So I just noticed that my FW log is full of blocked traffic to port 5716 from several different IPs. I tried to look it up on Google, but there is no useful info on it out there. Normally I would book it as some random port scan, but this has been going on for days now…
I would appreciate any info on what it could be and whether I should care about it. Thanks in advance!
You would have to put a honeypot on that port to take the data on that port to truly know, but it could be a port used by a botnet to find infected machines.
Take a look at https://www.anomali.com; they have a subsidiary that offers an open source honeypot, and look at the STAXX software as well. I think Tom mentioned them on one of his Vlog Thursday casts. SANS.org would be another great source of info.
Are the knocks coming from the same IP, or are they distributed across many IPs? You may want to block a range of IPs or a whole net block. Use a drop connection.
It's distributed across many IPs, as can be seen in the Wireshark log. For now I'm not that worried, since the FW blocked them anyway. It just piqued my curiosity: why the hell are those IPs banging on a closed and unused port…
OK, you are ahead of the game. Some years back Stephen Northcutt wrote about similar situations when he wrote the Shadow IDS while working for the Navy. It's good to be curious; you never know what you may uncover.
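The question raised above (one source or many, and for how long?) can be answered from the firewall log itself rather than by eye. The script below is an added example, not code from anyone in this thread; it assumes netfilter/iptables-style DROP lines with SRC= and DPT= fields and a fixed log year, and the sample lines are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in iptables/netfilter kernel-log style
# (made up for this example, not from the original poster's firewall;
# day numbers are zero-padded so the regex below stays simple).
SAMPLE_LOG = """\
Mar 01 02:11:07 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=5716
Mar 01 09:40:51 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=203.0.113.5 PROTO=TCP SPT=44122 DPT=5716
Mar 02 13:02:19 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=60001 DPT=5716
Mar 02 13:02:20 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=60002 DPT=22
Mar 03 18:27:44 fw kernel: DROP IN=eth0 SRC=198.51.100.140 DST=203.0.113.5 PROTO=TCP SPT=39210 DPT=5716
Mar 04 04:55:03 fw kernel: DROP IN=eth0 SRC=192.0.2.61 DST=203.0.113.5 PROTO=TCP SPT=52890 DPT=5716
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dport>\d+)"
)

def summarize_drops(log_text, year=2024):
    """Group dropped connections by destination port.
    Returns {dport: {"sources": set of source IPs, "hits": int,
                     "first": datetime, "last": datetime}}.
    The year is an assumption: syslog timestamps carry none."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a drop record; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        dport = int(m["dport"])
        e = summary.setdefault(dport, {"sources": set(), "hits": 0, "first": ts, "last": ts})
        e["sources"].add(m["src"])
        e["hits"] += 1
        e["first"] = min(e["first"], ts)
        e["last"] = max(e["last"], ts)
    return summary

def classify(entry, min_sources=3, min_days=2):
    """Label one port's summary: 'single-source' when one IP accounts for all
    hits (a candidate for a simple block), 'distributed' when several distinct
    IPs keep probing over multiple days (the pattern described in the thread),
    otherwise 'sporadic'."""
    days = (entry["last"] - entry["first"]).days + 1
    if len(entry["sources"]) == 1:
        return "single-source"
    if len(entry["sources"]) >= min_sources and days >= min_days:
        return "distributed"
    return "sporadic"

if __name__ == "__main__":
    for port, e in sorted(summarize_drops(SAMPLE_LOG).items()):
        print(f"port {port}: {len(e['sources'])} sources, {e['hits']} hits, {classify(e)}")
```

A "distributed" result is the case where blocking a single IP or net block buys little; the honeypot suggestion earlier in the thread is the way to learn what the probes actually send.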