
I have been getting various attempts to connect to ports on my Shorewall firewall. The ports that I keep seeing connection attempts at are TCP 44444, TCP 44446, UDP 55555 and every now and then some slight variation. I ran "netstat -a" and did not see anything listening on those ports. Is this something that I should be worried about or is it just some rogue computers out there? I have noticed a lot of the IP addresses are from Spain and Mexico.

May 25 18:39:35 Takkun kernel: [62516.626514] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:d0:b7:65:d4:13:34:ef:xx:xx:xx:81:08:00 SRC=200.124.9.113 DST=72.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=51796 DF PROTO=TCP SPT=2071 DPT=44446 WINDOW=16384 RES=0x00 SYN URGP=0
May 25 18:39:52 Takkun kernel: [62535.433285] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:d0:b7:65:d4:13:34:ef:xx:xx:xx:81:08:00 SRC=72.50.95.174 DST=72.xxx.xxx.xxx LEN=90 TOS=0x00 PREC=0x00 TTL=105 ID=31130 PROTO=UDP SPT=59505 DPT=55555 LEN=70
May 25 18:40:05 Takkun kernel: [62548.963413] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:d0:b7:65:d4:13:34:ef:xx:xx:xx:81:08:00 SRC=77.12.37.1 DST=72.xxx.xxx.xxx LEN=90 TOS=0x00 PREC=0x00 TTL=108 ID=9585 PROTO=UDP SPT=20401 DPT=55555 LEN=70

That is the gist of what I'm seeing.

1 Answer

Looks like a computer is trawling the net for computers injected with trojans.

For example, see this Perl script.

If you are not infected, you have nothing to worry about.

  • OK, it just seems like a high amount of attempts coming from a certain provider. I guess the best option for me would be to silently drop those packets or blacklist that provider.
    – Shikoru
    Commented May 26, 2010 at 8:03
  • Sounds like a reasonable plan
    Commented May 26, 2010 at 8:06
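
A way to triage drops like the ones in the question, as an added example that is not part of the original post or its answer: it parses Shorewall's kernel log lines and counts distinct sources per destination port and dropped packets per source network. The function names and the /16 grouping are assumptions made for illustration; the sample input is the three log lines quoted in the question.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# The three log lines posted in the question (addresses masked by the asker).
SAMPLE_LOG = """\
May 25 18:39:35 Takkun kernel: [62516.626514] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:d0:b7:65:d4:13:34:ef:xx:xx:xx:81:08:00 SRC=200.124.9.113 DST=72.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=51796 DF PROTO=TCP SPT=2071 DPT=44446 WINDOW=16384 RES=0x00 SYN URGP=0
May 25 18:39:52 Takkun kernel: [62535.433285] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:d0:b7:65:d4:13:34:ef:xx:xx:xx:81:08:00 SRC=72.50.95.174 DST=72.xxx.xxx.xxx LEN=90 TOS=0x00 PREC=0x00 TTL=105 ID=31130 PROTO=UDP SPT=59505 DPT=55555 LEN=70
May 25 18:40:05 Takkun kernel: [62548.963413] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:d0:b7:65:d4:13:34:ef:xx:xx:xx:81:08:00 SRC=77.12.37.1 DST=72.xxx.xxx.xxx LEN=90 TOS=0x00 PREC=0x00 TTL=108 ID=9585 PROTO=UDP SPT=20401 DPT=55555 LEN=70
"""

# Default Shorewall log prefix: "Shorewall:<chain>:<disposition>:", then netfilter KEY=VALUE fields.
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return one logged packet as a dict, or None if the line is not usable."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD.findall(line[m.end():]):
        fields.setdefault(key, value)  # UDP lines repeat LEN; keep the first (IP-level) one
    if not {"SRC", "PROTO", "DPT"} <= fields.keys():
        return None  # e.g. ICMP entries carry no DPT
    return {"chain": m["chain"], "action": m["action"], "src": fields["SRC"],
            "proto": fields["PROTO"], "dpt": int(fields["DPT"])}

def summarise(log_text, prefix_len=16):
    """Group DROP entries by destination port and by source network."""
    by_port = defaultdict(set)  # (proto, dport) -> distinct source addresses
    by_net = Counter()          # source network -> number of dropped packets
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "DROP":
            continue
        by_port[(ev["proto"], ev["dpt"])].add(ev["src"])
        # Assumption: a /16 is only a rough stand-in for "one provider".
        by_net[str(ip_network(f"{ev['src']}/{prefix_len}", strict=False))] += 1
    return by_port, by_net

if __name__ == "__main__":
    ports, nets = summarise(SAMPLE_LOG)
    for (proto, dpt), sources in sorted(ports.items()):
        print(f"{proto}/{dpt}: {len(sources)} distinct source(s)")
    for net, hits in nets.most_common():
        print(f"{net}: {hits} dropped packet(s)")
```

Run over a full day of logs, the per-port source counts show whether a port is being hit from many unrelated addresses, and the per-network counts show whether one range accounts for enough of the drops to be worth a blacklist entry.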
