Not exactly an incident (after checking it out), but it appears the LinkSys cable router logging tool dynamically opens TCP & UDP low ephemeral ports to connect w/ its directory...which I didn't tell it, so the path for "put"-ing the log append is in the traffic. PRESUMING the LinkSys does its job ("warning, Will Robinson!"), that won't be seen outside unless the logging machine is also the DMZ or exposed by forwarding (dumb).

Note listening ports associated w/ LinkSys Log Viewer (from IOS 1.33.1 & usable in all subsequent IOS versions):

BEFORE Log Viewer active:

  C:\WINDOWS>netstat -an

  Active Connections

    Proto  Local Address          Foreign Address        State
    TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
    TCP    192.168.205.2:137      0.0.0.0:0              LISTENING
    TCP    192.168.205.2:138      0.0.0.0:0              LISTENING
    TCP    192.168.205.2:139      0.0.0.0:0              LISTENING
    UDP    192.168.205.2:137      *:*
    UDP    192.168.205.2:138      *:*

AFTER Log Viewer active:

  C:\WINDOWS>netstat -an

  Active Connections

    Proto  Local Address          Foreign Address        State
    TCP    0.0.0.0:162            0.0.0.0:0              LISTENING
    TCP    0.0.0.0:1271           0.0.0.0:0              LISTENING
    TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
    TCP    127.0.0.1:1269         127.0.0.1:110          TIME_WAIT
    TCP    192.168.xxx.xxx:137    0.0.0.0:0              LISTENING
    TCP    192.168.xxx.xxx:138    0.0.0.0:0              LISTENING
    TCP    192.168.xxx.xxx:139    0.0.0.0:0              LISTENING
    UDP    0.0.0.0:162            *:*
    UDP    0.0.0.0:1271           *:*
    UDP    192.168.xxx.xxx:137    *:*
    UDP    192.168.xxx.xxx:138    *:*

BOTH TCP and UDP ports 162 and a low ephemeral (in this case 1271, but have seen others based on what's next in the queue) are used. 162 is, of course, the SNMP trap port, which is used for the LinkSys logger. 1271 (etc.) appears to be the log reporting/update/append port.

This is "normal behavior" with the log viewer enabled. It's also another darned port opened, w/ dynamic assignment no less, that bears watching.

Bob Hillery, GSEC, GCIA, etc...
Quis custodiet ipsos custodes ?
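The before/after comparison above is the kind of check worth automating. As an added example (not code from the post or from LinkSys), here is a small Python checker that parses two Windows `netstat -an` captures in the format shown, reports sockets that appeared between them, and flags those bound on every interface or on a dynamically assigned port; it counts TCP rows only in LISTENING state and skips the TIME_WAIT client socket. The sample captures are constructed from the post's listings, with 192.168.205.2 filled in for the masked host address.

```python
# Constructed captures transcribed from the post's two listings (masked host filled in as 192.168.205.2).
BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
  TCP    192.168.205.2:137      0.0.0.0:0              LISTENING
  TCP    192.168.205.2:138      0.0.0.0:0              LISTENING
  TCP    192.168.205.2:139      0.0.0.0:0              LISTENING
  UDP    192.168.205.2:137      *:*
  UDP    192.168.205.2:138      *:*
"""
AFTER = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:162            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1271           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1269         127.0.0.1:110          TIME_WAIT
  TCP    192.168.205.2:137      0.0.0.0:0              LISTENING
  TCP    192.168.205.2:138      0.0.0.0:0              LISTENING
  TCP    192.168.205.2:139      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:162            *:*
  UDP    0.0.0.0:1271           *:*
  UDP    192.168.205.2:137      *:*
  UDP    192.168.205.2:138      *:*
"""
def parse_sockets(netstat_output):
    """Set of (proto, addr, port) sockets that currently accept traffic."""
    sockets = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        state = parts[3] if len(parts) > 3 else None
        if parts[0] == "TCP" and state != "LISTENING":
            continue  # only LISTENING TCP counts; UDP has no state column
        addr, port = parts[1].rsplit(":", 1)  # rsplit keeps IPv6 [..] intact
        sockets.add((parts[0], addr, int(port)))
    return sockets
def new_listeners(before, after, ephemeral_floor=1024):
    """Sockets in `after` but not `before`, each with why it merits a look."""
    findings = []
    for proto, addr, port in sorted(parse_sockets(after) - parse_sockets(before)):
        notes = []
        if addr == "0.0.0.0":
            notes.append("bound to all interfaces")
        if port >= ephemeral_floor:
            notes.append("dynamic/ephemeral port")  # may differ on the next run
        findings.append((proto, addr, port, notes))
    return findings
```

Feed it two real captures (e.g. `netstat -an` output saved before and after starting the tool) and anything it returns is a new listener to account for.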
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 10:54:27 PDT