Re: Port 17889 - new attack?

From: Christian Sarmoria (cgsarmorat_private)
Date: Tue Oct 09 2001 - 09:07:05 PDT


    Could be Netlet, on its default configuration, since Netlet server listens
    on ports 9877 and 9878, and connects to ports 17888 and 17889 on the
    intranet server 'intra-serv', respectively.
    
    Although it could be something else out there connecting to your machine on
    port 17889, you can take a look at Netlet (iPlanet Portal Server too) at:
    http://docs.iplanet.com/docs/manuals/portal/30/ag/netlet.htm
    It's quite long, but do a 'find' for '17889' in the loaded web page to go to
    the relevant part of the document.
    Good luck.
    
    Christian.
    
    
    
    ----- Original Message -----
    From: "James Willmore" <jwillmoreat_private>
    To: <focus-virusat_private>; <incidentsat_private>;
    <SECURITY-BASICSat_private>
    Sent: Tuesday, October 09, 2001 1:51 AM
    Subject: Port 17889 - new attack?
    
    
    > This is an email sent to me by SWATCH.  I've gotten quite a few of these packets from various sources.  What is this??  Although I have dropped the packet, I wonder what this is.
    >
    > Any ideas, thoughts, answers are welcomed.
    >
    > Thanks.
    >
    > Begin forwarded message:
    >
    > Date: Tue, 9 Oct 2001 01:34:22 -0400
    > From: root <root@xxxx>
    > To: root@xxxx
    > Subject: 'SWATCH - Droped packet'
    >
    >
    > Oct  9 01:34:15 xxxx kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=172.180.19.4 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=63493 DF PROTO=TCP SPT=21027 DPT=17889 WINDOW=8192 RES=0x00 SYN URGP=0
    >
    >
    > --
    > Jim Willmore
    > jwillmoreat_private
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 09:09:37 PDT
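
Added example, not part of the original messages: a small parser for the Shorewall/netfilter log line format quoted in the thread. It tallies dropped packets per destination port and counts distinct sources, which helps tell one noisy host from probes arriving from various sources. The sample lines are constructed; the host name `gw`, the addresses, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: same field layout as the log line quoted in the thread.
# Host name and addresses (documentation ranges) are placeholders.
SAMPLE_LOG = """\
Oct  9 01:34:15 gw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=63493 DF PROTO=TCP SPT=21027 DPT=17889 WINDOW=8192 RES=0x00 SYN URGP=0
Oct  9 01:34:18 gw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=63511 DF PROTO=TCP SPT=21027 DPT=17889 WINDOW=8192 RES=0x00 SYN URGP=0
Oct  9 01:35:00 gw sshd[311]: Accepted password for jim from 10.0.0.7 port 1022
Oct  9 01:36:02 gw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.77 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4021 DF PROTO=TCP SPT=3110 DPT=17889 WINDOW=8192 RES=0x00 SYN URGP=0
Oct  9 01:40:41 gw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=900 PROTO=TCP SPT=80 DPT=4431 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

PREFIX = re.compile(r"kernel: Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_line(line):
    """Return a dict for a Shorewall kernel log line, or None for other syslog lines."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "action": m["action"], "flags": set()}
    for tok in m["rest"].split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val          # "OUT=" and "MAC=" yield empty strings
        else:
            rec["flags"].add(tok)   # bare tokens such as DF, SYN, ACK
    return rec

def summarize(log_text):
    """Map (proto, dport) -> hits, distinct sources, and SYN-only packet count."""
    stats = defaultdict(lambda: {"hits": 0, "sources": set(), "syn_only": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP" or "DPT" not in rec:
            continue                # skip non-firewall lines and port-less protocols
        entry = stats[(rec.get("PROTO", "?"), int(rec["DPT"]))]
        entry["hits"] += 1
        entry["sources"].add(rec.get("SRC", "?"))
        if rec["flags"] & TCP_FLAGS == {"SYN"}:
            entry["syn_only"] += 1  # new connection attempt, not a stray reply
    return dict(stats)

if __name__ == "__main__":
    for (proto, port), e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{proto}/{port}: {e['hits']} drops, "
              f"{len(e['sources'])} sources, {e['syn_only']} SYN-only")
```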