
SANS ISC: Request for Packets: Port 15454 - SANS Internet Storm Center SANS ISC InfoSec Forums

Request for Packets: Port 15454

Starting 12-JUL-2018 the number of DShield participants reporting probes for port 15454 started to rise. It popped up on the experimental trends report ( yesterday. Fellow handler Richard Porter thought it sounded like a "debugger port for an App" and after a quick jaunt to The Googles he returned with an old report that this port opens up when the Cloud9 IDE is doing its thing. (Source:

We're curious if that initial guess is correct or not. Are you seeing this as well? Any pattern to the source or interesting tool marks? Or better yet: Got Packets?

If so, hit us up on the contact form:



Looking at my own sensors, I see one source  It was looking for ports in the 15000 range. So looking at the DShield logs for port 15453, port 15455, port 15456 around 15454 you see a similar uptick. In addition to the 15000 ports it was also hitting 22.

Kevin Liston

292 Posts
ISC Handler
Jul 18th 2018
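Added example (not part of the original diary or the replies): one way to run the check discussed in this thread over your own firewall logs, separating sources that sweep many ports once each from sources that keep returning to 15454. The log format, the sample lines, the addresses (documentation ranges) and the `SWEEP_MIN_PORTS` threshold are all assumptions made for the example.

```python
from collections import Counter, defaultdict

PORT_OF_INTEREST = 15454
SWEEP_MIN_PORTS = 4   # assumed threshold: this many distinct ports = sweep

# Constructed sample: "<date> <time> <src_ip> <dst_port>/<proto>" (assumed format,
# documentation-range addresses; not data from the diary).
SAMPLE_LOG = """\
2018-07-17 03:10:01 192.0.2.10 15453/tcp
2018-07-17 03:10:02 192.0.2.10 15454/tcp
2018-07-17 03:10:03 192.0.2.10 15455/tcp
2018-07-17 03:10:04 192.0.2.10 15456/tcp
2018-07-17 03:10:09 192.0.2.10 22/tcp
2018-07-17 04:00:00 198.51.100.7 15454/tcp
2018-07-17 04:00:05 198.51.100.7 15454/tcp
2018-07-17 05:30:00 203.0.113.99 22/tcp
not a log line
"""

def parse(log_text):
    """Yield (src_ip, dst_port) for well-formed lines; skip anything else."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or "/" not in fields[3]:
            continue
        port, _, _proto = fields[3].partition("/")
        if port.isdigit() and 0 < int(port) <= 65535:
            yield fields[2], int(port)

def triage(log_text, port=PORT_OF_INTEREST):
    """Classify each source that probed `port` as 'sweep' or 'targeted'."""
    hits = defaultdict(Counter)          # src_ip -> Counter(dst_port -> packets)
    for src, dport in parse(log_text):
        hits[src][dport] += 1
    report = {}
    for src, ports in hits.items():
        if port not in ports:
            continue                     # never touched the port of interest
        sweep = len(ports) >= SWEEP_MIN_PORTS
        report[src] = {
            "verdict": "sweep" if sweep else "targeted",
            "distinct_ports": len(ports),
            "max_packets_per_port": max(ports.values()),
            "neighbours": sorted(p for p in ports if 0 < abs(p - port) <= 5),
        }
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Sources that come back as "targeted" are the ones whose packets are worth capturing; "sweep" sources say little about what is actually listening on 15454.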
Hey Kevin! Yeah, I see the same IP. And searching my logs for that IP, I see it's probing lots of ports, but only one packet per port, and probably longer than the last 30 days. In my case they were all blocked because that IP is in the CINS-Bad-Guys list which my firewall uses (amongst others) to block bad actors. So I suspect that this one IP isn't doing anything specific to the uptick, I suspect they're just scanning all ports on a given IP...

But that's just a hunch...

133 Posts
I have packets & will gladly reach out.

2 Posts
Is there any context around the IP other than some port probing?
