Delivered-To: freebsd-security@freebsd.org
Message-ID: <003001c175c3$0c81a4e0$0b01a8c0@lc.ca.gov>
From: "Drew Tomlinson"
Subject: Port 1214 - Is It Used For A Specific Purpose?
Date: Sun, 25 Nov 2001 07:08:33 -0800

I was looking over my firewall logs this morning and noticed that there are many attempts to connect to TCP port 1214 from different addresses. I've searched the web but found no specific mention of any standard purpose for this port. I suppose this is some sort of scan but was just wondering if anyone knows exactly what this is?

I included a snip of my log from two complete attempts. It's probably more than is needed but I thought maybe someone might see a pattern that I'm missing.

Thanks,

Drew

P.S. 192.168.10.2 is my outside interface to my firewall.
I know it is a private address but it's OK as my ADSL modem/router gets a public address from my ISP via DHCP and performs NAT for the rest of my machines.

> ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1043 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1043 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1043 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1057 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1057 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1057 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1043 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 141.157.125.23:1057 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1853 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1854 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1854 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1853 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1854 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1853 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1854 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:1853 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2282 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2282 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2282 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2282 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2283 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2283 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2283 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2283 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2355 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2355 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2355 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2355 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2362 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2362 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2362 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2362 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2447 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2447 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2447 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2447 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 172.191.120.23:2453 192.168.10.2:1214 in via ed1
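
Added example, not part of the original message: one way to look for the pattern asked about is to collapse ipfw log entries of the quoted form into per-source counts of distinct source ports and total packets. The function names and the sample log are constructed for illustration, and treating repeated lines with the same source port as one retried connection attempt is an assumption.

```python
import re
from collections import defaultdict

# Entry format as quoted in the message, e.g.
#   ipfw: 65500 Deny TCP 141.157.125.23:1042 192.168.10.2:1214 in via ed1
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def summarize(lines, action="Deny"):
    """Return {(src, dport): {sport: hits}} for entries with the given action.

    Entries sharing a source port are counted as repeats of one attempt
    (assumption: the client retrying a packet that was dropped unanswered).
    """
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.search(line)
        if m is None or m["action"] != action:
            continue  # not an ipfw entry in this format, or another action
        summary[(m["src"], int(m["dport"]))][int(m["sport"])] += 1
    return {key: dict(ports) for key, ports in summary.items()}

def report(summary):
    """Rows of (src, dport, distinct attempts, total packets), busiest first."""
    rows = [(src, dport, len(ports), sum(ports.values()))
            for (src, dport), ports in summary.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample in the same format (documentation addresses), keeping
# the "> " quoting prefix and one unrelated line that must be skipped.
SAMPLE = """\
> ipfw: 65500 Deny TCP 198.51.100.7:1042 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 198.51.100.7:1043 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 198.51.100.7:1042 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 198.51.100.7:1043 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 198.51.100.7:1042 192.168.10.2:1214 in via ed1
> sshd[311]: Connection closed by 198.51.100.7
> ipfw: 65500 Deny TCP 203.0.113.9:2282 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 203.0.113.9:2282 192.168.10.2:1214 in via ed1
> ipfw: 65500 Deny TCP 203.0.113.9:2282 192.168.10.2:1214 in via ed1
"""

if __name__ == "__main__":
    for row in report(summarize(SAMPLE.splitlines())):
        print("%-16s dport=%-5d attempts=%d packets=%d" % row)
```
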