
udp port 41255

Has anyone seen an increase from udp:53 to udp:41255?

srcip="65.111.165.141" dstip="xxx.xxx.xxx.xxx" proto="17" length="537" tos="0x00" prec="0x00" ttl="120" srcport="53" dstport="41255"
srcip="95.0.160.245" dstip="xxx.xxx.xxx.xxx" proto="17" length="511" tos="0x00" prec="0x00" ttl="239" srcport="53" dstport="41255"
srcip="184.0.100.230" dstip="xxx.xxx.xxx.xxx" proto="17" length="144" tos="0x00" prec="0x00" ttl="50" srcport="53" dstport="41255"
srcip="176.10.42.70" dstip="xxx.xxx.xxx.xxx" proto="17" length="221" tos="0x00" prec="0x00" ttl="52" srcport="53" dstport="41255"
srcip="82.142.177.250" dstip="xxx.xxx.xxx.xxx" proto="17" length="72" tos="0x00" prec="0x00" ttl="244" srcport="53" dstport="41255"
srcip="93.157.14.65" dstip="xxx.xxx.xxx.xxx" proto="17" length="217" tos="0x00" prec="0x00" ttl="51" srcport="53" dstport="41255"
srcip="212.85.249.132" dstip="xxx.xxx.xxx.xxx" proto="17" length="82" tos="0x00" prec="0x00" ttl="56" srcport="53" dstport="41255"
srcip="69.70.213.250" dstip="xxx.xxx.xxx.xxx" proto="17" length="130" tos="0x00" prec="0x00" ttl="119" srcport="53" dstport="41255"

I was checking the log and it's filled with the entries listed above; the live log is showing a lot of connection attempts.

Is there a command that I can run to get more information about the connection?

  • Hi, and welcome to the UTM Community!

    That looks like it could be a cache-poisoning attempt. Please show one complete line from the log file, not just a portion.

    Cheers - Bob

  • 2016:03:17-01:30:36 NXT1 ulogd[4737]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1" srcmac="00:20:14:27:19:da" dstmac="00:12:40:32:05:0A" srcip="175.139.193.137" dstip="XXX.XXX.XXX.XXX" proto="17" length="62" tos="0x00" prec="0x00" ttl="57" srcport="53" dstport="41255"


    2016:03:18-07:35:06 NXT1 ulogd[4737]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1" srcmac="00:20:14:27:19:da" dstmac="00:12:40:32:05:0A" srcip="209.35.196.88" dstip="XXX.XXX.XXX.XXX" proto="17" length="70" tos="0x00" prec="0x00" ttl="121" srcport="53" dstport="41255"

  • The first packet was from Malaysia and the second from Atlanta, Georgia in the USA.  Apparently, you're blocking those countries.  I wonder if the IP from the USA wasn't mis-categorized and is really from elsewhere, but the one from Malaysia definitely fits the pattern of an uninvited DNS response.

    Cheers - Bob
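As an added example that is not part of this thread and not a Sophos tool, the script below parses UTM ulogd packetfilter lines in the format Bob asked for and groups the dropped UDP packets arriving from source port 53 by the local port they target. That gives the "more information" the original post asks for from the log alone, and makes the pattern Bob describes visible: many unrelated remote resolvers all answering to one local port that never sent them a query. The log lines embedded here are constructed in the same format with documentation-range addresses; the function names, the `min_sources` threshold of three distinct senders, and the hypothetical local port `51000` are assumptions.

```python
"""Triage Sophos UTM packetfilter drops that look like unsolicited DNS replies."""
import re
from collections import defaultdict

# Constructed sample lines modelled on the ulogd format quoted in the thread
# (id="2021", sub="packetfilter", fwrule="60019"). Addresses are from the
# documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
2016:03:17-01:30:36 NXT1 ulogd[4737]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1" srcip="198.51.100.7" dstip="192.0.2.10" proto="17" length="62" tos="0x00" prec="0x00" ttl="57" srcport="53" dstport="41255"
2016:03:17-01:30:41 NXT1 ulogd[4737]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1" srcip="203.0.113.44" dstip="192.0.2.10" proto="17" length="537" tos="0x00" prec="0x00" ttl="120" srcport="53" dstport="41255"
2016:03:17-01:30:45 NXT1 ulogd[4737]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1" srcip="198.51.100.200" dstip="192.0.2.10" proto="17" length="511" tos="0x00" prec="0x00" ttl="239" srcport="53" dstport="41255"
2016:03:17-01:30:52 NXT1 ulogd[4737]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1" srcip="203.0.113.9" dstip="192.0.2.10" proto="17" length="70" tos="0x00" prec="0x00" ttl="121" srcport="53" dstport="41255"
2016:03:17-01:31:02 NXT1 ulogd[4737]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1" srcip="198.51.100.33" dstip="192.0.2.10" proto="17" length="80" tos="0x00" prec="0x00" ttl="60" srcport="53" dstport="51000"
2016:03:17-01:31:10 NXT1 ulogd[4737]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1" srcip="203.0.113.77" dstip="192.0.2.10" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="41255"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')            # key="value" pairs
HEAD_RE = re.compile(r'^(\S+) (\S+) (\S+?)\[(\d+)\]: ')  # timestamp host prog[pid]:


def parse_line(line):
    """Parse one ulogd packetfilter line into a dict.

    Returns None for lines that do not have the syslog-style head or that lack
    the address fields a packetfilter record always carries."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group(1), "host": m.group(2), "prog": m.group(3), "pid": m.group(4)}
    rec.update(KV_RE.findall(line))
    if "srcip" not in rec or "dstport" not in rec:
        return None
    return rec


def find_dns_reply_floods(lines, min_sources=3):
    """Group dropped UDP packets whose source port is 53 by the local port they
    target. A local port receiving 'answers' from at least min_sources distinct
    remote resolvers is reported: a resolver we actually queried would answer
    from one address to the port our query left from, so many unrelated
    senders aimed at one port is the unsolicited-reply pattern."""
    by_port = defaultdict(lambda: {"count": 0, "sources": set(), "bytes": 0, "ttls": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("proto") != "17" or rec.get("srcport") != "53":
            continue  # only UDP from source port 53 is of interest here
        entry = by_port[rec["dstport"]]
        entry["count"] += 1
        entry["sources"].add(rec["srcip"])
        entry["bytes"] += int(rec.get("length", "0"))
        entry["ttls"].append(int(rec.get("ttl", "0")))

    findings = {}
    for port, e in by_port.items():
        if len(e["sources"]) >= min_sources:
            findings[port] = {
                "packets": e["count"],
                "distinct_sources": len(e["sources"]),
                "bytes": e["bytes"],
                # a wide TTL spread is another hint the senders are unrelated hosts
                "ttl_range": (min(e["ttls"]), max(e["ttls"])),
            }
    return findings


if __name__ == "__main__":
    for port, info in find_dns_reply_floods(SAMPLE_LOG.splitlines()).items():
        print(f"local udp/{port}: {info['packets']} packets from "
              f"{info['distinct_sources']} sources, {info['bytes']} bytes, "
              f"ttl {info['ttl_range'][0]}..{info['ttl_range'][1]}")
```

Run it against a saved copy of the packetfilter log (`find_dns_reply_floods(open(path).readlines())`) to see which local ports are collecting replies and from how many senders; a port that shows up here with no matching outbound query in the firewall's own state is the case Bob is describing, and the GEOIP drop rule is already doing the right thing with it.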