I noticed one of my clients' machines seeing a lot more traffic than normal. tcpdump on the firewall got me stuff like:

    13:27:20.932382 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 487424:488884(1460) ack 1 win 17520 (DF)
    13:27:20.932530 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: . 487424:488884(1460) ack 1 win 17520 (DF)
    13:27:20.933615 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 488884:490344(1460) ack 1 win 17520 (DF)
    13:27:20.933757 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: . 488884:490344(1460) ack 1 win 17520 (DF)
    13:27:20.934845 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: P 490344:491804(1460) ack 1 win 17520 (DF)
    13:27:20.934983 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: P 490344:491804(1460) ack 1 win 17520 (DF)
    13:27:20.936076 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 491804:493264(1460) ack 1 win 17520 (DF)
    13:27:20.936214 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: . 491804:493264(1460) ack 1 win 17520 (DF)
    13:27:20.936835 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: P 494724:495616(892) ack 1 win 17520 (DF)
    13:27:20.936968 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: P 494724:495616(892) ack 1 win 17520 (DF)

And:

    13:27:21.224434 eth0 < gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: . 432432:433892(1460) ack 1 win 17520 (DF)
    13:27:21.224585 eth1 > gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: . 432432:433892(1460) ack 1 win 17520 (DF)
    13:27:21.225191 eth0 < gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: P 433892:434784(892) ack 1 win 17520 (DF)
    13:27:21.225324 eth1 > gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: P 433892:434784(892) ack 1 win 17520 (DF)

I can't find any references to port 2800 or 4059, at least in Google. Is there a better source to search for possible intrusion attempts?

nmap for hostx says:

    Starting nmap V. 2.53 by fyodorat_private ( www.insecure.org/nmap/ )
    Interesting ports on hostx (www.xxx.yyy.zzz):
    (The 65512 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp
    80/tcp     open        http
    99/tcp     open        metagram
    135/tcp    open        loc-srv
    139/tcp    open        netbios-ssn
    443/tcp    open        https
    808/tcp    open        unknown
    881/tcp    open        unknown
    1029/tcp   open        unknown
    1081/tcp   open        unknown
    1082/tcp   open        unknown
    1083/tcp   open        ansoft-lm-1
    1433/tcp   open        ms-sql-s
    1720/tcp   filtered    unknown
    2080/tcp   open        unknown
    2429/tcp   open        unknown
    4080/tcp   open        unknown
    4899/tcp   open        unknown
    5631/tcp   open        pcanywheredata
    31333/tcp  open        unknown
    44442/tcp  open        unknown
    44443/tcp  open        unknown
    65301/tcp  open        pcanywhere

    Nmap run completed -- 1 IP address (1 host up) scanned in 212 seconds

Hostx is an NT Server 4.0 box, SP6a, running IIS, Cold Fusion, and some other webhosting-related stuff. I'm not extremely familiar with NT, so could use some thoughts here.

--
John Oliver
System Administrator
hosting.com, an Allegiance Telecom company
mailto:john.oliverat_private
(858) 637-3600
http://www.hosting.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
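A triage helper for output like the trace above, added here as an example and not part of the original post: it parses the tcpdump 3.x line format quoted, sums payload bytes per remote host and local port on one firewall interface (each forwarded packet appears twice, once on eth0 and once on eth1), and lists flows where the remote side has pushed a lot of data while the local host has acknowledged nothing beyond the SYN (tcpdump prints relative sequence numbers, so "ack 1" means hostx has sent no data on that connection). The sample lines are constructed from the post; hostnames and ports are the post's own.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump 3.x format quoted in the post (not a live capture).
SAMPLE = """\
13:27:20.932382 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 487424:488884(1460) ack 1 win 17520 (DF)
13:27:20.932530 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: . 487424:488884(1460) ack 1 win 17520 (DF)
13:27:20.936835 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: P 494724:495616(892) ack 1 win 17520 (DF)
13:27:21.224434 eth0 < gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: . 432432:433892(1460) ack 1 win 17520 (DF)
13:27:21.225191 eth0 < gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: P 433892:434784(892) ack 1 win 17520 (DF)
"""

# One tcpdump 3.x TCP line: time iface dir src.port > dst.port: flags [seq:end(len)] ack N win W ...
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) (?P<dir>[<>]) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) (?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\) )?ack (?P<ack>\d+)"
)

def summarize(text, iface="eth0"):
    """Aggregate per (src, dst, dport) on a single interface: the firewall logs
    each forwarded packet on eth0 and again on eth1, so counting both interfaces
    would double every byte total."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "high_seq": 0, "acked": 0})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["iface"] != iface:
            continue
        f = flows[(m["src"], m["dst"], int(m["dport"]))]
        f["packets"] += 1
        if m["len"]:                       # data segment, not a bare ACK
            f["bytes"] += int(m["len"])
            f["high_seq"] = max(f["high_seq"], int(m["end"]))
        f["acked"] = max(f["acked"], int(m["ack"]))
    return dict(flows)

def one_way_uploads(flows, min_seq=100_000):
    """Flows where the remote side has pushed at least min_seq bytes (relative
    sequence number) while the local host never sent data back (ack stays at 1):
    the local port is acting purely as a data sink and deserves a closer look.
    Returns (dst, dport, src, high_seq) tuples, largest transfer first."""
    hits = [(d, p, s, f["high_seq"]) for (s, d, p), f in flows.items()
            if f["acked"] <= 1 and f["high_seq"] >= min_seq]
    return sorted(hits, key=lambda h: -h[3])
```

Run it over a full capture with `summarize(open("fw.log").read())` and feed the result to `one_way_uploads` to get the local ports worth correlating against the process list on the box.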
This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 15:00:14 PST