Re: Port 17889 - new attack?

From: James Willmore (jwillmoreat_private)
Date: Wed Oct 10 2001 - 22:37:27 PDT

Next message: Thomas Whipp: "really odd traffic"

Previous message: Vince Sola: "RE: HTTP Probe by Webserver"
In reply to: Christian Sarmoria: "Re: Port 17889 - new attack?"
Next in thread: Arta: "Re: Port 17889 - new attack?"
Reply: Arta: "Re: Port 17889 - new attack?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

As of the writing of this email, I have not seen anymore of these packets.

However, would this theory hold true if the servers (5 that I saw and emailed the admins of) on different subnets all sent packets at generally the same time?

Does this portal act as a distributed network - allowing many servers communicate at the same time?  I take it that since it's an ecommerce portal, that maybe all these servers need to reconcile books at the same time?

On Tue, 9 Oct 2001 12:07:05 -0400
"Christian Sarmoria" <cgsarmorat_private> wrote:

> Could be Netlet, on its default configuration, since Netlet server listens
> on ports 9877 and 9878, and connects to ports 17888 and 17889 on the
> intranet server 'intra-serv', respectively.
> 
> Although it could be something else out there connecting to your machine on
> port 17889, you can take a look at Netlet (iPlanet Portal Server too) at:
> http://docs.iplanet.com/docs/manuals/portal/30/ag/netlet.htm
> It's quite long, but do a 'find' for '17889' in the loaded web page to go to
> the relevant part of the document.
> Good luck.
> 
> Christian.
> 
> 
> 
> ----- Original Message -----
> From: "James Willmore" <jwillmoreat_private>
> To: <focus-virusat_private>; <incidentsat_private>;
> <SECURITY-BASICSat_private>
> Sent: Tuesday, October 09, 2001 1:51 AM
> Subject: Port 17889 - new attack?
> 
> 
> > This is an email sent to me by SWATCH.  I've gotton quite a few of these
> packets from various sources.  What is this??  Although I have dropped the
> packet, I wonder what this is.
> >
> > Any ideas, thoughts, answers are welcomed.
> >
> > Thanks.
> >
> > Begin forwarded message:
> >
> > Date: Tue, 9 Oct 2001 01:34:22 -0400
> > From: root <root@xxxx>
> > To: root@xxxx
> > Subject: 'SWATCH - Droped packet'
> >
> >
> > Oct  9 01:34:15 xxxx kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC=
> SRC=172.180.19.4 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=63493 DF
> PROTO=TCP SPT=21027 DPT=17889 WINDOW=8192 RES=0x00 SYN URGP=0
> >
> >
> > --
> > Jim Willmore
> > jwillmoreat_private
> >
> > --------------------------------------------------------------------------
> --
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com


-- 
Jim Willmore
jwillmoreat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Thomas Whipp: "really odd traffic"
Previous message: Vince Sola: "RE: HTTP Probe by Webserver"
In reply to: Christian Sarmoria: "Re: Port 17889 - new attack?"
Next in thread: Arta: "Re: Port 17889 - new attack?"
Reply: Arta: "Re: Port 17889 - new attack?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Oct 11 2001 - 09:13:22 PDT