Starting 12-JUL-2018 the number of DShield participants reporting probes for port 15454 started to rise. It popped up on the experimental trends report (https://isc.sans.edu/trends.html) yesterday. Fellow handler Richard Porter thought it sounded like a "debugger port for an App" and after a quick jaunt to The Googles he returned with an old report that this port opens up when the Cloud9 IDE is doing its thing. (Source: https://stackoverflow.com/questions/39007572/cloud9-debugger-listening-on-port-15454) We're curious if that initial guess is correct or not. Are you seeing this as well? Any pattern to the source or interesting tool marks? Or better yet: Got Packets? If so, hit us up on the contact form: https://isc.sans.edu/contact
UPDATE: Looking at my own sensors, I see one source, 185.208.208.198. It was looking for ports in the 15000 range. So looking at the DShield logs for ports 15453, 15455, and 15456 around 15454, you see a similar uptick. In addition to the 15000 ports it was also hitting 22.
Kevin Liston 289 Posts ISC Handler
Jul 18th 2018 7 months ago
Hey Kevin! Yeah, I see the same IP. And searching my logs for that IP, I see it's probing lots of ports, but only one packet per port, and probably longer than the last 30 days. In my case they were all blocked because that IP is in the CINS-Bad-Guys list which my firewall uses (amongst others) to block bad actors. So I suspect that this one IP isn't doing anything specific to the uptick, I suspect they're just scanning all ports on a given IP...
But that's just a hunch...
Brent 112 Posts
Jul 19th 2018 7 months ago
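The two checks discussed above (the diary's look at neighbouring ports 15453-15456 on a sensor, and Brent's observation of one source sending a single packet to each of many ports) can be run over exported firewall or DShield-style logs. The following is an added example, not code from the ISC diary or its commenters; the log layout (`date time src sport dst dport proto`) and the sample lines are constructed for the example, with the source IP taken from the thread and documentation-range destination addresses.

```python
# Added example: summarise probe logs by destination port range and flag
# single-source port sweeps (many distinct ports, at most one packet each).
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


# Constructed sample log lines (assumed layout: date time src sport dst dport proto).
# Real DShield or firewall exports differ; adapt parse_line() to your format.
SAMPLE_LOG = """\
2018-07-12 03:14:15 185.208.208.198 41234 198.51.100.7 15453 TCP
2018-07-12 03:14:16 185.208.208.198 41235 198.51.100.7 15454 TCP
2018-07-12 03:14:17 185.208.208.198 41236 198.51.100.7 15455 TCP
2018-07-12 03:14:18 185.208.208.198 41237 198.51.100.7 15456 TCP
2018-07-12 03:14:19 185.208.208.198 41238 198.51.100.7 22 TCP
2018-07-12 03:20:01 203.0.113.9 51000 198.51.100.7 22 TCP
2018-07-12 03:20:02 203.0.113.9 51001 198.51.100.7 22 TCP
2018-07-12 03:20:03 203.0.113.9 51002 198.51.100.7 22 TCP
2018-07-12 03:21:00 203.0.113.9 51003 198.51.100.7 15454 TCP
"""


def parse_line(line):
    """Parse one log line into a Hit, or return None for malformed lines."""
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time, src, sport, dst, dport, proto = fields
    return Hit(f"{date} {time}", src, int(sport), dst, int(dport), proto)


def parse_log(text):
    """Parse all well-formed lines of a log export."""
    return [h for h in (parse_line(l) for l in text.splitlines()) if h]


def hits_per_port(hits, low, high):
    """Packets per destination port within [low, high]; this is the
    'look at the neighbouring ports' check from the diary update."""
    counts = defaultdict(int)
    for h in hits:
        if low <= h.dport <= high:
            counts[h.dport] += 1
    return dict(counts)


def find_port_sweeps(hits, min_ports=4):
    """Sources that touched at least min_ports distinct destination ports
    with no more than one packet per port. A focused brute-force against a
    single service (many packets to one port) is deliberately not matched.
    Returns {src: (distinct_ports, total_packets)}."""
    per_src = defaultdict(lambda: defaultdict(int))
    for h in hits:
        per_src[h.src][h.dport] += 1
    sweeps = {}
    for src, ports in per_src.items():
        if len(ports) >= min_ports and max(ports.values()) == 1:
            sweeps[src] = (len(ports), sum(ports.values()))
    return sweeps


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    print("hits on 15453-15456:", hits_per_port(hits, 15453, 15456))
    print("port sweeps:", find_port_sweeps(hits))
```

On the constructed sample the sweep detector reports only 185.208.208.198 (five ports, five packets), while 203.0.113.9, which sent three packets to port 22, is left out; that distinction is what separates a broad scan from interest in one specific service.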
I have packets & will gladly reach out.
BerliN12459 2 Posts
Aug 1st 2018 6 months ago
Is there any context around the IP 185.208.208.198 other than some port probing?
Anonymous
Aug 1st 2018 6 months ago