Port 21816 attempts

From: Rob Zietlow (zietlowat_private)
Date: Thu Aug 30 2001 - 20:38:08 PDT

Next message: SVaterat_private: "Re: Code Red - A Possible Origin?"

Previous message: Bjørn Augestad: "Strange debug output (HTTP)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I was going through my logs today and saw in a 2 hour period 53 attempts at 
port 21816.  I tried doing a google search on 21816, I tried a security focus 
search but the search feature was down.  Has anyone seen attempts on this 
port and have any clue what it is.  They are all tcp connections.  coming 
mostly from the city I live in. Both on cable and DSL.   Here are some logs 
at the bottom of this email message.   

Has anyone seen anything similar to this on this port?  I was sleeping at the 
time to take a look at any packets.  If you need/want any more info I can 
give it to you. 

Thanks for the help

Rob Zietlow


Aug 30 18:31:17 wiggum ipmon[89]: 18:31:17.235172 2x xl0 @0:9 
XXXXXX-a.mdsn1.wi.home.com,63836 -> XXXXXXa.mdsn1.wi.home.com,21816 PR 
tcp len 20 48 -S 90090261 0 8192 IN 
Aug 30 18:31:18 wiggum ipmon[89]: 18:31:18.205216 2x xl0 @0:9 b 
xxxxxx-a.mdsn1.wi.home.com,63836 -> xxxxxx-a.mdsn1.wi.home.com,21816 PR 
tcp len 20 48 -S 90090261 0 8192 IN 
Aug 30 18:32:11 wiggum ipmon[89]: 18:32:11.114157 xl0 @0:9 b 
xxxxxx-a.mdsn1.wi.home.com,63837 -> xxxxxx-a.mdsn1.wi.home.com,21816 PR 
tcp len 20 48 -S 90144173 0 8192 IN 
Aug 30 18:32:12 wiggum ipmon[89]: 18:32:11.589329 2x xl0 @0:9 b 
xxxxxx-a.mdsn1.wi.home.com,63837 -> xxxxxx-a.mdsn1.wi.home.com,21816 PR 
tcp len 20 48 -S 90144173 0 8192 IN 
Aug 30 18:32:13 wiggum ipmon[89]: 18:32:12.589891 xl0 @0:9 b 
xxxxxx-a.mdsn1.wi.home.com,63837 -> xxxxxx-a.mdsn1.wi.home.com,21816 PR 
tcp len 20 48 -S 90144173 0 8192 IN 
Aug 30 18:33:14 wiggum ipmon[89]: 18:33:13.530778 2x xl0 @0:9 b 
xxxxxx-a.mdsn1.wi.home.com,63838 -> xxxxxx-a.mdsn1.wi.home.com,21816 PR 
tcp len 20 48 -S 90206609 0 8192 IN 
Aug 30 18:33:15 wiggum ipmon[89]: 18:33:14.470760 2x xl0 @0:9 b 
xxxxxx-a.mdsn1.wi.home.com,63838 -> xxxxxx-a.mdsn1.wi.home.com,21816 PR 
tcp len 20 48 -S 90206609 0 8192 IN 
Aug 30 18:35:10 wiggum ipmon[89]: 18:35:09.983313 xl0 @0:9 b 
xxxxxx-a.mdsn1.wi.home.com,63839 -> xxxxxx-a.mdsn1.wi.home.com,21816 PR 
tcp len 20 48 -S 90323097 0 8192 IN 
Aug 30 18:35:11 wiggum ipmon[89]: 18:35:10.441009 2x xl0 @0:9 b 
xxxxxx-a.mdsn1.wi.home.com,63839 -> xxxxxx-a.mdsn1.wi.home.com,21816 PR 
tcp len 20 48 -S 90323097 0 8192 IN 
Aug 30 18:35:11 wiggum ipmon[89]: 18:35:11.438590 xl0 @0:9 b 
xxxxxx-a.mdsn1.wi.home.com,63839 -> xxxxxx-a.mdsn1.wi.home.com,21816 PR 
tcp len 20 48 -S 90323097 0 8192 IN 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: SVaterat_private: "Re: Code Red - A Possible Origin?"
Previous message: Bjørn Augestad: "Strange debug output (HTTP)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Sep 01 2001 - 10:49:05 PDT