: strange logs -- tcp port 16166


Hi all,

For the last month, I received the following log message continuelly =
from the PIX firewall:

 %PIX-4-106023: Deny tcp src outside:87.104.162.116/64604 dst =
inside:hostname/16166 by access-group "out
side_access_in"

At first, there were only a couple of messages every day, but from last =
week, there are 30-40 messages every day.
All the message has the same source, source port and same destination, =
destination port. The destination is our external DNS server. I checked =
google, but still no idea what kind of services running on port 16166.

Does anyone have any clues for this message?

Thanks,
Jiang

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training
sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's
to
"underground" security specialists.  See for yourself what the buzz is
about!
Early-bird registration ends July 3.  This event will sell out.
www.blackhat.com
----------------------------------------------------------------------------



----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------