In-Reply-To: <20021026093047.GA30704at_private>

After detailed investigation, I've found that it is really caused by the PHP debugger. All the packets disappeared after I turned off the debugging feature of PHP.

But what caused the PHP debugging to remotely send information out? Is it a sign of a hacker, or are there actually some bugs in the PHP programs? Because I am running SquirrelMail on that mail server.

>Date: Sat, 26 Oct 2002 09:30:47 +0000
>From: Luis Bruno <lbrunoat_private>
>To: incidentsat_private
>Subject: Re: Keep connecting to remote host on port 7869
>
>Frank Cheong wrote:
>> My redhat linux mail host keeps connecting to other remote host quite
>> frequently on remote port 7869.
>> [snip]
>> Below is the firewall log (IP address being modified) :
>>
>> 10/23/2002 11:13:36.640 - TCP connection dropped -
>> Source:123.123.123.123, 51321, LAN -
>> Destination:234.234.234.234, 7869, WAN - Type: 786 -
>> Rule 66
>
>If your firewall drops the connection through a TCP RST, change it so that
>it silently drops the packets. This will make the Linux box hang waiting
>for a timeout.
>
>Then execute:
>
>    netstat -tanp | grep <port>
>
>on the Linux box, where <port> is the source port you see in the Source:
>line on your firewall logs.
>
>--------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
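The netstat step quoted in this message, written out as an added example that is not part of the original thread: netstat -tanp reads /proc/net/tcp and matches socket inodes against /proc/<pid>/fd, and the sketch below does the same for every socket aimed at remote port 7869, including ones stuck in SYN_SENT behind a silently dropping firewall. The function names and the sample table are constructed for illustration; the addresses and ports mirror the firewall log above, and the trailing columns of the real file are trimmed.

```python
import glob
import os
import socket
import struct

# Subset of the kernel's TCP state codes as printed in /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout; addresses and ports mirror the
# firewall log in the thread, uid and inode values are made up.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 7B7B7B7B:C879 EAEAEAEA:1EBD 02 00000001:00000000 01:00000064 00000002    48        0 20555
"""

def decode(hexpair):
    addr, port = hexpair.split(":")
    # '7B7B7B7B:C879' -> ('123.123.123.123', 51321); address is a native-endian integer.
    return socket.inet_ntoa(struct.pack("=I", int(addr, 16))), int(port, 16)

def sockets_to_port(proc_net_tcp, remote_port):
    """Return IPv4 TCP sockets whose remote port matches, in any state."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10 and decode(f[2])[1] == remote_port:
            hits.append({"local": decode(f[1]), "remote": decode(f[2]),
                         "state": TCP_STATES.get(f[3], f[3]),
                         "uid": int(f[7]), "inode": int(f[9])})
    return hits

def pids_for_inode(inode):
    """Find processes holding the socket by scanning /proc/<pid>/fd (needs root)."""
    target = "socket:[%d]" % inode
    pids = set()
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split("/")[2]))
        except OSError:  # process exited or permission denied
            continue
    return sorted(pids)

if __name__ == "__main__":
    text = open("/proc/net/tcp").read() if os.path.exists("/proc/net/tcp") else SAMPLE
    for s in sockets_to_port(text, 7869):
        print(s, "pids:", pids_for_inode(s["inode"]))
```

The uid column identifies the account that opened the socket even when the owning process has already exited and the PID scan comes back empty.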
This archive was generated by hypermail 2b30 : Sun Oct 27 2002 - 18:26:17 PST