  • Use Case Reference : SUC014
  • Use Case Title : Static source port 12200/TCP
  • Use Case Detection : Firewall logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Unknown
  • Source IP(s) : Random
  • Source Countries : Random, but most of them from China
  • Source Port(s) : 12200/TCP
  • Destination Port(s) : 1080/TCP, 2479/TCP, 3128/TCP, 3246/TCP, 8080/TCP, 9415/TCP, 9090/TCP
Possible correlation(s) :
  • Proxy finder bot

Source(s) :

Most of the time these trends are given by firewall reporting, but an IDS that is configured to report activity on unused TCP or UDP ports could also trigger alerts. If you use the Emerging Threats “Known Compromised Hosts” and “Recommended Block List”, correlating firewall activity with IDS signatures will give you a better overview of the attacker.
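One way to pull this pattern out of firewall logs, as an added example that is not part of the original use case sheet: it flags sources that probe several of the listed proxy ports from the static source port 12200/TCP. The netfilter/iptables `LOG` key=value format, the sample lines and the `min_ports` threshold are assumptions.

```python
import re
from collections import defaultdict

# Values taken from the use case sheet above.
STATIC_SPT = 12200
PROXY_DPTS = {1080, 2479, 3128, 3246, 8080, 9415, 9090}

# Assumption: netfilter/iptables LOG key=value format.
FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Jan 10 03:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=8080 SYN
Jan 10 03:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=3128 SYN
Jan 10 03:12:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=1080 SYN
Jan 10 03:14:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=8080 SYN
Jan 10 03:15:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=51544 DPT=3128 SYN
Jan 10 03:15:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 PROTO=UDP SPT=12200 DPT=53
Jan 10 03:15:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=12200
"""

def parse(line):
    """Return the fields of interest as a dict, or None if the line is incomplete."""
    f = dict(FIELD.findall(line))
    if not {"SRC", "PROTO", "SPT", "DPT"} <= f.keys():
        return None  # truncated or unrelated log line
    try:
        f["SPT"], f["DPT"] = int(f["SPT"]), int(f["DPT"])
    except ValueError:
        return None  # non-numeric port field
    return f

def suc014_hits(lines, min_ports=2):
    """Map source IP -> sorted proxy ports probed from source port 12200/TCP.
    min_ports is a hypothetical threshold: distinct proxy ports needed to report a source."""
    seen = defaultdict(set)
    for line in lines:
        f = parse(line)
        if f and f["PROTO"] == "TCP" and f["SPT"] == STATIC_SPT and f["DPT"] in PROXY_DPTS:
            seen[f["SRC"]].add(f["DPT"])
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    for src, ports in suc014_hits(SAMPLE_LOG.splitlines()).items():
        print(f"SUC014 {src} -> {ports}")
```

The sources returned can then be checked against the Emerging Threats lists mentioned above.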

24 hours source port 12200/TCP events

1 week source port 12200 events

1 month source port 12200/TCP events

1 year source port 12200/TCP events

Source port 12200 source countries distribution

Source port 12200 destination ports distribution
