What service uses UDP port 60059?

1

I received an email from logcheck that contained several connection attempts to UDP port 60059.

This email is sent by logcheck. If you no longer wish to receive
such mail, you can either deinstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).

System Events
=-=-=-=-=-=-=
Jul 29 04:42:02 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=91.121.95.131 DST=my.ip.add.ress LEN=171 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=58250 DPT=60059 LEN=151
Jul 29 04:42:03 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=91.121.95.131 DST=my.ip.add.ress LEN=171 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=58058 DPT=60059 LEN=151
Jul 29 04:42:06 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=65.75.216.14 DST=my.ip.add.ress LEN=192 TOS=0x00 PREC=0x00 TTL=119 ID=7012 PROTO=UDP SPT=1031 DPT=60059 LEN=172
Jul 29 04:42:12 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=93.193.28.53 DST=my.ip.add.ress LEN=201 TOS=0x00 PREC=0x00 TTL=110 ID=25276 PROTO=UDP SPT=62765 DPT=60059 LEN=181
Jul 29 04:42:15 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=91.121.95.131 DST=my.ip.add.ress LEN=171 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=2499 DPT=60059 LEN=151
Jul 29 04:42:15 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=87.118.106.136 DST=my.ip.add.ress LEN=218 TOS=0x00 PREC=0x00 TTL=119 ID=21989 PROTO=UDP SPT=16699 DPT=60059 LEN=198
Jul 29 04:42:18 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=64.25.177.219 DST=my.ip.add.ress LEN=151 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=55535 DPT=60059 LEN=131
Jul 29 04:42:19 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=91.121.95.131 DST=my.ip.add.ress LEN=141 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=4183 DPT=60059 LEN=121
Jul 29 04:42:23 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=180.28.163.114 DST=my.ip.add.ress LEN=103 TOS=0x00 PREC=0x00 TTL=111 ID=2050 PROTO=UDP SPT=1419 DPT=60059 LEN=83
Jul 29 04:42:32 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=87.10.109.97 DST=my.ip.add.ress LEN=144 TOS=0x00 PREC=0x00 TTL=112 ID=45314 PROTO=UDP SPT=61715 DPT=60059 LEN=124
Jul 29 04:42:32 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=96.237.240.66 DST=my.ip.add.ress LEN=111 TOS=0x00 PREC=0x00 TTL=112 ID=11398 PROTO=UDP SPT=3670 DPT=60059 LEN=91
Jul 29 04:42:34 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=67.0.76.62 DST=my.ip.add.ress LEN=97 TOS=0x00 PREC=0x00 TTL=118 ID=27883 PROTO=UDP SPT=6257 DPT=60059 LEN=77
Jul 29 04:42:37 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=46.163.65.86 DST=my.ip.add.ress LEN=199 TOS=0x00 PREC=0x00 TTL=117 ID=31816 PROTO=UDP SPT=61319 DPT=60059 LEN=179
Jul 29 04:42:38 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=95.97.106.138 DST=my.ip.add.ress LEN=211 TOS=0x00 PREC=0x00 TTL=116 ID=33070 PROTO=UDP SPT=3194 DPT=60059 LEN=191
Jul 29 04:42:41 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=91.121.182.190 DST=my.ip.add.ress LEN=200 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=48604 DPT=60059 LEN=180
Jul 29 04:42:41 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=91.121.182.190 DST=my.ip.add.ress LEN=192 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=30457 DPT=60059 LEN=172
Jul 29 04:42:41 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=91.121.182.190 DST=my.ip.add.ress LEN=192 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=50706 DPT=60059 LEN=172
Jul 29 04:42:42 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=84.19.190.64 DST=my.ip.add.ress LEN=139 TOS=0x00 PREC=0x00 TTL=56 ID=825 PROTO=UDP SPT=50758 DPT=60059 LEN=119
Jul 29 04:42:50 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=80.90.43.30 DST=my.ip.add.ress LEN=182 TOS=0x00 PREC=0x00 TTL=116 ID=30710 PROTO=UDP SPT=49846 DPT=60059 LEN=162
Jul 29 04:42:50 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=80.90.43.30 DST=my.ip.add.ress LEN=186 TOS=0x00 PREC=0x00 TTL=116 ID=30724 PROTO=UDP SPT=49856 DPT=60059 LEN=166
Jul 29 04:42:58 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=84.19.176.44 DST=my.ip.add.ress LEN=173 TOS=0x00 PREC=0x00 TTL=119 ID=12730 PROTO=UDP SPT=57695 DPT=60059 LEN=153
Jul 29 04:43:01 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=87.118.126.158 DST=my.ip.add.ress LEN=191 TOS=0x00 PREC=0x00 TTL=120 ID=30862 PROTO=UDP SPT=4822 DPT=60059 LEN=171
Jul 29 04:43:03 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=83.169.12.172 DST=my.ip.add.ress LEN=197 TOS=0x00 PREC=0x00 TTL=117 ID=29081 PROTO=UDP SPT=1641 DPT=60059 LEN=177
Jul 29 04:43:14 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=74.77.32.249 DST=my.ip.add.ress LEN=167 TOS=0x00 PREC=0x00 TTL=116 ID=30903 PROTO=UDP SPT=2112 DPT=60059 LEN=147
Jul 29 04:43:20 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=221.31.22.19 DST=my.ip.add.ress LEN=43 TOS=0x00 PREC=0x00 TTL=105 ID=2597 PROTO=UDP SPT=6257 DPT=60059 LEN=23
Jul 29 04:43:23 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=68.50.247.147 DST=my.ip.add.ress LEN=190 TOS=0x00 PREC=0x00 TTL=114 ID=25950 PROTO=UDP SPT=59025 DPT=60059 LEN=170
Jul 29 04:43:23 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:7c:75:3f:08:00 SRC=68.50.247.147 DST=my.ip.add.ress LEN=169 TOS=0x00 PREC=0x00 TTL=114 ID=25952 PROTO=UDP SPT=59027 DPT=60059 LEN=149
Jul 29 04:43:31 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=46.163.65.86 DST=my.ip.add.ress LEN=199 TOS=0x00 PREC=0x00 TTL=117 ID=12987 PROTO=UDP SPT=56856 DPT=60059 LEN=179
Jul 29 04:43:56 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=90.217.77.104 DST=my.ip.add.ress LEN=177 TOS=0x00 PREC=0x00 TTL=115 ID=14304 PROTO=UDP SPT=2711 DPT=60059 LEN=157
Jul 29 04:44:12 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=178.84.75.190 DST=my.ip.add.ress LEN=142 TOS=0x00 PREC=0x00 TTL=118 ID=41799 PROTO=UDP SPT=2844 DPT=60059 LEN=122
Jul 29 04:44:45 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=24.98.60.84 DST=my.ip.add.ress LEN=177 TOS=0x00 PREC=0x00 TTL=111 ID=2423 PROTO=UDP SPT=3968 DPT=60059 LEN=157
Jul 29 04:45:43 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=114.184.78.145 DST=my.ip.add.ress LEN=124 TOS=0x00 PREC=0x00 TTL=109 ID=8715 PROTO=UDP SPT=1262 DPT=60059 LEN=104
Jul 29 04:45:50 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=120.197.11.29 DST=my.ip.add.ress LEN=28 TOS=0x00 PREC=0x00 TTL=110 ID=19599 PROTO=ICMP TYPE=8 CODE=0 ID=299 SEQ=44068
Jul 29 04:46:14 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=114.184.78.145 DST=my.ip.add.ress LEN=124 TOS=0x00 PREC=0x00 TTL=109 ID=18607 PROTO=UDP SPT=1277 DPT=60059 LEN=104
Jul 29 04:48:34 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=79.27.22.113 DST=my.ip.add.ress LEN=109 TOS=0x00 PREC=0x00 TTL=114 ID=17010 PROTO=UDP SPT=63869 DPT=60059 LEN=89
Jul 29 04:48:34 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=79.27.22.113 DST=my.ip.add.ress LEN=105 TOS=0x00 PREC=0x00 TTL=114 ID=17013 PROTO=UDP SPT=63873 DPT=60059 LEN=85
Jul 29 04:52:04 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=193.40.58.14 DST=my.ip.add.ress LEN=165 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=16699 DPT=60059 LEN=145
Jul 29 04:52:22 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=fe:fd:42:e4:26:54:88:43:e1:a4:04:ff:08:00 SRC=193.40.58.14 DST=my.ip.add.ress LEN=165 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=16699 DPT=60059 LEN=145

The output of netstat -lnptu shows the following:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2178/mysqld
tcp        0      0 0.0.0.0:33519           0.0.0.0:*               LISTEN      1387/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1375/portmap
tcp        0      0 0.0.0.0:4949            0.0.0.0:*               LISTEN      3391/munin-node
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2193/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2246/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2933/master
tcp6       0      0 :::80                   :::*                    LISTEN      748/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      2246/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1859/dhclient
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1375/portmap
udp        0      0 my.ip.add.ress:123        0.0.0.0:*                           3325/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           3325/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           3325/ntpd
udp        0      0 0.0.0.0:715             0.0.0.0:*                           1387/rpc.statd
udp        0      0 0.0.0.0:57208           0.0.0.0:*                           1387/rpc.statd
udp6       0      0 ::1:123                 :::*                                3325/ntpd
udp6       0      0 fe80::fcfd:42ff:fee:123 :::*                                3325/ntpd
udp6       0      0 :::123                  :::*                                3325/ntpd

Does anyone know what could be running on that port? Is this something I should be worried about? Should I consider rejecting incoming connections from the offending IP addresses?

    
por Buggabill 29.07.2011 / 15:06

1 answer

7

There is no known service on that port. It will be a bot or similar that listens on that port for C&C ("command and control"). Either someone was blindly looking for existing instances of the bot, or you are infected and the malware managed to send its "I'm here" signal to the C&C, but your firewall blocked the attempts to control the bot. Given the wide variety of source IPs, I would be inclined to think it is a distributed blind scan.

If it is still going on, a packet dump of the traffic would probably be of great use to someone.

    
por 29.07.2011 / 15:15
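To turn a logcheck report like the one in the question into the signal the answer reasons from (how many distinct sources hit which port, and whether anything local listens there), here is an added Python example; it is not code from the question or the answer. The log lines and the listening set are constructed stand-ins in the same netfilter/Shorewall format, using documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the netfilter/Shorewall format of the logcheck report (documentation addresses, not the question's real ones)
SAMPLE_LOG = """\
Jul 29 04:42:02 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=171 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=58250 DPT=60059 LEN=151
Jul 29 04:42:06 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.5 LEN=192 TOS=0x00 PREC=0x00 TTL=119 ID=7012 PROTO=UDP SPT=1031 DPT=60059 LEN=172
Jul 29 04:42:12 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=201 TOS=0x00 PREC=0x00 TTL=110 ID=25276 PROTO=UDP SPT=62765 DPT=60059 LEN=181
Jul 29 04:45:50 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=28 TOS=0x00 PREC=0x00 TTL=110 ID=19599 PROTO=ICMP TYPE=8 CODE=0 ID=299 SEQ=44068
Jul 29 04:52:04 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=165 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=16699 DPT=60059 LEN=145
Jul 29 04:53:00 myserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""
# (proto, port) pairs taken from the question's `netstat -lnptu` output (constructed subset)
LISTENING = {("udp", 68), ("udp", 111), ("udp", 123), ("udp", 715), ("tcp", 22), ("tcp", 80)}
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_drop(line):
    """Return the KEY=value fields of a netfilter DROP line, else None."""
    if ":DROP:" not in line:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields.setdefault(key, val)  # first LEN is the IP total length, first ID the IP id
    return fields

def triage(log_text, listening=LISTENING):
    """Group dropped UDP/TCP probes by (proto, dport): hit count, distinct
    sources, whether a local service listens there, and a scan pattern."""
    by_port = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in log_text.splitlines():
        f = parse_drop(line)
        if not f or f.get("PROTO") not in ("UDP", "TCP"):
            continue  # ICMP and non-DROP lines carry no destination port
        key = (f["PROTO"].lower(), int(f["DPT"]))
        by_port[key]["hits"] += 1
        by_port[key]["sources"].add(f["SRC"])
    report = {}
    for key, d in by_port.items():
        n = len(d["sources"])
        report[key] = {
            "hits": d["hits"], "distinct_sources": n,
            "listening": key in listening,
            # many unrelated sources on one closed port reads as a distributed scan; one source repeating reads as targeted
            "pattern": "distributed scan" if n >= 3 else "single source",
        }
    return report

if __name__ == "__main__":
    for (proto, port), r in sorted(triage(SAMPLE_LOG).items()):
        print(f"{proto}/{port}: {r}")
```

A port that is not in the listening set cannot have accepted anything, so drops there are noise to rate-limit or ignore; drops on a port that is listening deserve a closer look at the source.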