As of the writing of this email, I have not seen anymore of these packets. However, would this theory hold true if the servers (5 that I saw and emailed the admins of) on different subnets all sent packets at generally the same time? Does this portal act as a distributed network - allowing many servers communicate at the same time? I take it that since it's an ecommerce portal, that maybe all these servers need to reconcile books at the same time? On Tue, 9 Oct 2001 12:07:05 -0400 "Christian Sarmoria" <cgsarmorat_private> wrote: > Could be Netlet, on its default configuration, since Netlet server listens > on ports 9877 and 9878, and connects to ports 17888 and 17889 on the > intranet server 'intra-serv', respectively. > > Although it could be something else out there connecting to your machine on > port 17889, you can take a look at Netlet (iPlanet Portal Server too) at: > http://docs.iplanet.com/docs/manuals/portal/30/ag/netlet.htm > It's quite long, but do a 'find' for '17889' in the loaded web page to go to > the relevant part of the document. > Good luck. > > Christian. > > > > ----- Original Message ----- > From: "James Willmore" <jwillmoreat_private> > To: <focus-virusat_private>; <incidentsat_private>; > <SECURITY-BASICSat_private> > Sent: Tuesday, October 09, 2001 1:51 AM > Subject: Port 17889 - new attack? > > > > This is an email sent to me by SWATCH. I've gotton quite a few of these > packets from various sources. What is this?? Although I have dropped the > packet, I wonder what this is. > > > > Any ideas, thoughts, answers are welcomed. > > > > Thanks. > > > > Begin forwarded message: > > > > Date: Tue, 9 Oct 2001 01:34:22 -0400 > > From: root <root@xxxx> > > To: root@xxxx > > Subject: 'SWATCH - Droped packet' > > > > > > Oct 9 01:34:15 xxxx kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= > SRC=172.180.19.4 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=63493 DF > PROTO=TCP SPT=21027 DPT=17889 WINDOW=8192 RES=0x00 SYN URGP=0 > > > > > > -- > > Jim Willmore > > jwillmoreat_private > > > > -------------------------------------------------------------------------- > -- > > This list is provided by the SecurityFocus ARIS analyzer service. > > For more information on this free incident handling, management > > and tracking system please see: http://aris.securityfocus.com -- Jim Willmore jwillmoreat_private ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Oct 11 2001 - 09:13:22 PDT