Glossary of Weird Log Things
Here is a list, in no particular order, of odd-looking things you might find in your network logs, and what they are. Many firewall/gateway applications, like IPCop, report the service assigned to the port, like this:
Service: cap (UDP/1026) (INPUT,eth1,none) - 1 packet
But the service name may not be accurate because packets can be spoofed, and UDP packets are especially easy to forge. And just because IANA hands out official port assignments doesn’t mean that everyone will obey. Certainly not the sort of folks who wish to misuse your systems. The only way to find out is to capture and read the packets. If you’re not running the service in question go ahead and block it.
• Exosee (TCP/UDP 1027)
Yet another peer-to-peer file sharing program. Chances are it’s not an Exosee user trying to connect to you, but some Windows Messenger Popup spam, which attacks UDP ports 1026, 1027, and 1028.
• cap, Calendar Access Protocol (UDP 1026)
Most likely this is Windows Messenger Popup spam, just like Exosee.
• Monkeycom (TCP/UDP 9898, 5554, 3127)
This is related to the Sasser, MyDoom, and Dabber worms. MonkeyCom is a file transfer and videophone program, as near as I can tell from the Babelfish translation of the MonkeyCom product page.
• Dameware (TCP 6129)
Dameware is a nice remote desktop for Windows. It had a serious vulnerability that was fixed long ago, but lots of folks still find Dameware probes in their firewall logs.
• netbios-ns (TCP/UDP 137)
Lucky are you if your logs are not clogged with this one, because Microsoft’s NetBIOS SMB service is a favorite target of l33t crackers everywhere: Nimda, Code Red, SirCam, and Opaserv are but a few of the malware programs released to exploit this. Also watch for probes on ports 138, 139, and 445.
• radmin (TCP 4849)
Remote desktop for Windows. This is a powerful and useful app, but in its default configuration an attacker only needs to guess the password, so it is a popular target.
If you’re not running any of these servers, it’s either a wrong number or someone looking for entry into your system:
• FTP (TCP 21)
File transfer protocol, like WU-FTPD, vsftpd, MS IIS, ProFTPD.
• HTTP (TCP 80)
Web server, like Apache, MS IIS, Roxen, Stronghold.
• SSH (TCP 22)
Secure shell, like OpenSSH.
• SMTP (TCP 25)
Mail server, like Postfix, Exim, Sendmail.
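The glossary above can be applied to a whole log at once. The script below is an added example, not part of the original article: it parses summary lines in the format quoted at the top, totals packets per port, and annotates each port with the glossary's reading instead of trusting the printed service name. The `triage` function, its `running` parameter, and all sample lines after the first are assumptions made for illustration.

```python
import re
from collections import Counter
# Summary-line format quoted in the article, e.g.
#   Service: cap (UDP/1026) (INPUT,eth1,none) - 1 packet
LINE_RE = re.compile(
    r"Service:\s+(?P<name>\S+)\s+\((?P<proto>TCP|UDP)/(?P<port>\d+)\)"
    r"\s+\([^)]*\)\s+-\s+(?P<count>\d+)\s+packets?")

# Subset of the glossary: what a port's traffic usually is, whatever name is printed.
NOTES = {}
for protos, ports, note in [
    (("UDP",), (1026, 1027, 1028), "likely Windows Messenger popup spam"),
    (("TCP", "UDP"), (9898, 5554, 3127), "Sasser/MyDoom/Dabber worm related"),
    (("TCP",), (6129,), "Dameware probe"),
    (("TCP", "UDP"), (137, 138, 139, 445), "NetBIOS/SMB probe"),
]:
    NOTES.update({(pr, po): note for pr in protos for po in ports})

def triage(lines, running=()):
    """Packet totals per (proto, port); returns (report, unparsed_lines)."""
    # `running` (hypothetical parameter): (proto, port) pairs this host really serves
    packets, names, unparsed = Counter(), {}, []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            unparsed.append(line)  # keep for review, never silently drop
            continue
        key = (m["proto"], int(m["port"]))
        packets[key] += int(m["count"])
        names[key] = m["name"]
    report = []
    for key, count in packets.most_common():
        if key in running:
            verdict = "service runs here: capture and read the packets"
        else:
            verdict = NOTES.get(key, "not in glossary: look the port up")
            verdict += "; service not running here, so block"
        report.append((key, names[key], count, verdict))
    return report, unparsed
# First line is the article's own example; the rest are constructed samples.
SAMPLE = """Service: cap (UDP/1026) (INPUT,eth1,none) - 1 packet
Service: exosee (UDP/1027) (INPUT,eth1,none) - 4 packets
Service: ssh (TCP/22) (INPUT,eth1,none) - 12 packets
Service: cap (UDP/1026) (INPUT,eth1,none) - 2 packets
Service: netbios-ns (UDP/137) (INPUT,eth1,none) - 7 packets
not a summary line""".splitlines()

if __name__ == "__main__":
    for row in triage(SAMPLE, running={("TCP", 22)})[0]:
        print(row)
```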
Looking Up Other Ports
This is just a sampling of the more popular weirdo log entries. Be sure to visit the indispensable SANS (SysAdmin, Audit, Network, Security) Institute’s Internet Storm Center for information on worldwide trends and activity. Even better, you may look up specific port numbers and IPs in their extensive online database.
- My fave, most common-sense security guru is Bruce Schneier.
- Fyodor shares his vast knowledge about penetrating networks. Indispensable for the network admin.
Carla Schroder is a regular contributor to ServerWatch.com and EnterpriseNetworkingPlanet.com.