Last Updated: 2007-07-07 21:55:29 UTC
by Tom Liston (Version: 2)
No... it's not called "Global Thermonuclear War"... although that's a fun game too...
This game is called "What Are the Kidz Doing On Port 5151?"
Lookie here: http://isc.sans.org/port.html?port=5151
And, to top that off, we've seen peaks of interest in port 5151 in the past:
February, April, and August 2004
April, July, and December 2005
February and September of 2006
To play, simply click here and tell us what you think. Better still, set up a netcat listener and tell us what you find (or what finds you...)
Update: (by Kevin "Not Tom" Liston)
Daniel's Darknet (everyone should have one) spotted only backscatter from what appeared to be a denial of service (or possibly a brute-force attack) targeting a Chinese IP on ports 80, 110, and 389 (HTTP, POP3, and LDAP respectively). I checked my darknet and on 28-JUN-2007 I spotted similar activity targeting another Chinese IP.
Timothy and others have reported that netcat listeners have turned up no results. This implies that the scans are simply that: scans only for port TCP/5151.
Darren provides a potential "why" to our "who/what/where/when/why/how" construct with his link to an exploit targeting ESRI's ArcSDE which involves a buffer overflow on a service listening on TCP/5151. This happened to have been released 26-JUN-2007. The timing of events seems compelling. The published exploit doesn't check for headers; it simply opens the port and sprays.
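
A passive stand-in for the netcat listener suggested above, as an added example that is not part of the original diary: it accepts connections on TCP/5151, never replies, and records whether each client only completed the handshake or actually sent bytes. The function names, the 5-second wait and the 4096-byte cap are assumptions chosen for illustration.

```python
import hashlib
import socket
import time


def observe(conn, peer, wait=5.0, limit=4096):
    """Read whatever one client sends first, without ever replying."""
    conn.settimeout(wait)
    data = b""
    try:
        while len(data) < limit:
            chunk = conn.recv(limit - len(data))
            if not chunk:              # peer closed its side
                break
            data += chunk
    except OSError:                    # timeout or connection reset
        pass
    finally:
        conn.close()
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src": peer[0],
        # "connect-only" = handshake completed, nothing sent (a port scan)
        "kind": "payload" if data else "connect-only",
        "bytes": len(data),
        "sha256": hashlib.sha256(data).hexdigest() if data else None,
        "head": data[:32].hex(),       # first bytes, hex-encoded for the log
    }


def serve(port=5151, host="0.0.0.0", max_conns=None, wait=5.0):
    """Accept connections one at a time and print one record per client."""
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while max_conns is None or len(records) < max_conns:
            conn, peer = srv.accept()
            record = observe(conn, peer, wait)
            records.append(record)
            print(record)
    return records


if __name__ == "__main__":
    serve()
```

A SYN-only scan never completes the handshake and so never reaches `accept()`; pair the listener with a packet capture to see those probes.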