
Re: Unusual logging



What seems odd to me is that the yyy IP is originating from such a low port
(3) which means the system is most likely not unix or windows (or at least 
not standard apps), unless using some specific application. Anyone know of 
one that does this?  

If you want to be on the lookout for port scans, check out portsentry.

Jay

On Thursday 21 March 2002 04:59 pm, petes@movieworld.com.au wrote:
> This has been appearing in our kern.log over the last 4 days. Never had a
> problem with this particular port before then. Nothing has been changed
> (AFAIK) to the system. It's Debian, we never have to touch it :-)
>
> Packet log: input DENY eth0 PROTO=1 yyy.y.yy.yy:3 xxx.xx.xxx.xxx:13 L=56
> S=0x00 I=29688 F=0x0000 T=244 (#30)
>
> It's the :13 part that I found unusual. A little research has revealed that
> it may be an attempt to fingerprint our system to see what is available. I
> was led to believe that this is the Timeday port. Is this correct? xxx is
> our public IP address. And yyy is the remote IP address that is making the
> contact.
>
> Many thanks for any ideas.
>
> Pete Schmidt
> Warner Village
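Added example, not part of either poster's message: a small Python decoder for ipchains `Packet log:` lines like the one quoted above. It relies on ipchains writing the ICMP type and code in the two `:port` positions when `PROTO=1`; the addresses and syslog prefix in the sample lines are constructed stand-ins for the masked ones in the post.

```python
import re

# ipchains (Linux 2.2) packet-log layout: chain, action, interface, IP protocol
# number, source:field, destination:field, L/S/I/F/T values, rule number.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<a>\d+) (?P<dst>[\d.]+):(?P<b>\d+) "
    r"L=(?P<length>\d+) S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)
PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable",
              8: "echo-request", 11: "time-exceeded"}
UNREACH_CODES = {0: "network-unreachable", 1: "host-unreachable",
                 2: "protocol-unreachable", 3: "port-unreachable",
                 4: "fragmentation-needed",
                 9: "network-administratively-prohibited",
                 10: "host-administratively-prohibited",
                 13: "communication-administratively-prohibited"}

def decode(line):
    """Return a dict describing one ipchains log line, or None if no match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    proto, a, b = int(m["proto"]), int(m["a"]), int(m["b"])
    out = {"chain": m["chain"], "action": m["action"], "iface": m["iface"],
           "proto": PROTOS.get(proto, str(proto)), "src": m["src"],
           "dst": m["dst"], "ttl": int(m["ttl"]), "rule": int(m["rule"])}
    if proto == 1:
        # ICMP has no ports: the two numbers are type and code.
        out["icmp_type"], out["icmp_code"] = a, b
        meaning = ICMP_TYPES.get(a, "type-%d" % a)
        if a == 3:
            meaning += "/" + UNREACH_CODES.get(b, "code-%d" % b)
        out["meaning"] = meaning
    elif proto in (6, 17):
        out["sport"], out["dport"] = a, b
    return out

# Constructed sample lines (documentation addresses, invented syslog prefix).
ICMP_LINE = ("Mar 21 16:40:02 fw kernel: Packet log: input DENY eth0 PROTO=1 "
             "192.0.2.10:3 198.51.100.7:13 L=56 S=0x00 I=29688 F=0x0000 T=244 (#30)")
UDP_LINE = ("Mar 21 16:41:10 fw kernel: Packet log: input DENY eth0 PROTO=17 "
            "192.0.2.10:1027 198.51.100.7:13 L=29 S=0x00 I=4121 F=0x0000 T=52 (#30)")

if __name__ == "__main__":
    for line in (ICMP_LINE, UDP_LINE):
        print(decode(line))
```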


