Port 1574

Hi. can anyone tell me what the UDP port 1574 is for?

Thanks.

Reply to
Michele

For connection-less communication. *SCNR*

If you're asking what it's typically supposed to be for, then, well, why don't you take a look into your /etc/services?

| # grep "1574/udp" < /etc/services
| mvel-lm 1574/udp # mvel-lm

Seems like a non-typical use.

Reply to
Sebastian Gottschalk

Normally or malware?

Both,

formatting link

Reply to
Bit Twister

Thanks for the answers. My firewall always logs and blocks hundreds of accesses made through that port. I think that port is involved with my eMule p2p software, but I'd like to know why there are so many attempts to access my computer through UDP port 1574 while I configured communication correctly in my firewall-router to make my eMule run OK.

Thanks again.

Bit Twister ha scritto:

Reply to
Michele

My firewall just drops the attempts and does not bother to log the normal internet noise ports (80, 143, 8080, 21-25, etc.).

That allows me to see the ones trying to hide in all the noise. I have one site which makes 2 new port checks once a week on Sunday afternoon.

If I get lots of scans I'll block the IP range. I only see one or two hits a day with my current blacklist.

85.255.112.0-85.255.127.0 # known malware address range of INHoster in Ukraine
76.166.0.0-76.190.255.255 # Road Runner HoldCo LLC
218.249.29.0-218.249.29.255 # BEI-JING-JIAO-TONG-DA-XUE CN
211.100.32.0-211.100.95.255 # NET263 group in Beijing P.R.China
220.166.64.0-220.166.65.255 # MAINT-CHINANET-SC China
220.178.0.0-220.180.255.255 # CHINANET anhui province network
221.6.0.0-221.6.255.255 # China Network Communications Group Corp
221.208.0.0/14 # CNCGROUP Heilongjiang Province Network
0.0.0.0/0 udp 1024:1035
0.0.0.0/0 tcp 1023
0.0.0.0/0 tcp 1025 # network blackjack dasher.a
0.0.0.0/0 tcp 80 # AckCmd, Back End, CGI Backdoor, Executor, Hooker, RingZero
0.0.0.0/0 tcp 8080 # Brown Orifice, RemoConChubo, RingZero
0.0.0.0/0 tcp 21:25 # ftp, ssh, Telnet, any private mail system, smtp
0.0.0.0/0 tcp 4899 # Remote Administrator port
0.0.0.0/0 tcp 5900 # vnc Virtual Network Computer
0.0.0.0/0 tcp 10000 # Network Data Management Protocol (webmint)
0.0.0.0/0 udp 1434 # Microsoft-SQL-Monitor
0.0.0.0/0 tcp 1433 # Microsoft-SQL-Server
0.0.0.0/0 tcp 3306 # MySQL
0.0.0.0/0 tcp 3372 # TIP 2, satvid-datalnk - Satellite Video Data Link
0.0.0.0/0 tcp 5554 # Sasser trojan/worm ftp server
0.0.0.0/0 udp 6346 # Gnutella-svc
0.0.0.0/0 tcp 6348 # Gnutella works on this port too
0.0.0.0/0 udp 6348 # Gnutella works on this port too
0.0.0.0/0 tcp 9898 # dabber, MonkeyCom
0.0.0.0/0 tcp 2100 # Amiga Network Filesystem
0.0.0.0/0 udp 33435:33440

Script kiddies/crackers are always hitting ports looking for the latest known exploit and unknown exploits. Want to see the last 24 hours compared to the last 30-day trend?

formatting link

Reply to
Bit Twister

First, I'd rather know if those dropped IPs are attacks! I know I could tell my firewall not to bore me with those logs, but the question is: do you know what kind of data passes through UDP port 1574? Do you use p2p software? Then the IP ranges are always different, and that makes me think it may not be a sort of attack.

I posted this question in many forums but no clear answer has come out yet.

Thanks.

Bit Twister ha scritto:

Hooker, RingZero

Reply to
Michele

When they attempt unsolicited port connections to my system they are attempting unauthorized entry. What would you call it?

No, to the above.

When you are part of a Peer 2 Peer network you will be getting attempts from all over that network. You would not be able to tell if they are valid p2p connects for sharing or crack attempts unless you analyze the connection attempt data.

Reply to
Bit Twister

Hooker, RingZero

Interesting blacklist entries. Have you developed it from your own observations, or imported it from some other source? Just interested!

Jim Ford

Reply to
Jim Ford

The very strange thing is the fact that the attacks, if you prefer calling them so, always pass through UDP port 1574: the port is always the same, the protocol always the same. I've been logging them for months and nothing has changed. It's a bit strange to me, don't you think so?

Anyway thanks for the answers.

Bye.

Bit Twister ha scritto:

Reply to
Michele

Just from log entries that make it through the blacklist.

When a new port shows up, I check

formatting link
formatting link
formatting link
to see if there is a malware description for my comment section.

Every couple of months, I'll check the blacklist hit counter to see if I want to remove any entry.

Firewall frontend is Shorewall on Mandriva Linux.

Reply to
Bit Twister

Thanks - I'm using Shorewall on a Leaf router/firewall.

Jim

Reply to
Jim Ford

Your selection of blacklisted IPs can be different than mine.

I run an xconsole -geom 1032x50+400+00 -file /var/log/messages & on my firewall, and $DISPLAY points to my LAN box.

To use the blacklist, you have to have blacklist as one of your net options in /etc/shorewall/interfaces.

I use /etc/shorewall/params for variables.

# cd /etc/shorewall

# tail -3 interfaces | head -2
net $NET_NIC $NET_BCAST $NET_OPTIONS
loc $LOC_NIC $LOC_BCAST

# grep NET_ params
NET_BCAST=192.168.2.255
NET_NIC=eth1
NET_OPTIONS=dhcp,routefilter,blacklist,tcpflags,logmartians

Reply to
Bit Twister

I've got a blacklist, but I've really not bothered to pore over the log files and enter the 'bad' IP addresses and ports that I see regularly dropped. I just have a quick scan through them to see if anything 'leaps out', and then dump the log. I've occasionally been tempted to set up a Tarpit/Teergrube in an attempt to take a more pro-active approach, but as I understand it, it can create problems with conntrack; I've not looked very deeply. Another problem is that it won't necessarily hit the bad guys, but as often as not their unwitting zombies.

Comments, anyone? (Come on Seb - you know you can't resist! ;^) )

Jim Ford

Reply to
Jim Ford

I do not pore over my logs. I do have a terminal open doing a tail -f /var/log/messages and have pinned the xconsole -geom 1032x50+400+00 -file /var/log/messages & to the top of my desktop. That is about a 4-line view of the log, and the only things seen are the hourly msec log runs and any ntp time sync messages.

When I see a port or several IP drops, I'll put it in the blacklist. For the range I'll use whois ip_here.

That is the advantage of the blacklist. Whatever is there is something to look at and all the noise is damped out by the blacklist.

Matter of fact, I just saw 3 different IPs hitting the same port. Tells me they have a new exploit, or have gone back to a very old one. The new blacklist entry is

0.0.0.0/0 tcp 3389 # MS WBT Server

Yes, and odds would be the unwitting zombies.

Reading

formatting link
provides you with a caution. You do not want to be in court trying to defend what your computer did to someone. :(

I have seen a few laws where just a ping is an unlawful "access" attempt and can land you in the barbed wire hotel.

Lawmakers were tired of seeing the bad guy walk away because the prosecutors could not prove an unlawful /access/ attempt. Look at what the Texas lawmakers passed while thinking of your tarpit. Just read the first 2 definitions of this Texas Statute, CHAPTER 33. COMPUTER CRIMES

formatting link
in pdf format
formatting link

Reply to
Bit Twister
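The workflow Bit Twister describes above (drop the known-noise ports, watch what gets through the blacklist, and treat a new port hit by several different IPs as something worth a whois) can be scripted against the Shorewall log lines in /var/log/messages. The following is an added example, not code from the thread or from the Shorewall project; the log lines, addresses and the noise-port set are constructed for illustration, and the Shorewall:chain:ACTION: prefix with SRC=/PROTO=/DPT= fields is the standard iptables kernel-log format Shorewall emits.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Shorewall/iptables kernel-log format.
# Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar  3 10:01:12 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.7 DST=192.168.2.10 PROTO=UDP SPT=4672 DPT=1574 LEN=30
Mar  3 10:01:40 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=198.51.100.22 DST=192.168.2.10 PROTO=UDP SPT=4672 DPT=1574 LEN=30
Mar  3 10:02:05 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=192.168.2.10 PROTO=TCP SPT=5011 DPT=80 WINDOW=65535
Mar  3 10:03:17 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=192.0.2.44 DST=192.168.2.10 PROTO=TCP SPT=1420 DPT=3389
Mar  3 10:03:18 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=192.0.2.45 DST=192.168.2.10 PROTO=TCP SPT=1421 DPT=3389
Mar  3 10:03:19 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=192.0.2.46 DST=192.168.2.10 PROTO=TCP SPT=1422 DPT=3389
Mar  3 10:04:00 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.7 DST=192.168.2.10 PROTO=UDP SPT=4672 DPT=1574 LEN=30
"""

# The "normal internet noise" ports the thread drops without interest (assumed set).
NOISE_PORTS = {("tcp", 80), ("tcp", 8080), ("tcp", 143), ("udp", 1434)} | {("tcp", p) for p in range(21, 26)}

LINE_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):.*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_drops(log_text):
    """Yield (proto, dport, src) for every Shorewall DROP/REJECT line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("action") in ("DROP", "REJECT"):
            yield m.group("proto").lower(), int(m.group("dpt")), m.group("src")


def summarise(log_text, noise=NOISE_PORTS, min_sources=3):
    """Count hits and distinct sources per (proto, port). A non-noise port hit by
    at least min_sources distinct addresses is flagged, which is the pattern the
    thread reads as a new exploit being probed rather than one host scanning."""
    hits, sources = defaultdict(int), defaultdict(set)
    for proto, dport, src in parse_drops(log_text):
        hits[(proto, dport)] += 1
        sources[(proto, dport)].add(src)
    flagged = sorted(k for k in hits if k not in noise and len(sources[k]) >= min_sources)
    return dict(hits), {k: len(v) for k, v in sources.items()}, flagged


if __name__ == "__main__":
    hits, distinct, flagged = summarise(SAMPLE_LOG)
    for key in sorted(hits):
        print(f"{key[0]}/{key[1]}: {hits[key]} hits from {distinct[key]} sources")
    print("worth a whois:", flagged)  # [('tcp', 3389)]
```

On the sample, UDP 1574 shows 3 hits from only 2 sources and stays below the threshold, while TCP 3389 is hit by 3 distinct addresses and is flagged, matching the "3 different IPs hitting the same port" observation above.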

I'm not sure what the purpose of monitoring the Shorewall hits is. So what do you do with the 'residue' of hits, the ones you don't blacklist? Of what interest are they? Why not do as I do and just shrug your shoulders and dump the Shorewall hit log from time to time without any more than a cursory inspection?

I'm not being critical; it's just that I feel that perhaps I'm missing something here!

Jim Ford

Reply to
Jim Ford

Well, blacklist hits show me which lines to remove when there are very low/no hits.

When I see a drop entry on the screen, I'll look to see who it is.

Since I am running Linux with 8 desktops, it is no problem to click the log desktop, quickly cut/paste the IP into whois and decide what to do with a log entry.

I have been surprised at some and have sent them an abuse report. It was nice to see them clean up their problem.

I would not care if you were. :)

Well, if you are going to "shrug your shoulders and dump the log" you ought to set Shorewall to just drop/nolog. :)

As you can see from the links I gave you, trying to retaliate could get you into deep doo-doo with the law at worst, and at best lose you your internet connection.

Not much I can do with China and known Russian malware IP ranges, so those I'll blacklist. If I can recognize a known business or someone I think will look into it, I'll tell them.

Seeing a new port which is not part of a port scan tells me something new has been found.

If you want to help with the problem you could get with

formatting link
and see what it would take for you to submit your logs. It might be as simple as a batch/cron job to email them to DShield before the logs are rotated out of sight. DShield parses them for port/IP and merges that with their data to detect new events, identify computers spewing crap and try to get their ISP to tell the owner to clean it up.

I have no idea where the good work is going on, but in the last two years I have seen a marked drop in the number of hits on my firewall. Maybe it is just Comcast using filters on their internet connection points. I was switched to RoadRunner about 5 months ago and I have only added a few IP address lines to my blacklist.

There are 31 ranges commented out of my blacklist where the count was zero. Another month and I'll remove those.

Reply to
Bit Twister
