I've been watching my logs (Ubuntu 9.10 server) and dunno about any of you but I am getting a ton of traffic from sources like Russia, Romania, etc. on port 11370 (my iptables are logndrop'ing it. But was just curious).
Some googling revealed this info:
http://www.keysigning.org/sks/ - which seems to use ports 11370 & 11371
Could that be the service they are scanning for (I don't run it)?
ISC shows this: https://isc.incidents.org/port.html?port=11370
Just curious what you guys think and if anyone has seen this before? If need be I can post my log on here, but it's just a dropped log of TCP port 11370 from various IPs.
Thought it was strange as that's the ONLY port I seem to repeatedly be hit on (from logs).
I'm running on a Linode (VPS) if that matters to anyone.
Open (socat -v tcp-l:11370,reuseaddr -) this port and watch what goes to it. Alternatively, redirect the traffic somewhere to analyse using iptables.
/* Note: comments and votes were for other, shorter formulation */
Maybe this is some new zero-day exploit on a service that runs on that, or some kind of backdoor RAT. Check out http://www.dshield.org/trends.html. Consider offering your firewall logs to them.
If you are on your server and want to check if a process is listening on that port, just do
netstat -l -p -d | grep 11370
Also, if you see unknown port numbers, doing
cat /etc/services | grep 11370
comes up blank on my machine.
I think (if it's still available) tcpview.exe on Windows does the same job.
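To check the question's observation that 11370 is the only port being hit repeatedly, and how many distinct sources are behind it, the dropped-packet log can be tallied by destination port. This is an added example, not code from anyone in the thread; it assumes the KEY=value layout written by the iptables LOG target, and the "LOGNDROP: " prefix, addresses and sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: documentation addresses, hypothetical "LOGNDROP: " prefix.
_FMT = ("Feb  3 04:12:{n:02d} host kernel: [1001.{n:02d}] LOGNDROP: IN=eth0 OUT= "
        "MAC=00:00:5e:00:53:01 SRC={src} DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 "
        "TTL=49 ID={n} DF PROTO=TCP SPT=4{n:04d} DPT={dpt} WINDOW=5840 RES=0x00 "
        "{flags} URGP=0")
_PACKETS = [("203.0.113.7", 11370, "SYN"), ("198.51.100.23", 11370, "SYN"),
            ("203.0.113.7", 11370, "SYN"), ("198.51.100.99", 11370, "SYN"),
            ("203.0.113.50", 22, "SYN"), ("198.51.100.23", 11370, "ACK RST")]
SAMPLE_LINES = [_FMT.format(n=i, src=s, dpt=d, flags=f)
                for i, (s, d, f) in enumerate(_PACKETS)]
SAMPLE_LINES.append("Feb  3 04:12:09 host sshd[812]: Server listening on 0.0.0.0 port 22.")

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return the KEY=value fields of one iptables LOG line, or None."""
    fields = dict(FIELD.findall(line))
    if "SRC" not in fields or not fields.get("DPT", "").isdigit():
        return None  # not a packet log line, or a protocol without ports (ICMP)
    return fields

def summarize(lines):
    """Tally hits, distinct sources and bare-SYN packets per (proto, dport)."""
    stats = defaultdict(lambda: {"hits": 0, "sources": set(), "syn_only": 0})
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        entry = stats[(fields.get("PROTO", "?"), int(fields["DPT"]))]
        entry["hits"] += 1
        entry["sources"].add(fields["SRC"])
        flags = line.split()
        if "SYN" in flags and "ACK" not in flags:  # new connection attempt
            entry["syn_only"] += 1
    return stats

def ranked(stats):
    """Rows of (proto, dport, hits, distinct_sources, syn_only), busiest first."""
    rows = [(proto, port, e["hits"], len(e["sources"]), e["syn_only"])
            for (proto, port), e in stats.items()]
    return sorted(rows, key=lambda r: (-r[2], r[1]))

if __name__ == "__main__":
    for row in ranked(summarize(SAMPLE_LINES)):
        print("%s dport=%d hits=%d sources=%d syn_only=%d" % row)
```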