Excessive hits on port 15783?



  • I've been keeping an eye on my firewall logs lately, and have noticed that I'm getting TCP requests on port 15783 constantly, and from multiple sources (it's almost 650 since I started keeping track two days ago).  The only thing I can find that has any documented use of this port is RemoteMonkeyServer for MediaMonkey.  I've never used MediaMonkey, and know nothing about it.  Are people just scanning IP ranges for available servers to get music from or is this something I should keep a closer eye on?  I have noticed that a disproportionately high number of them are coming from edu addresses.


  • Netgate Administrator

    Is your WAN IP dynamic?
    The most likely reason for this is someone else had your current IP and was running a service on that port. 650 hits in two days is not that many so it's unlikely to have been a torrent server for example.

    Steve



  • Yes, it's dynamic, but I've had two different ones with the same activity on that port.  And it's not 650 hits, it's 650 different sources.  Just seemed odd, and I couldn't find much info on anything that might be on that port.


  • Netgate Administrator

    Ah ok. That's a much bigger number then.
    If it's happened after you switch dynamic IPs that suggests it's either something in your network advertising itself on that port or it's your ISP doing it (or something immediately upstream).
    Port numbers that high are rarely fixed so I would expect it could be any application really.

    Steve



  • Is there any way to figure out what might be advertising itself on that port?  The traffic is being blocked, but the stats are somewhat concerning (reset yesterday morning):

    Destination Ports data
    TCP/15783 967
    TCP/80: http 250
    UDP/67: bootps 53
    TCP/443: https 51
    TCP/54321 13
    Other 114

    No torrents, no other P2P programs, and with (another) fresh IP address as of yesterday.



  • @dillbilly:

    Is there any way to figure out what might be advertising itself on that port?

    Traffic doesn't necessarily result from something "advertising itself" on the port. For example, some might "probe" a range of IP addresses on a particular port looking for a system that responds. Or you might have a dynamic IP address which was recently used by a system providing a service on that port.

    Do you see a range of IP addresses accessing the port in question?  Do you see the accesses in the firewall log?
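
The thread turns on the difference between hits and distinct sources per destination port, and on whether the sources span a range of addresses. The following is an added example, not part of the original thread: it summarizes blocked traffic per destination port from firewall log lines. The log format, the sample lines and the function names `parse_line` and `summarize_blocked` are assumptions made for illustration; only IPv4 sources are handled.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in a hypothetical format (time action proto src:sport
# dst:dport); adapt parse_line() to the real log format of your firewall.
SAMPLE_LOG = """\
10:00:01 block tcp 192.0.2.10:40112 203.0.113.5:15783
10:00:02 block tcp 192.0.2.10:40113 203.0.113.5:15783
10:00:05 block tcp 192.0.2.77:51234 203.0.113.5:15783
10:00:09 block tcp 198.51.100.4:33001 203.0.113.5:15783
10:00:11 block tcp 198.51.100.4:33002 203.0.113.5:80
10:00:12 pass tcp 198.51.100.9:33050 203.0.113.5:443
10:00:15 block udp 0.0.0.0:68 255.255.255.255:67
garbage line that should be skipped
"""

def parse_line(line):
    """Return (action, proto, src_ip, dst_port), or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, action, proto, src, dst = parts
    try:
        src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
        dst_port = int(dst.rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None
    return action, proto.upper(), src_ip, dst_port

def summarize_blocked(log_text):
    """Per destination port: total hits, distinct sources, distinct /24s."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[0] != "block":
            continue
        _, proto, src_ip, dst_port = rec
        key = f"{proto}/{dst_port}"
        hits[key] += 1
        sources[key].add(src_ip)
    summary = {}
    for key, ips in sources.items():
        # Collapse sources to /24 networks to see how widely they are spread.
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        summary[key] = {"hits": hits[key], "sources": len(ips), "nets_24": len(nets)}
    return summary

if __name__ == "__main__":
    print(summarize_blocked(SAMPLE_LOG))
```

Many hits from a handful of sources and many hits from hundreds of unrelated networks show up as different `sources` and `nets_24` counts for the same `hits` value.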

