Last Updated: 2018-07-18 18:52:01 UTC
by Kevin Liston (Version: 2)
Starting 12-JUL-2018, the number of DShield participants reporting probes for port 15454 started to rise. It popped up on the experimental trends report (https://isc.sans.edu/trends.html) yesterday. Fellow handler Richard Porter thought it sounded like a "debugger port for an App" and after a quick jaunt to The Googles he returned with an old report that this port opens up when the Cloud9 IDE is doing its thing. (Source: https://stackoverflow.com/questions/39007572/cloud9-debugger-listening-on-port-15454)
We're curious if that initial guess is correct or not. Are you seeing this as well? Any pattern to the source or interesting tool marks? Or better yet: Got Packets?
If so, hit us up on the contact form: https://isc.sans.edu/contact
Looking at my own sensors, I see one source, 18.104.22.168. It was looking for ports in the 15000 range. So looking at the DShield logs for port 15453, port 15455 and port 15456 around 15454, you see a similar uptick. In addition to the 15000 ports, it was also hitting 22.
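To check your own sensor logs for the same pattern, the following added example (not part of the original diary and not an ISC tool) groups dropped TCP probes by source and reports, for each source that touched 15454, which neighbouring 15000-range ports and which other ports it also hit. The iptables-style log format, the sample lines and the function names are assumptions; adapt the regex to your own firewall.

```python
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG style (documentation address ranges).
# The log format is an assumption; adjust FIELD_RE for your own sensor.
SAMPLE_LOG = """\
Jul 17 10:01:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=15453 SYN
Jul 17 10:01:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=15454 SYN
Jul 17 10:01:03 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=15455 SYN
Jul 17 10:01:03 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=22 SYN
Jul 17 10:05:10 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=15454 SYN
Jul 17 10:06:44 fw kernel: IN=eth0 SRC=203.0.113.99 DST=198.51.100.5 PROTO=TCP SPT=52000 DPT=443 SYN
Jul 17 10:07:00 fw kernel: malformed line without fields
"""

FIELD_RE = re.compile(r"\bSRC=(?P<src>\S+).*?\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)")
TARGET_PORT = 15454
NEIGHBOR_RANGE = range(15000, 16000)  # "ports in the 15000 range"


def ports_by_source(log_text):
    """Map each source address to the set of TCP destination ports it probed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if m:  # lines that do not parse are skipped
            seen[m.group("src")].add(int(m.group("dpt")))
    return seen


def profile_15454_sources(log_text):
    """For every source that touched 15454, summarize what else it probed."""
    report = {}
    for src, ports in ports_by_source(log_text).items():
        if TARGET_PORT not in ports:
            continue
        neighbors = sorted(p for p in ports if p in NEIGHBOR_RANGE and p != TARGET_PORT)
        others = sorted(p for p in ports if p not in NEIGHBOR_RANGE)
        report[src] = {"neighbors": neighbors, "other_ports": others,
                       "range_sweep": bool(neighbors)}
    return report


if __name__ == "__main__":
    for src, info in profile_15454_sources(SAMPLE_LOG).items():
        print(src, info)
```

A source with `range_sweep` set is walking the 15000 range rather than targeting 15454 alone, which is the distinction the sensor observation above turns on.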