
Any idea what uses these ports??

#1 SiDHEaD (Thread Starter), 07 March 2003, 02:56 PM

Should have said (for those of you that don't know the log format, the bit before the (blocked site) is the port I am on about - i.e. 33832)

Jul 3 15:03:57
1 hostile_site event occured.
---
Protocol: udp
Source IP Address: 61.61.120.142
Source Port: 2538
Destination IP Address: 62.173.***.***
Destination Port: 33861
Network Interface: eth0
TTL: 104
Firebox: "94.0.0.199" at 94.0.0.199

WatchGuard Handling Information:

Notifier: hostile_site
Disposition: deny

---
Andy

[Edited by SiDHEaD - 7/3/2003 3:00:18 PM]

#2 rogp, 07 March 2003, 03:43 PM

Ignore me, getting my IPs confused!

Could it be a file sharing app or something?

Roger

[Edited by rogp - 7/3/2003 3:44:04 PM]

#3 SiDHEaD (Thread Starter), 07 March 2003, 04:14 PM

It's lots and lots of different IPs. About 15/min. Could it be anything to do with halflife or the like??

It's not causing any bandwidth etc. problems, it's just p'ing me off cos it's filling up the logs, and I can see it refreshing like mad in the corner of my eye on my second monitor!!!!

Andy

[Edited by SiDHEaD - 7/3/2003 4:14:51 PM]

#4 SiDHEaD (Thread Starter), 03 July 2003, 02:46 PM

We're being flooded with something, the IPs have been autoblocked - but they are still trying. It's causing a shedload of logs!!!
---
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 107 211.176.105.62 62.173.***.*** 3333 33837 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 107 211.176.105.62 62.173.***.*** 3334 33832 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 107 211.176.105.62 62.173.***.*** 3335 33830 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 107 211.176.105.62 62.173.***.*** 3336 33823 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 107 211.176.105.62 62.173.***.*** 3338 33821 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 110 61.58.192.28 62.173.***.*** 2389 33831 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 115 218.174.138.206 62.173.***.*** 3748 33832 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 107 61.63.135.40 62.173.***.*** 2982 33823 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2510 33863 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2511 33862 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2512 33861 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2513 33850 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2514 33849 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2515 33848 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2516 33839 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2517 33838 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2518 33837 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 105 210.82.61.145 62.173.***.*** 3941 33850 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 105 210.82.61.145 62.173.***.*** 3942 33849 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 105 210.82.61.145 62.173.***.*** 3943 33839 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 105 210.82.61.145 62.173.***.*** 3944 33838 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 105 210.82.61.145 62.173.***.*** 3945 33832 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 105 210.82.61.145 62.173.***.*** 3946 33831 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 101 220.170.71.201 62.173.***.*** 4811 33863 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 105 61.140.36.86 62.173.***.*** 1316 33832 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 105 61.140.36.86 62.173.***.*** 1316 33832 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 106 61.140.36.86 62.173.***.*** 1317 33830 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 40 udp 20 107 211.176.105.62 62.173.***.*** 3332 33839 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 107 61.63.135.40 62.173.***.*** 3051 33821 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 40 udp 20 107 211.176.105.62 62.173.***.*** 3333 33837 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 40 udp 20 107 211.176.105.62 62.173.***.*** 3334 33832 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 40 udp 20 107 211.176.105.62 62.173.***.*** 3335 33830 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 40 udp 20 107 211.176.105.62 62.173.***.*** 3336 33823 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 109 211.175.154.39 62.173.***.*** 2887 33863 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 110 211.175.154.39 62.173.***.*** 2888 33861 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 110 211.175.154.39 62.173.***.*** 2889 33850 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 110 211.175.154.39 62.173.***.*** 2890 33848 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 109 211.175.154.39 62.173.***.*** 2891 33839 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 40 udp 20 107 211.176.105.62 62.173.***.*** 3338 33821 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 109 211.175.154.39 62.173.***.*** 2892 33837 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 110 61.58.192.28 62.173.***.*** 2389 33831 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2510 33863 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2511 33862 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2512 33861 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2513 33850 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 115 218.174.138.206 62.173.***.*** 3748 33832 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2514 33849 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2515 33848 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2516 33839 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2517 33838 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2518 33837 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 9 218.64.72.21 62.173.***.*** 12706 33863 (default)
03/07/03 14:50 firewalld[96]: deny in eth0 40 udp 20 107 211.176.105.62 62.173.***.*** 3332 33839 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 40 udp 20 107 211.176.105.62 62.173.***.*** 3333 33837 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 40 udp 20 107 211.176.105.62 62.173.***.*** 3334 33832 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 40 udp 20 107 211.176.105.62 62.173.***.*** 3335 33830 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 40 udp 20 107 211.176.105.62 62.173.***.*** 3336 33823 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 109 211.175.154.39 62.173.***.*** 2887 33863 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 110 211.175.154.39 62.173.***.*** 2888 33861 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 110 211.175.154.39 62.173.***.*** 2889 33850 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 110 211.175.154.39 62.173.***.*** 2890 33848 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 40 udp 20 107 211.176.105.62 62.173.***.*** 3338 33821 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 109 211.175.154.39 62.173.***.*** 2891 33839 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 109 211.175.154.39 62.173.***.*** 2892 33837 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2510 33863 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2511 33862 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2512 33861 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.99.70 2513 33850 (blocked site)
---

Andy
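
Added example (not part of the original thread, and not WatchGuard code): a short Python parser for the firewalld deny lines in the post above, which counts distinct sources and shows which destination ports are hit by more than one of them. The meaning of the numeric fields after eth0 (packet length, IP header length, TTL) is an assumption; the sample lines are copied from the post.

```python
import re
from collections import Counter, defaultdict

# Field order after the interface name (packet length, protocol, IP header
# length, TTL) is an assumption inferred from the thread, not vendor documentation.
LINE_RE = re.compile(
    r"firewalld\[\d+\]: (?P<action>\w+) (?P<direction>in|out) (?P<iface>\S+) "
    r"(?P<length>\d+) (?P<proto>\w+) (?P<hlen>\d+) (?P<ttl>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+) \((?P<reason>[^)]*)\)"
)

# Seven lines copied from the post above; the destination stays masked as posted.
SAMPLE = """\
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 107 211.176.105.62 62.173.***.*** 3333 33837 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 107 211.176.105.62 62.173.***.*** 3334 33832 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 115 218.174.138.206 62.173.***.*** 3748 33832 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2510 33863 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 111 68.69.208.74 62.173.***.*** 2512 33861 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 44 udp 20 105 61.140.36.86 62.173.***.*** 1316 33832 (blocked site)
03/07/03 14:50 firewalld[96]: deny in eth0 37 udp 20 9 218.64.72.21 62.173.***.*** 12706 33863 (default)
"""

def parse(text):
    """Return one dict per log line that matches the format; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("length", "hlen", "ttl", "sport", "dport"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events

def summarize(events):
    """Group denied packets by destination port and count the sources per port."""
    denied = [ev for ev in events if ev["action"] == "deny"]
    sources_per_dport = defaultdict(set)
    for ev in denied:
        sources_per_dport[ev["dport"]].add(ev["src"])
    ports = sorted(sources_per_dport)
    return {
        "sources": len({ev["src"] for ev in denied}),
        "dport_range": (ports[0], ports[-1]) if ports else None,
        # Destination ports hit by more than one source, with the source count.
        "shared_dports": {p: len(s) for p, s in sources_per_dport.items() if len(s) > 1},
        "reasons": dict(Counter(ev["reason"] for ev in denied)),
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

Run over a full log export, the same summary shows at a glance how many sources are involved and how narrow the band of destination ports is.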

#5 rogp, 03 July 2003, 02:58 PM

Are you running a Watchguard?

#6 SiDHEaD (Thread Starter), 03 July 2003, 03:00 PM

Yea, it's an FB III/700.

Andy

#7 rogp, 03 July 2003, 03:24 PM

I thought I recognised the output! Mind you, the log tag saying 'Watchguard' would have been a giveaway too!

Have you thought about doing a lookup on that IP address to see where it originates?

Do you have anything hackable behind the firewall? If so you may want to remove the external IP on your post.

Sorry I can't be of more help.

Roger

#8 SiDHEaD (Thread Starter), 03 July 2003, 03:35 PM

I had masked our external IP. There are a lot of IPs these connections are originating from, which leads me to think someone has an application open which is causing it.

Andy

#9 SiDHEaD (Thread Starter), 03 July 2003, 03:46 PM

I thought maybe a game or something.

No bandwidth transfer occurring other than mail and http :/

Andy

#10 SJ_Skyline, 03 July 2003, 04:12 PM

Install shadow security scanner and port scan the ****** back and see how much THEY like it!

#11 rogp, 03 July 2003, 05:32 PM

How many client PCs do you have?

Just thinking you could run some of the freeware software auditing tools (in the background) to see if anyone has anything naughty installed.

Roger

#12 Jeff Wiltshire, 03 July 2003, 06:29 PM

The IP addresses are from China, Taiwan, Korea & 1 set from the US... This would suggest that it isn't a game. Might be a worm but I don't recognise the ports... very odd...

Is it still going on?

#13 Jeff Wiltshire, 03 July 2003, 06:31 PM

Have you got anything unusual going outbound?

#14 SiDHEaD (Thread Starter), 03 July 2003, 08:13 PM

Outbound is absolutely fine.

This only started happening after lunch, and I ran a halflife server at lunchtime on one of our servers, so I wondered if it was that...

The thing is I used to run the halflife server a few months ago, and none of this happened then.

Andy

#15 Jeff Wiltshire, 04 July 2003, 08:08 AM

Ummm....

Simple answer is I don't know... is it still happening?

#16 ptholt, 04 July 2003, 08:22 AM

There is a subscription members-only version of kazaa/e-donkey etc. operating out of the Far East that uses MANY different IP addresses and allows download over http and ftp, could be someone using something like that and either other users are port scanning etc?

#17 SiDHEaD (Thread Starter), 04 July 2003, 09:08 AM

I'm off work today so I can really tell if it's happening as if I turn the blocked site logging on, if it IS still doing it my remote desktop connection will get flooded and I won't be able to do anything.

Andy

#18 SiDHEaD (Thread Starter), 07 July 2003, 08:51 AM

Well, it's still doing it, and the halflife server hasn't been running since Saturday...

Andy