Could be Netlet, on its default configuration, since Netlet server listens on ports 9877 and 9878, and connects to ports 17888 and 17889 on the intranet server 'intra-serv', respectively. Although it could be something else out there connecting to your machine on port 17889, you can take a look at Netlet (iPlanet Portal Server too) at: http://docs.iplanet.com/docs/manuals/portal/30/ag/netlet.htm It's quite long, but do a 'find' for '17889' in the loaded web page to go to the relevant part of the document. Good luck. Christian. ----- Original Message ----- From: "James Willmore" <jwillmoreat_private> To: <focus-virusat_private>; <incidentsat_private>; <SECURITY-BASICSat_private> Sent: Tuesday, October 09, 2001 1:51 AM Subject: Port 17889 - new attack? > This is an email sent to me by SWATCH. I've gotton quite a few of these packets from various sources. What is this?? Although I have dropped the packet, I wonder what this is. > > Any ideas, thoughts, answers are welcomed. > > Thanks. > > Begin forwarded message: > > Date: Tue, 9 Oct 2001 01:34:22 -0400 > From: root <root@xxxx> > To: root@xxxx > Subject: 'SWATCH - Droped packet' > > > Oct 9 01:34:15 xxxx kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=172.180.19.4 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=63493 DF PROTO=TCP SPT=21027 DPT=17889 WINDOW=8192 RES=0x00 SYN URGP=0 > > > -- > Jim Willmore > jwillmoreat_private > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 09:09:37 PDT