Even port scanners are boring...
After setting up a virtual private server with the people at rimuhosting.com, I was curious to see what a box like that has to deal with as far as port scanners go.
To find out, I ran tcpdump for 24 hours, without any filtering:
24 hours later, I terminated the tcpdump process and filtered out some of the known traffic, such as my machine at home, and some others, and I only looked for 'SYN' packets.
That resulted in a file of only 2159 lines. Those lines were formatted as so:
This gave me the originating IP, with its TCP port number, as well as the destination IP and port number.
First step: extract all the destination ports:
With all destination ports safely in a file, I can now summarize:
Which leads to
Nothing surprising here; port 80 is where my web server lives and port 25 is my (outgoing!) mail. Port 5900 is VNC, which is know of its many issues. 1433 is an old friend (SQL Server) and is still scanned a lot. From this point on. it quickly becomes less interesting: 135 and 139 are Microsoft Windows Ports, 1080 is Socks (looking for an open proxy?) 445 is more Microsoft; 443 is HTTP over SSL (looking for proxies?), 8080 is more proxy searches, 3306 is MySQL, 21 is FTP (as if :), The rest of the ports doesn't really count.
Let's soon in on 2967 and on 22. Starting with the latter one, it is well known that SSH bruteforce scanning is very popular at the moment. My 36 scans originated from 9 hosts
I have set up IP port filtering to only allow incoming SSH connections from a few trusted IP addresses, so these attempts all died before they even began.
The second batch is for port 2967, which is the only one that I did not know.
THis one is more interesting; while only two of the SSH scans originated from the USA, 7 out of 10 scans for port 2967 come from the USA. Port 2967 is used by Symantec System Center, and DShield has an interesting graph about it too. The remark that especially colleges are targeted is not something that I see from my brief analysis; not one of the originating IP addresses belonged to a school.
All in all, it seems like there isn't really all that much going on in portscanning-land.
Maybe I'll try this again some day on my home box.
To find out, I ran tcpdump for 24 hours, without any filtering:
sudo tcpdump -nUi eth0 -w tcpdump.log
24 hours later, I terminated the tcpdump process and filtered out some of the known traffic, such as my machine at home, and some others, and I only looked for 'SYN' packets.
/usr/sbin/tcpdump -nr tcpdump.log -l '(not host xx.xx.210.33) and \
(not host xx.xs4all.nl) and (tcp[tcpflags] & tcp-syn != 0) and \
(tcp[tcpflags] & tcp-ack = 0)' |egrep -o '([0-9.]+ > [0-9.]+)' > tcpdump.txt
That resulted in a file of only 2159 lines. Those lines were formatted as so:
xx.yy.196.35065 > aa.bb.224.141.80
This gave me the originating IP, with its TCP port number, as well as the destination IP and port number.
First step: extract all the destination ports:
awk '{print $3}' tcpdump.tmp |cut -d. -f5 |sort -n |uniq > ports.txtWith all destination ports safely in a file, I can now summarize:
for i in $(cat ports.txt); \
do \
n=$(egrep "\.$i\$" tcpdump.tmp |wc -l); \
echo "$i=$n" ; \
done |sort -t = -k 2 -rn
Which leads to
80=1731
25=64
2967=62
5900=51
1433=50
22=36
135=29
139=24
1080=22
445=19
443=13
8080=7
3306=4
21=4
10000=4
8395=3
4899=3
6900=2
6348=1
43=1
2968=1
2222=1
113=1
Nothing surprising here; port 80 is where my web server lives and port 25 is my (outgoing!) mail. Port 5900 is VNC, which is know of its many issues. 1433 is an old friend (SQL Server) and is still scanned a lot. From this point on. it quickly becomes less interesting: 135 and 139 are Microsoft Windows Ports, 1080 is Socks (looking for an open proxy?) 445 is more Microsoft; 443 is HTTP over SSL (looking for proxies?), 8080 is more proxy searches, 3306 is MySQL, 21 is FTP (as if :), The rest of the ports doesn't really count.
Let's soon in on 2967 and on 22. Starting with the latter one, it is well known that SSH bruteforce scanning is very popular at the moment. My 36 scans originated from 9 hosts
awk '/\.22$/{print $1}' tcpdump.tmp |sed -r 's/\.[0-9]+$//g' |sort |uniq
x.214.29.173 (Japan)
x.215.190.134 (Taiwan)
x.50.197.234 (USA)
x.108.231.56 (China)
x.130.189.223 (China)
x.143.10.5 (China)
x.78.145.92 (USA)
x.149.219.232 (UK)
x.42.7.23 (Romania)
I have set up IP port filtering to only allow incoming SSH connections from a few trusted IP addresses, so these attempts all died before they even began.
The second batch is for port 2967, which is the only one that I did not know.
awk '/\.2967$/{print $1}' tcpdump.tmp |sed -r 's/\.[0-9]+$//g' |sort |uniq
x.22.79.222 (China)
x.139.58.112 (China)
x.241.178.220 (China)
x.142.132.9 (USA)
x.19.186.202 (USA)
x.19.188.118 (USA)
x.231.2.33 (USA)
x.233.213.29 (USA)
x.243.227.28 (USA)
x.30.98.53 (USA)
THis one is more interesting; while only two of the SSH scans originated from the USA, 7 out of 10 scans for port 2967 come from the USA. Port 2967 is used by Symantec System Center, and DShield has an interesting graph about it too. The remark that especially colleges are targeted is not something that I see from my brief analysis; not one of the originating IP addresses belonged to a school.
All in all, it seems like there isn't really all that much going on in portscanning-land.
Maybe I'll try this again some day on my home box.