More from 194.59.120.11…


A previous post looked at the activity recorded for IP 194.59.120.11 in our firewall logs. Since then we have added this IP to the “Monitored IP addresses” section, so each entry containing 194.59.120.11 is now tagged in the report with a different color and a comment (we tagged it as Deutsches Patentamt – keeps connecting… – a very clear indication of what it does).

We have now noticed that it connects on TCP/8088, a port commonly used by HTTP proxies, and on TCP/3080. No idea what TCP/3080 can be used for; there are no “known” applications that rely on it. The similarity to TCP/8088 may indicate that someone keeps misspelling the IP address of their real HTTP proxy, or (seeing that it doesn’t work) that they tried to change the port configured for it (3080 instead of 8088). It is not unusual to see applications installing their own web server service as a way to provide a management interface. Can this be the case here? Or there could be an application that queries remote agents using that port, and they are trying to “discover” the wrong subnet (where our firewall resides).

Strangely enough, the previous day shows just regular TCP/80 HTTP requests, one every 60 seconds. Since we don’t deny TCP/80, the IP is shown in the regular “HTTP Traffic from external hosts” report section. Maybe the administrators of that device are starting to see that something is wrong with it 🙂
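One way to get the per-port view and the fixed-interval pattern described above out of raw log lines, as an added example that is not the reporting tool used in this post. The log line layout, the sample lines and the name `summarize` are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed tag table, mirroring the "Monitored IP addresses" section described above.
MONITORED = {"194.59.120.11": "Deutsches Patentamt - keeps connecting..."}

# Assumed (hypothetical) layout: "<ISO time> <ALLOW|DENY> SRC=.. DST=.. PROTO=.. DPT=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) SRC=(?P<src>\S+) DST=\S+ "
    r"PROTO=\w+ DPT=(?P<dpt>\d+)$"
)

# Constructed sample lines, not the real logs; 192.0.2.10 stands in for the firewall.
SAMPLE = [
    f"2000-01-01T10:0{i}:00 ALLOW SRC=194.59.120.11 DST=192.0.2.10 PROTO=TCP DPT=80"
    for i in range(5)
] + [
    "2000-01-02T09:00:00 DENY SRC=194.59.120.11 DST=192.0.2.10 PROTO=TCP DPT=8088",
    "2000-01-02T09:00:07 DENY SRC=194.59.120.11 DST=192.0.2.10 PROTO=TCP DPT=8088",
    "2000-01-02T09:13:40 DENY SRC=194.59.120.11 DST=192.0.2.10 PROTO=TCP DPT=8088",
    "2000-01-02T09:20:00 DENY SRC=194.59.120.11 DST=192.0.2.10 PROTO=TCP DPT=3080",
    "2000-01-02T09:45:12 DENY SRC=194.59.120.11 DST=192.0.2.10 PROTO=TCP DPT=3080",
    "2000-01-02T09:50:00 ALLOW SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80",
    "truncated line without fields",
]

def summarize(lines, monitored=MONITORED):
    """Per (source, port): hit count, firewall actions, median gap, fixed-interval flag."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["src"] not in monitored:
            continue  # skip unparsable lines and sources that are not monitored
        events[(m["src"], int(m["dpt"]))].append((datetime.fromisoformat(m["ts"]), m["action"]))
    report = {}
    for key, evs in events.items():
        evs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        med = median(gaps) if gaps else None
        # Fixed interval: at least three gaps, each within 10% of the median gap.
        periodic = len(gaps) >= 3 and med > 0 and all(abs(g - med) <= 0.1 * med for g in gaps)
        report[key] = {"count": len(evs), "actions": sorted({a for _, a in evs}),
                       "interval_s": med, "periodic": periodic}
    return report

if __name__ == "__main__":
    for (src, port), info in sorted(summarize(SAMPLE).items()):
        print(f"{src} [{MONITORED[src]}] TCP/{port}: {info}")
```

A fixed interval on an allowed port next to irregular hits on denied ports is the pattern the post describes: a timer-driven client on TCP/80, and something less regular behind TCP/8088 and TCP/3080.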
