Re: Port 17889 - new attack?

From: James Willmore (jwillmoreat_private)
Date: Wed Oct 10 2001 - 22:37:27 PDT


    As of the writing of this email, I have not seen any more of these packets.
    
    However, would this theory hold true if the servers (5 that I saw and emailed the admins of) on different subnets all sent packets at generally the same time?
    
    Does this portal act as a distributed network - allowing many servers to communicate at the same time?  I take it that since it's an ecommerce portal, that maybe all these servers need to reconcile books at the same time?
    
    On Tue, 9 Oct 2001 12:07:05 -0400
    "Christian Sarmoria" <cgsarmorat_private> wrote:
    
    > Could be Netlet, on its default configuration, since Netlet server listens
    > on ports 9877 and 9878, and connects to ports 17888 and 17889 on the
    > intranet server 'intra-serv', respectively.
    > 
    > Although it could be something else out there connecting to your machine on
    > port 17889, you can take a look at Netlet (iPlanet Portal Server too) at:
    > http://docs.iplanet.com/docs/manuals/portal/30/ag/netlet.htm
    > It's quite long, but do a 'find' for '17889' in the loaded web page to go to
    > the relevant part of the document.
    > Good luck.
    > 
    > Christian.
    > 
    > 
    > 
    > ----- Original Message -----
    > From: "James Willmore" <jwillmoreat_private>
    > To: <focus-virusat_private>; <incidentsat_private>;
    > <SECURITY-BASICSat_private>
    > Sent: Tuesday, October 09, 2001 1:51 AM
    > Subject: Port 17889 - new attack?
    > 
    > 
    > > This is an email sent to me by SWATCH.  I've gotten quite a few of these packets from various sources.  What is this??  Although I have dropped the packet, I wonder what this is.
    > >
    > > Any ideas, thoughts, answers are welcomed.
    > >
    > > Thanks.
    > >
    > > Begin forwarded message:
    > >
    > > Date: Tue, 9 Oct 2001 01:34:22 -0400
    > > From: root <root@xxxx>
    > > To: root@xxxx
    > > Subject: 'SWATCH - Droped packet'
    > >
    > >
    > > Oct  9 01:34:15 xxxx kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=172.180.19.4 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=63493 DF PROTO=TCP SPT=21027 DPT=17889 WINDOW=8192 RES=0x00 SYN URGP=0
    > >
    > >
    > > --
    > > Jim Willmore
    > > jwillmoreat_private
    > >
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see: http://aris.securityfocus.com
    
    
    -- 
    Jim Willmore
    jwillmoreat_private
    
    



    This archive was generated by hypermail 2b30 : Thu Oct 11 2001 - 09:13:22 PDT
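
The question raised in the thread (several servers on different subnets sending packets to port 17889 at roughly the same time) can be checked directly against the firewall log. The following is an added example, not part of the original messages: it parses Shorewall DROP lines in the format quoted above and reports runs of SYNs to one port that come from several distinct sources. The function names, the 5-minute gap, the /16 grouping and every sample line except the first are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8}) .*Shorewall:\S*?:DROP:.*\bSRC=(?P<src>\S+) "
    r".*\bPROTO=(?P<proto>\S+) .*\bDPT=(?P<dpt>\d+)(?P<flags>.*)$")

# Constructed sample input. Only the first entry is the packet quoted in the
# thread; the other sources (documentation/test ranges) and times are invented.
TEMPLATE = ("Oct  9 {t} xxxx kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= "
            "SRC={s} DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=63493 DF "
            "PROTO=TCP SPT=21027 DPT={d} WINDOW=8192 RES=0x00 SYN URGP=0")
SAMPLE = "\n".join(TEMPLATE.format(t=t, s=s, d=d) for t, s, d in [
    ("01:34:15", "172.180.19.4", 17889),
    ("01:34:40", "192.0.2.10", 17889),
    ("01:35:00", "192.0.2.10", 80),
    ("01:35:02", "198.51.100.7", 17889),
    ("01:36:11", "203.0.113.55", 17889),
    ("01:37:30", "198.18.0.9", 17889),
    ("09:12:03", "192.0.2.10", 17889),
])

def parse_drops(text, year=2001):
    """Yield (time, src, dpt) per dropped TCP packet with SYN set (syslog omits the year)."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP" or "SYN" not in m["flags"].split():
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], int(m["dpt"])

def bursts(events, port, gap=timedelta(minutes=5), min_sources=3):
    """Runs of SYNs to `port` with no pause > `gap` and >= `min_sources` sources."""
    runs = []
    for t, s in sorted((t, s) for t, s, d in events if d == port):
        if not runs or t - runs[-1][-1][0] > gap:
            runs.append([])  # pause exceeded the gap: start a new run
        runs[-1].append((t, s))
    out = []
    for run in runs:
        srcs = {s for _, s in run}
        if len(srcs) >= min_sources:
            nets = {str(ip_network(f"{s}/16", strict=False)) for s in srcs}
            out.append({"start": run[0][0], "end": run[-1][0], "sources": srcs, "nets": nets})
    return out

if __name__ == "__main__":
    for b in bursts(list(parse_drops(SAMPLE)), 17889):
        print(b["start"], "->", b["end"], len(b["sources"]), "sources,", len(b["nets"]), "/16s")
```

A burst from several unrelated networks in one short window is the pattern the reply asks about; a single internal portal host reaching its intranet server would show up as one source.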