Constant activity in firewall router at port 15881
Fresh-Faced Recruit
Join Date: Jan 2003
Status: Offline
Sep 3, 2003, 04:46 PM
 
I've recently noticed more activity in my cable modem connection and turned on logging on my Linksys BEFW11S4. It seems that I'm getting constantly contacted by many different IP addresses from different ports but always into my IP address' port 15881. I can't find any information regarding this port -- it's not a typical port for attacks it would seem. Can you pls help me decipher this? Below is a typical line from my Linksys log:

[02/Sep/03 20:14:49] @in 24.43.219.202 11279 my.cable.ip.addr 15881

Any help would be appreciated. Thanks.

Miguel
     
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
Status: Offline
Sep 3, 2003, 07:05 PM
 
It's not an IANA-assigned port, so no legitimate service likely uses it as a listener port. Run netstat to see if you are even listening on the port in question (likely you're not). On a side note, there's at least one new or modified backdoor program found and reported in the wild every day that may or may not gain any real publicity. They usually don't unless they are dropped by some nasty worm. It's possible, and wouldn't surprise me, that some people are looking for an open root shell or something to that effect, but that is a conjecture on my part. If you're not listening on that port and remote devices cannot reach that port, I would not worry about it all that much.
     
Fresh-Faced Recruit
Join Date: Jan 2003
Status: Offline
Sep 3, 2003, 09:04 PM
 
Thanks for the reply... Yes, I saw that it was not in the well known port list. For sure I'm not letting this port forward through to any one of my hosts inside my private LAN (NAT), so my only concern is whether this is making my router work overtime or is consuming some of my precious bandwidth.

Maybe by changing IP addresses I can get rid of it? I've requested another IP from my provider (normally DHCP), but they claim that I have to keep the cable modem off for at least 72 hours for the DHCP server to give me another address.

Thanks for the input.

Regards,

Miguel
     
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
Status: Offline
Sep 3, 2003, 09:35 PM
 
Depends on how widespread the scanning is (depends on sources). The ISP's claim that it will take 72 hours of downtime is not surprising insofar as how DHCP operates to get a new address. Being that it is probably not an automated action like an increase in activity via a self-propagating vector of malicious traffic, I would ride it out. Scans go on every day for all sorts of things on broadband and dialup networks. You will see all sorts of anomalous traffic all day. Or I do anyway.

So you can either ride it out until so and so passes by your public IP addr or shut down for a few days and change addrs, but you may see it again soon. They both suck, but that is the reality of it.
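
How widespread the inbound traffic is (distinct sources, hits per minute) can be read off the router log by tallying it per destination port. The following is an added example, not part of any post in this thread; it assumes every log line follows the single format quoted in the first post, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Format as shown in the post: [DD/Mon/YY HH:MM:SS] @in SRC_IP SRC_PORT DST_IP DST_PORT
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+@(?P<dir>\w+)\s+(?P<src>\S+)\s+(?P<sport>\d+)"
    r"\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%y %H:%M:%S")
    except ValueError:
        return None
    return {"ts": ts, "dir": m["dir"], "src": m["src"], "dport": int(m["dport"])}

def summarize_inbound(lines):
    """Per destination port: hit count, distinct source IPs, hits per minute."""
    ports = defaultdict(lambda: {"hits": 0, "sources": set(), "first": None, "last": None})
    for rec in filter(None, map(parse_line, lines)):
        if rec["dir"] != "in":  # only "@in" appears on the page; skip anything else
            continue
        p = ports[rec["dport"]]
        p["hits"] += 1
        p["sources"].add(rec["src"])
        p["first"] = min(p["first"] or rec["ts"], rec["ts"])
        p["last"] = max(p["last"] or rec["ts"], rec["ts"])
    for p in ports.values():
        # Floor the window at one minute so a single hit does not divide by zero.
        minutes = max((p["last"] - p["first"]).total_seconds() / 60, 1.0)
        p["per_minute"] = p["hits"] / minutes
    return dict(ports)

# Constructed sample: first line is from the post; the rest are made up (RFC 5737 addresses).
SAMPLE = """\
[02/Sep/03 20:14:49] @in 24.43.219.202 11279 my.cable.ip.addr 15881
[02/Sep/03 20:14:52] @in 192.0.2.17 4312 my.cable.ip.addr 15881
[02/Sep/03 20:15:10] @in 198.51.100.8 2190 my.cable.ip.addr 15881
[02/Sep/03 20:15:31] @in 192.0.2.17 4313 my.cable.ip.addr 15881
[02/Sep/03 20:16:49] @in 203.0.113.40 3777 my.cable.ip.addr 135
garbage line that should be skipped
""".splitlines()

if __name__ == "__main__":
    for port, s in summarize_inbound(SAMPLE).items():
        print(port, s["hits"], len(s["sources"]), round(s["per_minute"], 1))
```

Many distinct sources hitting one port at a low per-minute rate is negligible bandwidth; whether any of it matters still depends on the netstat check for a listener on that port.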