Every now and then my pfSense firewall logs going to a Splunk server using A3sec’s TA show a spike of blocked traffic. One tonight shows 115 count of port 33435, 33437, 33434, 33438, 33439, 33436, all from IPs rotating so that only 6 attempts are done from each IP. I’m surprised at the lack of info I’m finding on Google, but if this is just traceroute am I just on the receiving end of Shodan or some other outfit doing its job?
Probs just bots driving by testing if you left your doors unlocked.
Could be anyone. Lots of people regularly portscan the entire internet these days. It’s been possible for regular people to do that for over 5 years now.
I used to log all the blocked connections from my modem… IPs from every country would show up…
Hence I mention Shodan, and surely every AV company, half-baked security firm and ‘lone wolf’ researchers would contribute to this. But interestingly I think I have it narrowed down to the same place in Russia, maybe a legit firm as they have a very healthy security industry (not just blackhats).
@Baz yep, IMO I open myself up to being a more targeted IP to scan because I have a web server. I think when ‘initial’ scans are run and it’s seen that http, https and email ports are open, that IP becomes of more interest. If they are looking at the server OS and what I’m running on top of it, I’m sure it’s an appealing target to recruit into a botnet.
Welp, kudos to A3sec, their dashboard is good, and the field extraction and tagging is 1337. I added the missile app into the mix just to have the super cool Norse-map-like look on my dashboard. To think all of this is free - what a time to be alive.
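
The pattern described in the first post (a handful of probes per source on ports 33434 to 33439) can be checked against classic UDP traceroute behaviour. The following is an added example, not part of the thread; the record layout, function names and sample addresses are constructed, and it assumes the traceroute defaults of base port 33434, 3 probes per hop and 30 hops.

```python
from collections import defaultdict

# Classic UDP traceroute defaults (assumption stated in the lead-in):
# probes start at destination port 33434 and increment by one per probe.
BASE_PORT = 33434
MAX_PORT = BASE_PORT + 3 * 30 - 1  # 3 probes per hop, 30 hops

# Constructed blocked-UDP records: (source IP, destination port).
# Addresses are documentation ranges; this is not real firewall output.
SAMPLE = (
    [("198.51.100.7", p) for p in range(33434, 33440)]
    + [("203.0.113.20", p) for p in (33435, 33437, 33434, 33438, 33439, 33436)]
    + [("192.0.2.55", p) for p in (22, 23, 3389, 33434)]
    + [("192.0.2.99", 33436)]
)

def longest_run(sorted_ports):
    """Length of the longest run of consecutive port numbers."""
    best = cur = 0
    prev = None
    for p in sorted_ports:
        cur = cur + 1 if prev is not None and p == prev + 1 else 1
        best = max(best, cur)
        prev = p
    return best

def classify(records, min_run=3):
    """Label each source by how its blocked destination ports are laid out."""
    ports_by_src = defaultdict(set)
    for src, dport in records:
        ports_by_src[src].add(dport)
    verdicts = {}
    for src, ports in ports_by_src.items():
        in_range = sorted(p for p in ports if BASE_PORT <= p <= MAX_PORT)
        if len(in_range) < len(ports):
            # Also touched ports outside the traceroute range.
            verdicts[src] = "scan-like"
        elif longest_run(in_range) >= min_run:
            # Only traceroute-range ports, in a consecutive block.
            verdicts[src] = "traceroute-like"
        else:
            verdicts[src] = "inconclusive"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE).items()):
        print(f"{src:15} {verdict}")
```

A "traceroute-like" verdict only says the port layout is consistent with traceroute probes; it does not identify who sent them.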