Port 4927 traffic spike

From: joeat_private
Date: Wed Jun 19 2002 - 23:08:14 PDT

    Between 17:09 and 17:25 (MST) our firewall recorded an unusual spike in attempted connections on port 4927 (i.e., we've never recorded any traffic to this port before; to see seven different hosts connecting to it in such a short period is for us, well, unusual).
    
    I've searched as many engines as I can think of for any information regarding exploits associated with this port - unfortunately, the references I've found have been less than informative.
    
    I'm still relatively new to traffic analysis/IDS and I'd very much appreciate it if anyone could point me towards some useful information regarding this port and/or if more experienced eyes could take a quick peek - even if it's to tell me I'm being paranoid :)
    
    TIA,
    Joe
    
    -----BEGIN LOG ENTRIES-----
    Jun 19 17:09:07.430317 block in on rl1: 4.64.100.172.4662 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:09:09.093274 block in on rl1: 4.64.100.172.4662 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:09:10.467386 block in on rl1: 4.64.100.172.4662 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:09:12.674151 block in on rl1: 4.64.100.172.4662 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:09:40.217676 block in on rl1: 4.64.100.172.4688 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:09:42.233482 block in on rl1: 4.64.100.172.4688 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:09:44.998248 block in on rl1: 4.64.100.172.4688 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:09:48.098919 block in on rl1: 4.64.100.172.4688 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:10:09.946623 block in on rl1: 4.64.100.172.4704 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:10:12.755655 block in on rl1: 4.64.100.172.4704 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:10:15.022061 block in on rl1: 4.64.100.172.4704 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:10:17.160173 block in on rl1: 4.64.100.172.4704 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:10:40.131331 block in on rl1: 4.64.100.172.4725 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:10:42.075267 block in on rl1: 4.64.100.172.4725 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:10:43.883400 block in on rl1: 4.64.100.172.4725 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:10:46.025442 block in on rl1: 4.64.100.172.4725 > xxx.xxx.xxx.xxx.4927:
    
    Jun 19 17:11:33.545032 block in on rl1: 63.53.142.126.1805 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:11:34.366877 block in on rl1: 63.53.142.126.1805 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:11:35.152137 block in on rl1: 63.53.142.126.1805 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:11:35.806177 block in on rl1: 63.53.142.126.1805 > xxx.xxx.xxx.xxx.4927:
    
    Jun 19 17:13:14.232704 block in on rl1: 68.9.186.117.4347 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:13:15.730094 block in on rl1: 68.9.186.117.4347 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:13:16.894474 block in on rl1: 68.9.186.117.4347 > xxx.xxx.xxx.xxx.4927:
    
    Jun 19 17:22:50.528709 block in on rl1: 217.82.205.9.1083 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:22:51.268230 block in on rl1: 217.82.205.9.1083 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:22:51.972782 block in on rl1: 217.82.205.9.1083 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:22:52.692512 block in on rl1: 217.82.205.9.1083 > xxx.xxx.xxx.xxx.4927: 
    
    Jun 19 17:25:02.175463 block in on rl1: 24.44.244.104.4617 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:25:02.737988 block in on rl1: 24.44.244.104.4617 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:25:03.339816 block in on rl1: 24.44.244.104.4617 > xxx.xxx.xxx.xxx.4927:
    
    Jun 19 17:25:41.084725 block in on rl1: 209.214.149.230.2509 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:25:44.230967 block in on rl1: 209.214.149.230.2509 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:25:47.681922 block in on rl1: 209.214.149.230.2509 > xxx.xxx.xxx.xxx.4927:
    
    Jun 19 17:25:53.680538 block in on rl1: 65.129.58.84.1144 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:25:55.049764 block in on rl1: 65.129.58.84.1144 > xxx.xxx.xxx.xxx.4927:
    Jun 19 17:25:56.386867 block in on rl1: 65.129.58.84.1144 > xxx.xxx.xxx.xxx.4927:
    -----END LOG ENTRIES-----
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
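    The kind of first-pass triage the poster is asking for can be scripted. The following is an added example and not code from the original post or from the list: it parses ipmon-style "block in on rl1: src.sport > dst.dport:" lines, folds the repeated lines that share one source IP and source port into a single connection attempt (they are the client's SYN retransmissions, which is itself a hint that a real TCP stack rather than a spoofed flood is behind them), and then reports destination ports that were never in a baseline but were hit by several distinct hosts. The sample lines are copied from the post above (destination masked as in the post); the log year is assumed to be 2002 because syslog stamps carry none, and the baseline port set in the usage call is a constructed placeholder.

```python
"""Triage firewall 'block' lines: count attempts per source, sources per port,
and flag ports that are absent from a baseline yet probed by several hosts."""
import re
from collections import defaultdict
from datetime import datetime

# ipmon-style line as shown in the post; dst may be masked ("xxx.xxx.xxx.xxx")
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<iface>\S+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+):"
)
LOG_YEAR = 2002  # assumption: syslog stamps have no year; taken from the post date


def parse_log(lines):
    """One record per parseable line; banner/blank lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['stamp']} {LOG_YEAR}", "%b %d %H:%M:%S.%f %Y")
        records.append({"time": when, "action": m["action"], "iface": m["iface"],
                        "src": m["src"], "sport": int(m["sport"]),
                        "dst": m["dst"], "dport": int(m["dport"])})
    return records


def connection_attempts(records):
    """Group packets by (src, sport, dst, dport): one TCP connection attempt each."""
    attempts = defaultdict(list)
    for r in records:
        attempts[(r["src"], r["sport"], r["dst"], r["dport"])].append(r["time"])
    return {k: sorted(v) for k, v in attempts.items()}


def retry_gaps(times):
    """Seconds between successive packets of one attempt (SYN retransmit spacing)."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def port_summary(records):
    """Per destination port: distinct sources, attempts, packets and time span."""
    summary = {}
    for (src, _sport, _dst, dport), times in connection_attempts(records).items():
        s = summary.setdefault(dport, {"sources": set(), "attempts": 0, "packets": 0,
                                       "first": times[0], "last": times[-1]})
        s["sources"].add(src)
        s["attempts"] += 1
        s["packets"] += len(times)
        s["first"], s["last"] = min(s["first"], times[0]), max(s["last"], times[-1])
    for s in summary.values():
        s["span_seconds"] = (s["last"] - s["first"]).total_seconds()
    return summary


def unusual_ports(summary, baseline_ports, min_sources=3):
    """Ports not in the baseline that at least min_sources distinct hosts probed."""
    return sorted(p for p, s in summary.items()
                  if p not in baseline_ports and len(s["sources"]) >= min_sources)


# Sample input: a subset of the post's own log lines, plus its banner line.
SAMPLE_LOG = """-----BEGIN LOG ENTRIES-----
Jun 19 17:09:07.430317 block in on rl1: 4.64.100.172.4662 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:09:09.093274 block in on rl1: 4.64.100.172.4662 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:09:10.467386 block in on rl1: 4.64.100.172.4662 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:09:12.674151 block in on rl1: 4.64.100.172.4662 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:09:40.217676 block in on rl1: 4.64.100.172.4688 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:09:42.233482 block in on rl1: 4.64.100.172.4688 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:09:44.998248 block in on rl1: 4.64.100.172.4688 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:09:48.098919 block in on rl1: 4.64.100.172.4688 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:11:33.545032 block in on rl1: 63.53.142.126.1805 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:11:34.366877 block in on rl1: 63.53.142.126.1805 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:11:35.152137 block in on rl1: 63.53.142.126.1805 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:11:35.806177 block in on rl1: 63.53.142.126.1805 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:13:14.232704 block in on rl1: 68.9.186.117.4347 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:13:15.730094 block in on rl1: 68.9.186.117.4347 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:13:16.894474 block in on rl1: 68.9.186.117.4347 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:25:02.175463 block in on rl1: 24.44.244.104.4617 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:25:02.737988 block in on rl1: 24.44.244.104.4617 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:25:03.339816 block in on rl1: 24.44.244.104.4617 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:25:53.680538 block in on rl1: 65.129.58.84.1144 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:25:55.049764 block in on rl1: 65.129.58.84.1144 > xxx.xxx.xxx.xxx.4927:
Jun 19 17:25:56.386867 block in on rl1: 65.129.58.84.1144 > xxx.xxx.xxx.xxx.4927:
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG.splitlines())
    summary = port_summary(recs)
    for port, s in sorted(summary.items()):
        print(f"port {port}: {len(s['sources'])} sources, {s['attempts']} attempts, "
              f"{s['packets']} packets over {s['span_seconds']:.0f}s")
    baseline = {22, 25, 80, 443}  # placeholder: ports seen in normal traffic
    print("never-seen ports hit by >=3 hosts:", unusual_ports(summary, baseline))
```

    Run over the full log from the post, the attempt count stays well below the packet count and every source retries at one- to three-second spacing; in the original those are the two things to check before assuming a flood. Whether the port is worth chasing further is a matter of comparing it against what the site normally sees, which is what the baseline set stands in for.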
    



    This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 08:21:24 PDT