Just a little help needed here. I've been seeing a lot of traffic with a source port of 5635 and a destination port of 0. Searching on Google yields no significant results. There were two forums that asked the same question and haven't yet gotten an answer. I asked the posters for more information and whether their problems had been resolved, but I haven't gotten a response yet. So, any help and/or insight would be much appreciated.

Here's an excerpt from my logs:

Time,Source Addr,Source Port,Dest Addr,Dest Port,TCP/UDP,TCP Flags

6/28/01 15:41,208.33.170.61 (cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,
6/28/01 15:41,208.33.170.61 (cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,fin rst psh
6/28/01 16:55,63.254.34.74 (A010-0074.FRDK.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn psh
6/28/01 17:50,208.33.170.154 (cvxp154.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,rst
6/29/01 0:04,63.252.82.9 (A010-0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst psh ack urg
6/29/01 0:04,63.252.82.9 (A010-0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst
6/29/01 0:04,63.252.82.9 (A010-0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,rst urg
6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:27,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:28,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,psh urg
6/29/01 7:34,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:34,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:34,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:34,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg

The TCP flags are varied. I know it's not indicated here, but I didn't want to send the entire list of attempts. The server that these IPs are destined for happens to be an HTTPS server, and these IPs have also established full connections with the server. So I'm not sure if this is an attack or some wacky software misconfiguration. Again, any help and/or insight would be appreciated. Thanks in advance.

-Rick

--------------------------------------
FREE ANONYMOUS EMAIL! Sign up now.
http://www.subdimension.com/freemail

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
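As an added triage example (not part of the original post or list), the following Python reads log lines in the same CSV layout as the excerpt above and reports the two things a defender would check first: a destination port of 0 and TCP flag combinations that cannot occur in a well-formed exchange (no flags, SYN+FIN, SYN+RST, FIN/PSH/URG without ACK). The sample lines are constructed from the post's excerpt plus one ordinary HTTPS SYN, which is assumed and included only to show a line that passes.

```python
import csv
from collections import Counter

# Constructed sample in the post's CSV layout: five lines taken from the excerpt
# plus one assumed, well-formed SYN to port 443 that should raise no finding.
SAMPLE_LOG = """\
6/28/01 15:41,208.33.170.61 (cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,
6/28/01 15:41,208.33.170.61 (cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,fin rst psh
6/28/01 16:55,63.254.34.74 (A010-0074.FRDK.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn psh
6/29/01 0:04,63.252.82.9 (A010-0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst psh ack urg
6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:40,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,443,TCP,syn
"""


def flag_problems(flags):
    """Return the reasons a TCP flag set could not occur in a normal exchange (empty if plausible)."""
    reasons = []
    if not flags:
        reasons.append("no flags set")
    if {"syn", "fin"} <= flags:
        reasons.append("SYN+FIN")
    if {"syn", "rst"} <= flags:
        reasons.append("SYN+RST")
    if flags & {"fin", "psh", "urg"} and "ack" not in flags:
        reasons.append("FIN/PSH/URG without ACK")
    return reasons


def analyze(text):
    """Parse CSV log lines; return (src_ip, dport, problems) for each line that deserves a look."""
    findings = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 7 or row[5] != "TCP":
            continue
        src_ip = row[1].split()[0]          # drop the "(hostname)" part
        dport = int(row[4])
        problems = flag_problems(set(row[6].split()))
        if dport == 0:
            problems.insert(0, "destination port 0")
        if problems:
            findings.append((src_ip, dport, problems))
    return findings


def per_source(findings):
    """Count suspicious packets per source address, for triage and follow-up with the source's ISP."""
    return Counter(src for src, _, _ in findings)
```

Run against a full export, `per_source` shows at a glance whether the port-0 traffic comes from a handful of hosts (pointing at a broken client stack) or from many (more consistent with scanning).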
This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 09:22:33 PDT