33270:trinity connection from port 80 to local machine on port

From: Bradley Filmer (bfilmerat_private)
Date: Wed Oct 31 2001 - 00:11:43 PST

    I am curious as to what this might be. I am seeing hits in my iptables
    logs after visiting certain websites, mainly:
    
    Oct 29 09:26:15 stealth kernel: IN=eth0 OUT= MAC= "long number"
    SRC=64.28.67.70 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=46
    ID=16970 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN
    URGP=0
    This is netbsd.org
    
    Oct 30 11:35:47 stealth kernel: IN=eth0 OUT= MAC= "long number"
    SRC=64.58.76.98 DST=my.adr.xxx.xxx LEN=44 TOS=0x00 PREC=0x00 TTL=48
    ID=9741 DF PROTO=TCP SPT=443 DPT=33270 WINDOW=16560 RES=0x00 ACK SYN
    URGP=0
    This is yahoo groups.
    
    Oct 31 09:01:41 stealth kernel: IN=eth0 OUT= MAC= "long number"
    SRC=204.152.186.171 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=51
    ID=23555 PROTO=TCP SPT=80 DPT=33270 WINDOW=32768 RES=0x00 ACK SYN URGP=0
    This is mysql.org
    
    Always 5 hits and I can't tell you how long after. I have checked port
    33270 trinity on my machine and the local subnet for the trinity ddos
    with nothing found. 
    Is this just a false negative or am I seeing something more ominous....
    
    Cheers for any information or reassurance
    -- 
    Bradley Filmer
    Looking for paranoia in all the right places
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
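
An added triage example, not part of the original post: it parses the three iptables LOG entries quoted above and labels each by its TCP handshake role. A SYN+ACK is the second segment of a handshake, so its destination port is the source port of the SYN it answers. The function names and the `local_ports` default are assumptions of this example.

```python
import re
from collections import Counter

# The three entries from the post, each re-joined onto one line (the e-mail
# wrapped them). MAC and DST were redacted by the poster and stay as posted.
SAMPLE = [
    'Oct 29 09:26:15 stealth kernel: IN=eth0 OUT= MAC= "long number" '
    'SRC=64.28.67.70 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=46 '
    'ID=16970 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN URGP=0',
    'Oct 30 11:35:47 stealth kernel: IN=eth0 OUT= MAC= "long number" '
    'SRC=64.58.76.98 DST=my.adr.xxx.xxx LEN=44 TOS=0x00 PREC=0x00 TTL=48 '
    'ID=9741 DF PROTO=TCP SPT=443 DPT=33270 WINDOW=16560 RES=0x00 ACK SYN URGP=0',
    'Oct 31 09:01:41 stealth kernel: IN=eth0 OUT= MAC= "long number" '
    'SRC=204.152.186.171 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=51 '
    'ID=23555 PROTO=TCP SPT=80 DPT=33270 WINDOW=32768 RES=0x00 ACK SYN URGP=0',
]
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
FIELD = re.compile(r"(\w+)=(\S*)")

def parse(line):
    """Return the KEY=value fields of one iptables LOG line plus its TCP flags."""
    body = line.partition("kernel: ")[2]
    rec = dict(FIELD.findall(body))
    rec["FLAGS"] = frozenset(tok for tok in body.split() if tok in TCP_FLAGS)
    return rec

def classify(rec, service_ports=(80, 443), local_ports=(32768, 61000)):
    """Label a logged TCP segment by its handshake role.

    local_ports is an ASSUMED ephemeral range for the logging host; compare it
    with /proc/sys/net/ipv4/ip_local_port_range on the machine itself.
    """
    if rec.get("PROTO") != "TCP":
        return "not-tcp"
    spt, dpt = int(rec["SPT"]), int(rec["DPT"])
    if rec["FLAGS"] == {"SYN"}:
        return "inbound-syn"            # a remote host opening a connection
    if rec["FLAGS"] == {"SYN", "ACK"}:  # second step of a handshake
        if spt in service_ports and local_ports[0] <= dpt <= local_ports[1]:
            return "syn-ack-from-service-port"
        return "syn-ack-other"
    return "other"

def summarize(lines):
    """Count entries per (source, source port, destination port, label)."""
    recs = [parse(l) for l in lines]
    return Counter((r.get("SRC"), r.get("SPT"), r.get("DPT"), classify(r)) for r in recs)

if __name__ == "__main__":
    for key, hits in summarize(SAMPLE).items():
        print(hits, *key)
```
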
    



    This archive was generated by hypermail 2b30 : Wed Oct 31 2001 - 08:28:02 PST