
Re: ipchains log (62459 UDP port)



I discovered what it was.

205.188.153.99 is one of Mirabilis' ICQ servers.
The logs were the packets of the messages that I received in GnomeICU :-)

Now I think there isn't much to worry about...

Sorry for asking such a stupid question.

  Pedro

On Wed, Apr 11, 2001 at 11:00:30AM -0400, Nick Nanos wrote:
> 
> Pedro;
> 
> If you go to http://www.sans.org/newlook/resources/IDFAQ/oddports.htm
> 
> You will find that port 4000 is a Trojan called Skydance and port
> 62459 is not listed. (I would suspect that it hasn't been added to the
> list yet or perhaps the user of the Trojan altered the port it uses.)
> 
> Nick Nanos
> 
> -----Original Message-----
> From: Pedro Zorzenon Neto [mailto:pzn@terra.com.br]
> Sent: Wednesday, April 11, 2001 10:07 AM
> To: debian-security@lists.debian.org
> Subject: ipchains log (62459 UDP port)
> 
> 
> Hi,
> 
> I'd like to know to which service these packets belong. I got it from
> the ipchains kernel log on my machine:
> 
> Apr 11 12:43:10 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=93 S=0x00 I=8195 F=0x4000 T=240 (#12)
> Apr 11 12:43:22 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=8196 F=0x4000 T=240 (#12)
> Apr 11 12:44:08 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=65485 F=0x4000 T=240 (#12)
> Apr 11 12:44:32 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=94 S=0x00 I=65486 F=0x4000 T=240 (#12)
> Apr 11 12:44:38 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=94 S=0x00 I=65487 F=0x4000 T=240 (#12)
> ... and some more like these...
> 
> When I seek this port I get:
> #nmap -sU -p 62459 -v localhost
> WARNING:  -sU is now UDP scan -- for TCP FIN scan use -sF
> Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
> Host localhost (127.0.0.1) appears to be up ... good.
> Initiating FIN,NULL, UDP, or Xmas stealth scan against localhost (127.0.0.1)
> The UDP or stealth FIN/NULL/XMAS scan took 0 seconds to scan 1 ports.
> No ports open for host localhost (127.0.0.1)
> Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
> 
> looking about the other IP:
> ----
> $ whois 205.188.153.99
> America Online, Inc (NETBLK-AOL-DTC)
> 22080 Pacific Blvd
> Sterling, VA 20166
> US
> ----
> I wasn't accessing any page from AOL at the time this log was
> written...
> 
> Is there anything unsafe in my system??? anything to worry about?
> 
>   Thanks in advance,
> 
>   Pedro
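The ipchains "Packet log:" lines quoted in the thread, parsed into their fields and summarised per flow, as an added example that is not part of this thread or of any tool it mentions. The field layout (L= total length, S= TOS, I= IP id, F= raw fragment word, T= TTL, #rule number) is the standard ipchains one; the sample records are constructed from the quoted log with the mail wrapping removed.

```python
import re
from collections import defaultdict

# Constructed sample: three of the ipchains records quoted in the thread,
# with the mail-client line wrapping removed so each record is one line.
SAMPLE_LOG = """\
Apr 11 12:43:10 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=93 S=0x00 I=8195 F=0x4000 T=240 (#12)
Apr 11 12:43:22 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=8196 F=0x4000 T=240 (#12)
Apr 11 12:44:08 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=65485 F=0x4000 T=240 (#12)
"""

# ipchains record layout:
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<total length> S=<TOS> I=<IP id> F=<fragment word> T=<TTL> (#<rule>)
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-f]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)",
    re.IGNORECASE,
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_line(line):
    """Return one packet-log record as a dict, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    r = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        r[key] = int(r[key])
    r["tos"], frag = int(r["tos"], 16), int(r["frag"], 16)
    r["proto"] = PROTO_NAMES.get(r["proto"], str(r["proto"]))
    # F= is the raw IP fragment field: 0x4000 = DF, 0x2000 = MF, low 13 bits = offset.
    r["df"], r["mf"], r["frag_offset"] = bool(frag & 0x4000), bool(frag & 0x2000), frag & 0x1FFF
    return r

def summarize_flows(log_text):
    """Group records by 5-tuple: {(proto, src, sport, dst, dport): (packets, bytes)}."""
    flows = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        key = (r["proto"], r["src"], r["sport"], r["dst"], r["dport"])
        flows[key][0] += 1
        flows[key][1] += r["length"]
    return {k: tuple(v) for k, v in flows.items()}
```

A per-flow view like this is what makes the traffic readable: one remote service port sending a steady stream to a single local ephemeral port is the shape of a client's own session replies, whereas a scan would show up as one source touching many local ports.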


