Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Excessive hits on port 15783?

    General pfSense Questions
    3
    6
    1208
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dillbilly
      last edited by

      I've been keeping an eye on my firewall logs lately, and have noticed that I'm getting TCP requests on port 15783 constantly, and from multiple sources (it's almost 650 since I started keeping track two days ago).  The only thing I can find that has any documented use of this port is RemoteMonkeyServer for MediaMonkey.  I've never used MediaMonkey, and know nothing about it.  Are people just scanning IP ranges for available servers to get music from or is this something I should keep a closer eye on?  I have noticed that an disproportionately high number of them are coming from edu addresses.

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        Is your WAN IP dynamic?
        The most likely reason for this is someone else had your current IP and was running a service on that port. 650 hits in two days is not that many so it's unlikely to have been a torrent server for example.

        Steve

        1 Reply Last reply Reply Quote 0
        • D
          dillbilly
          last edited by

          Yes, it's dynamic, but I've had two different ones with the same activity on that port.  And it's not 650 hits, it's 650 different sources.  Just seemed odd, and I couldn't find much info on anything that might be on that port.

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            Ah ok. That's a much bigger number then.
            If it's happened after you switch dynamic ips that suggests it's either something in your network advertising itself on that port 9r it's your ISP doing it (or something immediately up stream).
            Port numbers that high are rarely fixed so I would expect it could be any application really.

            Steve

            1 Reply Last reply Reply Quote 0
            • D
              dillbilly
              last edited by

              Is there any way to figure out what might be advertising itself on that port?  The traffic is being blocked, but the stats are somewhat concerning (reset yesterday morning):

              Destination Ports data
              TCP/15783 967
              TCP/80: http 250
              UDP/67: bootps 53
              TCP/443: https 51
              TCP/54321 13
              Other 114

              No torrents, no other P2P programs, and with (another) fresh IP address as of yesterday.

              1 Reply Last reply Reply Quote 0
              • W
                wallabybob
                last edited by

                @dillbilly:

                Is there any way to figure out what might be advertising itself on that port?

                Traffic doesn't necessarily result from something "advertising itself" on the port. For example, some might "probe" a range of IP addresses on a particular port looking for a systems that responds. Or you might have a dynamic IP address which was recently used by a system providing a service on that port.

                Do you see a range of IP addresses accessing the port in question?  Do you see the accesses in the firewall log?

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post