- Use Case Reference : SUC014
- Use Case Title : Static source port 12200/TCP
- Use Case Detection : Firewall logs / IDS
- Attacker Class : Opportunists
- Attack Sophistication : Unsophisticated
- Identified tool(s) : Unknown
- Source IP(s) : Random
- Source Countries : Random, but most of them from China
- Source Port(s) : 12200/TCP
- Destination Port(s) : 1080/TCP, 2479/TCP, 3128/TCP, 3246/TCP, 8080/TCP, 9415/TCP, 9090/TCP
Possible correlation(s) :
- Proxy finder bot
Source(s) :
- [Dshield] Interesting scans
- Emerging Threats “Known Compromised Hosts”
- Dshield “Recommended Block List”
Most of the time these trends are surfaced by firewall reporting, but an IDS that is configured to report activity on unused TCP or UDP ports could also trigger alerts. If you use the Emerging Threats “Known Compromised Hosts” and “Recommended Block List”, correlating firewall activity with IDS signatures will give you a better overview of the attacker.
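
The detection and correlation described above, as an added example that is not part of the original use case: it scans firewall log lines for TCP packets sent from source port 12200 to the listed proxy ports and marks sources that also appear on a block list. The netfilter/iptables-style log format, the sample lines, the sample block list entry and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Ports taken from the use case above (SUC014).
STATIC_SPT = 12200
PROXY_DPTS = {1080, 2479, 3128, 3246, 8080, 9415, 9090}

# Assumption: netfilter/iptables LOG-style key=value lines; adapt to your firewall.
FIELD_RE = re.compile(r"\b(SRC|PROTO|SPT|DPT)=(\S+)")

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
Jan 10 03:12:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=8080 SYN
Jan 10 03:12:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=3128 SYN
Jan 10 03:12:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=1080 SYN
Jan 10 04:40:19 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=9415 SYN
Jan 10 04:41:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=8080 SYN
Jan 10 04:42:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=22 SYN
Jan 10 04:43:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.50 DST=192.0.2.10 PROTO=UDP SPT=12200 DPT=1080
Jan 10 04:44:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.60 DST=192.0.2.10 PROTO=TCP SPT=12200 DPT=
"""
# Constructed stand-in for entries loaded from a block list feed.
SAMPLE_BLOCKLIST = {"203.0.113.45"}

def parse_line(line):
    """Return (SRC, PROTO, SPT, DPT) from one line, or None if the line is incomplete."""
    fields = dict(FIELD_RE.findall(line))
    if len(fields) < 4 or not (fields["SPT"].isdigit() and fields["DPT"].isdigit()):
        return None
    return fields["SRC"], fields["PROTO"], int(fields["SPT"]), int(fields["DPT"])

def detect_suc014(lines, blocklist=frozenset()):
    """Map each matching source IP to the proxy ports it probed and its block list status."""
    ports_by_src = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, spt, dpt = parsed
        # The signature: TCP, fixed source port 12200, destination in the proxy port set.
        if proto == "TCP" and spt == STATIC_SPT and dpt in PROXY_DPTS:
            ports_by_src[src].add(dpt)
    return {src: {"ports": sorted(p), "listed": src in blocklist}
            for src, p in ports_by_src.items()}

if __name__ == "__main__":
    for src, hit in detect_suc014(SAMPLE_LOG.splitlines(), SAMPLE_BLOCKLIST).items():
        print(f"SUC014 {src} ports={hit['ports']} on_blocklist={hit['listed']}")
```

Sources using a random ephemeral port, a non-proxy destination port, UDP, or a truncated log line are deliberately left out of the result.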