Security Incidents mailing list archives

Re: TCP port 5000 syn increasing


From: Andreas <andreas () conectiva com br>
Date: Mon, 17 May 2004 12:31:31 -0300

On Sun, May 16, 2004 at 08:49:06PM -0400, Rohny Jotton wrote:
> I'm seeing a large amount of these attempts starting around 1:00 PM EST
> Sunday. They're getting blocked at the edge so I don't have any more info
> than that. I'm seeing about one a second from various hosts/networks.

I'm seeing a lot of these too:

[root@maestro root]# grep DPT=5000 /var/log/messages|wc -l
1110

Examples:
May 16 16:32:22 bach kernel: drop_log_in_ext IN=ppp0 OUT= MAC= SRC=201.3.193.43 DST=X.X.X.X LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=30617 DF PROTO=TCP SPT=4039 DPT=5000 WINDOW=8760 RES=0x00 SYN URGP=0
May 16 16:40:27 bach kernel: drop_log_in_ext IN=ppp0 OUT= MAC= SRC=200.193.162.104 DST=X.X.X.X LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=59239 DF PROTO=TCP SPT=1540 DPT=5000 WINDOW=16384 RES=0x00 SYN URGP=0
May 16 16:43:12 bach kernel: drop_log_in_ext IN=ppp0 OUT= MAC= SRC=200.255.46.62 DST=X.X.X.X LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=54833 DF PROTO=TCP SPT=3355 DPT=5000 WINDOW=16384 RES=0x00 SYN URGP=0
May 16 16:43:26 bach kernel: drop_log_in_ext IN=ppp0 OUT= MAC= SRC=200.193.27.31 DST=X.X.X.X LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=14712 DF PROTO=TCP SPT=2046 DPT=5000 WINDOW=65535 RES=0x00 SYN URGP=0

It continues even today.
