Scans on port 17107 (Linux Security forums, System Security and Security Related category)
First off, I'm on dialup. Often I see from my firewall log reports a
large rash of hits on some given port. Yesterday, over the course of about 3
minutes, my firewall logged 1366 hits on port 17107. This occurred immediately
after connecting, and from 1255 different sources. Some were TCP and others
UDP. Of course there may have been many more - I don't know if there was a
"limit" hiding it or not. I'm thinking that these are residual connections
from the previous user of whatever address I got. Would this be correct?

I tried to do a Google search on port 17107 but couldn't find anything, and I
don't have anything in /etc/services or in the other listing of ports that I
have.
On Fri, 25 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
<dm8541$mcl$1@bn2.blue.net>, Myself wrote:

>Yesterday, over the course of about 3 minutes, my firewall logged 1366 hits
>on port 17107. This occurred immediately after connecting, and from 1255
>different sources. Some were TCP and others UDP.

Hard to say - seeing both TCP and UDP to the same port number (other than
occasionally on 53 for DNS) is unusual. 17107 is a 'user-land' port, meaning
it's not a regular server. The "standard" answer for your observation is that
the person who had that IP number before you was running a server of some
kind - I'd suspect a game server of some kind, but that's purely a guess.

I really don't think I'd worry about it. You have nothing running on that
port, so there is nothing to exploit.

>I tried to do a Google search on port 17107 but couldn't find anything,
>and I don't have anything in /etc/services or another listing of ports
>that I have.

As above. Try http://www.iana.org/assignments/port-numbers to get the official
list, but remember there is no force of law behind that. If someone wants to
run a mail server on 17107, they could. Most people wouldn't know it exists
there, because you look for "well known services" on "well known ports", in
this case 25. Also, no windoze virus writer has ever registered his
worm/trojan/what-ever with IANA.

Old guy
On Fri, 25 Nov 2005 17:44:49 -0600, ibuprofin@painkiller.example.tld (Moe Trin) wrote:

>On Fri, 25 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
><dm8541$mcl$1@bn2.blue.net>, Myself wrote:
>
>>Yesterday, over the course of about 3 minutes, my firewall logged 1366 hits
>>on port 17107. This occurred immediately after connecting, and from 1255
>>different sources. Some were TCP and others UDP.
>
>Hard to say - seeing both TCP and UDP to the same port number (other than
>occasionally on 53 for DNS) is unusual. 17107 is a 'user-land' port,
>meaning it's not a regular server. The "standard" answer for your
>observation is that the person who had that IP number before you was
>running a server of some kind - I'd suspect a game server of some kind,
>but that's purely a guess.
>
>I really don't think I'd worry about it. You have nothing running on
>that port, so there is nothing to exploit.

Adding to the above, the idea of sample logging what you're dropping, this is
what I have:

    ....
    MLIMIT="--match limit --limit"
    ....
    # data collection, sample what we're dropping?
    # (LOG is non-terminating: only a rate-limited sample of the packets
    #  reaches syslog, the rest pass on to the drop rule that follows)
    iptables -A INPUT -p all $MLIMIT 6/min --limit-burst 6 \
        -j LOG --log-level info --log-prefix "InpDrop: "
    ....

So that same noise burst here would result in a couple dozen events logged,
not the lot. Only noise after all ;-)

Grant.
On Fri, 25 Nov 2005 17:44:49 -0600, Moe Trin wrote:

> On Fri, 25 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in
> article <dm8541$mcl$1@bn2.blue.net>, Myself wrote:
>
>>Yesterday, over the course of about 3 minutes, my firewall logged 1366
>>hits on port 17107. This occurred immediately after connecting, and from
>>1255 different sources. Some were TCP and others UDP.
>
> Hard to say - seeing both TCP and UDP to the same port number (other than
> occasionally on 53 for DNS) is unusual.

That seemed a bit odd to me.

> 17107 is a 'user-land' port,
> meaning it's not a regular server. The "standard" answer for your
> observation is that the person who had that IP number before you was
> running a server of some kind - I'd suspect a game server of some kind,
> but that's purely a guess.

This is what I suspect. As I said in my original post, I often get a series
of hits on some single port (and not any certain one), and I have always come
to the conclusion that it is from the previous port. However, the number of
these did get my attention. I use fwlogwatch and it sends me an email report.
When I opened mutt and saw the report with over 1000 lines, I did notice :)

> I really don't think I'd worry about it. You have nothing running on
> that port, so there is nothing to exploit.

Right. I have no open incoming ports to my knowledge. I've had them checked on
several of the security sites.

>>I tried to do a Google search on port 17107 but couldn't find anything,
>>and I don't have anything in /etc/services or another listing of ports
>>that I have.
>
> As above. Try http://www.iana.org/assignments/port-numbers to get the
> official list,

I have a second list besides /etc/services, and I believe it is from there.
It dates back to 2002 (I could update it), but I check with it in addition to
/etc/services.

> but remember there is no force of law behind that. If someone wants to
> run a mail server on 17107, they could. Most people wouldn't know it
> exists there, because you look for "well known services" on "well known
> ports" in this case 25. Also, no windoze virus writer has ever
> registered his worm/trojan/what-ever with IANA.

True. But often it can give you a clue to what it might be.

Did two of my original posts show up on the list? For some reason, I got two,
showing a difference of 2 seconds, I believe...
On Fri, 25 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
<dm8dv6$qj7$1@bn2.blue.net>, Myself wrote:

>This is what I suspect. As I said in my original post, I often get a
>series of hits on some single port (and not any certain one), and I have
>always come to the conclusion that it is from the previous port.

Your ISP (duo-county.com) has a /22 block (1022 IPs) at the point where you
are posting (they have more than that - I see at least 2560 addresses
mentioned), and it sounds as if one of your neighbors in the county is running
a game service or similar. At least the clients are well behaved and seem to
go away after being told "There is no server here". 1366 hits from 1255
addresses is less than 1.1 packets per address. It also says that it must be a
popular game/service ;-)

>However, the number of these did get my attention. I use fwlogwatch and
>it sends me an email report. When I opened mutt and saw the report with
>over 1000 lines, I did notice :)

You may want to reconsider your logging strategy, or, as Grant suggests in the
other reply I see, rate limit the logging. Your firewall blocked the
connection attempt, and there really isn't that much more that you can do -
again, 1.1 packets per address - are you going to call the Internet Police?
That would be a lot of paperwork to fill out ;-)

>Right. I have no open incoming ports to my knowledge. I've had them
>checked on several of the security sites.

man netstat

No need to use a security site; just run 'netstat -tupan' and find out what is
open, but also which process is the guilty party.

>I have a second list besides /etc/services, and I believe it is from
>there. It dates back to 2002 (I could update it), but I check with it in
>addition to /etc/services.

Services aren't added that often. I replace my copy every six months, and the
differences are often just contact name changes.

>True. But often it can give you a clue to what it might be.

I'm on 24/7 cable in addition to having dialin. You get used to this constant
noise. As long as you block it, that's all that matters. In addition, the
actual service that a connection may be looking for is rarely the one listed
in official lists - thank you microsoft for keeping skript kiddiez busy
re-writing malware around the world.

>Did two of my original posts show up on the list? For some reason, I got
>two, showing a difference of 2 seconds, I believe...

The news server at Bluegrass Network is putting message id and time stamps on
it - looks like they think they got two copies about a second apart. I don't
use Pan, but the news tools I'm used to have a "Are you sure you want to post
this crap" switch each time I post to reduce the possibility of multi-posts.

Old guy
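An added example, not code from anyone in the thread, that puts numbers behind two points made above: Moe Trin's packets-per-address reasoning (1366 hits from 1255 sources is about 1.1 packets each, which looks like stragglers rather than a probe) and Grant's rate-limited LOG rule (why `--limit 6/min --limit-burst 6` turns the burst into "a couple dozen" log lines). The log lines are constructed inside the script to mirror the reported burst, with placeholder 10.0.x.y source addresses; the `limit` match is modelled as a token bucket, which is an approximation of the kernel's credit-based implementation; and the 50-source threshold in `classify()` is an arbitrary illustration, not a rule from the thread.

```python
"""Triage a burst of dropped packets and size a rate-limited LOG rule.

Added example for the thread above, not code from any poster.  The log lines
are constructed to mirror the reported burst (1366 packets, 1255 sources, TCP
and UDP, about 3 minutes) with placeholder 10.0.x.y addresses.
"""
import re
from collections import defaultdict
from fractions import Fraction

# Fields netfilter's LOG target writes; only those the triage needs are captured.
# The pattern is searched, not anchored, so the syslog timestamp/host prefix
# and the --log-prefix string in front of it do not matter.
LOG_RE = re.compile(
    r"SRC=(?P<src>[0-9.]+) DST=(?P<dst>[0-9.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def constructed_burst(count=1366, sources=1255, seconds=180, dport=17107):
    """Return (timestamp, logline) pairs: `count` packets spread evenly over
    `seconds`, cycling through `sources` distinct addresses, 1 in 5 UDP.
    Constructed data, not captured traffic."""
    burst = []
    for i in range(count):
        host = i % sources
        src = f"10.0.{host // 256}.{host % 256}"
        proto = "UDP" if i % 5 == 0 else "TCP"
        t = Fraction(i * seconds, count)          # exact arrival time in seconds
        line = (f"InpDrop: IN=ppp0 OUT= SRC={src} DST=198.51.100.7 LEN=48 "
                f"TTL=113 PROTO={proto} SPT={1024 + i % 60000} DPT={dport}")
        burst.append((t, line))
    return burst


def summarize(lines):
    """Per destination port: packets, distinct sources, protocols seen, and the
    packets-per-source ratio that separates stragglers from a real probe."""
    by_port = defaultdict(lambda: {"packets": 0, "sources": set(), "protos": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["dpt"] is None:
            continue                               # ICMP or unparsable: no port
        rec = by_port[int(m["dpt"])]
        rec["packets"] += 1
        rec["sources"].add(m["src"])
        rec["protos"].add(m["proto"])
    return {
        port: {
            "packets": rec["packets"],
            "sources": len(rec["sources"]),
            "protos": sorted(rec["protos"]),
            "pkts_per_source": round(rec["packets"] / len(rec["sources"]), 2),
        }
        for port, rec in by_port.items()
    }


def classify(stats):
    """The thread's heuristic: many sources sending about one packet each to
    one port looks like clients still chasing whatever server held this IP
    before you; a few sources sending many packets deserves a closer look.
    The 50-source threshold is an arbitrary choice for illustration."""
    if stats["sources"] >= 50 and stats["pkts_per_source"] < 2:
        return "stale clients of the previous holder of this address"
    return "concentrated traffic; inspect the source(s)"


def simulate_limit(timestamps, rate_per_min, burst):
    """Model the iptables `limit` match as a token bucket: `burst` tokens to
    start, refilled continuously at `rate_per_min` and capped at `burst`, one
    token per packet that reaches the LOG target.  Returns the number logged.
    This approximates the kernel's credit-based implementation; Fraction
    arithmetic keeps the count deterministic."""
    cap = Fraction(burst)
    rate = Fraction(rate_per_min, 60)
    tokens, logged = cap, 0
    last = Fraction(timestamps[0]) if timestamps else Fraction(0)
    for t in timestamps:
        t = Fraction(t)
        tokens = min(cap, tokens + (t - last) * rate)
        last = t
        if tokens >= 1:
            tokens -= 1
            logged += 1
    return logged


if __name__ == "__main__":
    burst = constructed_burst()
    stats = summarize([line for _, line in burst])
    for port, s in stats.items():
        print(f"port {port}: {s['packets']} packets from {s['sources']} sources, "
              f"{'+'.join(s['protos'])}, {s['pkts_per_source']} pkts/source "
              f"-> {classify(s)}")
    logged = simulate_limit([t for t, _ in burst], rate_per_min=6, burst=6)
    print(f"with --limit 6/min --limit-burst 6, {logged} of {len(burst)} "
          f"packets would be logged")
```

Two caveats when carrying this over to a real box. First, the rule Grant posted only samples what gets logged: LOG is a non-terminating target, so every packet, logged or not, continues to the DROP rule that must follow it in the INPUT chain. Second, `simulate_limit()` shows the ceiling you can expect from `--limit`/`--limit-burst`: at most the burst plus the rate times the duration of the storm (6 + 6/min x 3 min = 24 here), which is why a 1366-packet burst lands as a couple dozen lines in syslog.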