
RE: ipchains log (62459 UDP port)




Pedro;

If you go to http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

You will find that port 4000 is a Trojan called Skydance and port
62459 is not listed. (I would suspect that it hasn't been added to the
list yet or perhaps the user of the Trojan altered the port it uses.)

Nick Nanos

-----Original Message-----
From: Pedro Zorzenon Neto [mailto:pzn@terra.com.br]
Sent: Wednesday, April 11, 2001 10:07 AM
To: debian-security@lists.debian.org
Subject: ipchains log (62459 UDP port)


Hi,

I'd like to know to which service these packets belong. I got it from
the ipchains kernel log on my machine:

Apr 11 12:43:10 milho kernel: Packet log: input ACCEPT eth1 PROTO=17
205.188.153.99:4000 200.183.58.81:62459 L=93 S=0x00 I=8195 F=0x4000
T=240 (#12)
Apr 11 12:43:22 milho kernel: Packet log: input ACCEPT eth1 PROTO=17
205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=8196 F=0x4000
T=240 (#12)
Apr 11 12:44:08 milho kernel: Packet log: input ACCEPT eth1 PROTO=17
205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=65485 F=0x4000
T=240 (#12)
Apr 11 12:44:32 milho kernel: Packet log: input ACCEPT eth1 PROTO=17
205.188.153.99:4000 200.183.58.81:62459 L=94 S=0x00 I=65486 F=0x4000
T=240 (#12)
Apr 11 12:44:38 milho kernel: Packet log: input ACCEPT eth1 PROTO=17
205.188.153.99:4000 200.183.58.81:62459 L=94 S=0x00 I=65487 F=0x4000
T=240 (#12)
... and some more like these...

When I seek this port I get:
#nmap -sU -p 62459 -v localhost
WARNING:  -sU is now UDP scan -- for TCP FIN scan use -sF
Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com,
www.insecure.org/nmap/)
Host localhost (127.0.0.1) appears to be up ... good.
Initiating FIN,NULL, UDP, or Xmas stealth scan against localhost
(127.0.0.1)
The UDP or stealth FIN/NULL/XMAS scan took 0 seconds to scan 1 ports.
No ports open for host localhost (127.0.0.1)
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

Looking up the other IP:
----
$ whois 205.188.153.99
America Online, Inc (NETBLK-AOL-DTC)
22080 Pacific Blvd
Sterling, VA 20166
US
----
I wasn't accessing any page from AOL at the time this log was
written...

Is there anything unsafe in my system??? Anything to worry about?

  Thanks in advance,

  Pedro



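As an added example (not code from this thread), a small Python parser for ipchains "Packet log" records of the kind quoted above: it rejoins lines that the mail client folded, decodes the fields (PROTO, src:sport, dst:dport, L=total length, S=TOS, I=IP ID, F=fragment word, T=TTL, #rule), and aggregates the entries per 5-tuple so a run of such lines can be assessed as one flow (packet count, bytes, and whether the IP IDs run consecutively from one sender). The sample records are constructed from the log quoted in the thread.

```python
import re

# Constructed sample: two of the ipchains "Packet log" records quoted in
# the thread, folded across lines exactly as the mail client wrapped them.
SAMPLE_LOG = """\
Apr 11 12:43:10 milho kernel: Packet log: input ACCEPT eth1 PROTO=17
205.188.153.99:4000 200.183.58.81:62459 L=93 S=0x00 I=8195 F=0x4000
T=240 (#12)
Apr 11 12:43:22 milho kernel: Packet log: input ACCEPT eth1 PROTO=17
205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=8196 F=0x4000
T=240 (#12)
"""

# ipchains (Linux 2.2) record layout: chain target iface PROTO=n src:sport
# dst:dport L=total-length S=tos I=ip-id F=fragment-word T=ttl (#rule)
RECORD = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$")
TIMESTAMP = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d ")
INT_FIELDS = ("proto", "sport", "dport", "length", "ipid", "ttl", "rule")

def unwrap(text):
    """Rejoin records that were folded onto continuation lines."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse(text):
    """One dict per well-formed record; lines that do not match are skipped."""
    out = []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if m:
            d = m.groupdict()
            d.update({k: int(d[k]) for k in INT_FIELDS})
            out.append(d)
    return out

def summarize(records):
    """Aggregate by 5-tuple: packet count, total bytes, and the IP-ID run."""
    flows = {}
    for r in records:
        key = (r["proto"], r["src"], r["sport"], r["dst"], r["dport"])
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "ipids": []})
        f["packets"] += 1
        f["bytes"] += r["length"]
        f["ipids"].append(r["ipid"])
    return flows
```

Consecutive IP IDs (8195, 8196) in one flow show the datagrams came from the same sending stack in quick succession, which is what a server replying to a client on a single high port looks like; the nmap run above confirms nothing is listening on 62459 locally.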



Reply to: