Request for Packets: Port 15454

Published: 2018-07-18
Last Updated: 2018-07-18 18:52:01 UTC
by Kevin Liston (Version: 2)
3 comment(s)

Starting 12-JUL-2018 the number of DShield participants reporting probes for port 15454 started to rise.  It popped up on the experimental trends report (https://isc.sans.edu/trends.html) yesterday.  Fellow handler Richard Porter thought it sounded like a "debugger port for an App" and after a quick jaunt to The Googles he returned with an old report that this port opens up when the Cloud9 IDE is doing its thing. (Source: https://stackoverflow.com/questions/39007572/cloud9-debugger-listening-on-port-15454)

We're curious if that initial guess is correct or not.  Are you seeing this as well?  Any pattern to the source or interesting tool marks?  Or better yet: Got Packets?

If so, hit us up on the contact form: https://isc.sans.edu/contact

 

UPDATE:

Looking at my own sensors, I see one source: 185.208.208.198.  It was looking for ports in the 15000 range.  So looking at the DShield logs for ports 15453, 15455, and 15456, around 15454, you see a similar uptick.  In addition to the 15000 ports, it was also hitting 22.
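
To check in your own firewall logs whether a source hitting 15454 cares about that port or is sweeping its neighbours, as in the update above, this added example (not part of the original diary) profiles each source's destination ports. It assumes netfilter LOG-style lines with SRC=, DPT= and PROTO= fields; the sample lines, the +/-5 window and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

PORT = 15454   # port from the diary
SPAN = 5       # assumption: "around 15454" means within +/-5 ports

# Constructed netfilter-LOG-style lines; addresses are documentation ranges.
SAMPLE_LOG = """\
Jul 18 10:00:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=15453
Jul 18 10:00:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=15454
Jul 18 10:00:03 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=15455
Jul 18 10:00:04 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=22
Jul 18 10:05:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=15454
Jul 18 10:05:09 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=15454
Jul 18 10:06:00 fw kernel: IN=eth0 SRC=198.51.100.99 DST=203.0.113.5 PROTO=TCP SPT=52000 DPT=443
Jul 18 10:07:00 fw kernel: IN=eth0 SRC=198.51.100.50 DST=203.0.113.5 PROTO=ICMP TYPE=8
"""

FIELD = re.compile(r"\b(SRC|DPT|PROTO)=(\S+)")

def parse(lines):
    """Yield (src, dport) for TCP lines; lines without a numeric DPT are skipped."""
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("PROTO") == "TCP" and "SRC" in f and f.get("DPT", "").isdigit():
            yield f["SRC"], int(f["DPT"])

def profile_sources(lines, port=PORT, span=SPAN):
    """For every source that touched `port`, list what else it probed."""
    hits = defaultdict(lambda: defaultdict(int))   # src -> dport -> packet count
    for src, dport in parse(lines):
        hits[src][dport] += 1
    report = {}
    for src, ports in hits.items():
        if port not in ports:
            continue                               # never touched the port of interest
        neighbours = sorted(p for p in ports if p != port and abs(p - port) <= span)
        others = sorted(p for p in ports if abs(p - port) > span)
        report[src] = {
            "packets_to_port": ports[port],
            "neighbours": neighbours,              # adjacent ports, e.g. 15453/15455
            "other_ports": others,                 # unrelated ports, e.g. 22
            "verdict": "sweep" if neighbours or others else "port-specific",
        }
    return report

if __name__ == "__main__":
    for src, info in profile_sources(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

A source reported as "sweep" with one packet per port matches the pattern described in the update; "port-specific" sources are the ones worth capturing packets from.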

Keywords: 15454

Comments

Hey Kevin! Yeah, I see the same IP. And searching my logs for that IP, I see it's probing lots of ports, but only one packet per port, and probably longer than the last 30 days. In my case they were all blocked because that IP is in the CINS-Bad-Guys list which my firewall uses (amongst others) to block bad actors. So I suspect that this one IP isn't doing anything specific to the uptick, I suspect they're just scanning all ports on a given IP...

But that's just a hunch...
I have packets & will gladly reach out.
Is there any context around the IP 185.208.208.198 other than some port probing?
