Security Basics mailing list archives
Re: Probs on port 3123
From: chort <chort () amaunetsgothique com>
Date: Fri, 13 Jun 2003 09:16:10 -0700 (PDT)
Learn to ignore it. I've had several broadband providers and I always make sure to keep my logview running when my workstation is on (one of these days I'll import the MIBs to my Linux box so I'll have real logging). Anyway, the point is I get never-ending streams of attempted IIS exploits, SQL exploits, etc. As long as the firewall is dropping the connection you have nothing to worry about.

The stuff you *do* have to worry about is unexplained traffic to ports you are running services on. Snort is considered to be a pretty good free NIDS that you could deploy if you're concerned about watching your services.

--
-chort

On Fri, 13 Jun 2003, Dominick.S wrote:
Hi Again:

Sorry for over-reacting yesterday, this is an email I received this morning, from the host I contacted yesterday.

---------------------------------------------------------------------------

Hello,

The log you sent showed connections between port 3123 and port 2650 on 66.135.130.125. Port 2650 on 66.135.130.125 is a KaZaA supernode:

# telnet 66.135.130.125 2650
Trying 66.135.130.125...
Connected to 66.135.130.125.
Escape character is '^]'.
GET / HTTP/1.0 501 Not Implemented
X-Kazaa-Username: TimX44
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 66.135.130.125:2650
Connection closed by foreign host.
#

You might want to check, as chances are you are in fact running KaZaA without your knowledge and it's simply talking to a supernode. We will not be investigating this further.

---------------------------------------------------------------------------

Hmm.. OK, I have my home network; none of the PCs run KaZaA (I'm 100% sure). None of my PCs are listening on port 3123. I was just assigned a new IP address from my cable company a few days ago. I'm thinking maybe this IP was running KaZaA or whatever in the past, or a supernode.

We see him telnet in to the "IP" that's probing me, and it's something to do with KaZaA, but what does that have to do with that IP probing me on port 3123 every few minutes?

As you can see, I'm still being probed from all angles.

2003-06-13 09:08:51 Dropping ICMP error message. Original UDP from 81.57.64.78:3870 to my.ip.addy:3123 192.168.1.2 81.57.64.78 3/ICMP
2003-06-13 08:47:02 Dropping ICMP error message. Original UDP from 24.150.92.85:1467 to my.ip.addy:3123 192.168.1.2 24.150.92.85 3/ICMP
2003-06-13 08:30:32 Dropping ICMP error message. Original UDP from 81.57.64.78:3870 to my.ip.addy:3123 192.168.1.2 81.57.64.78 3/ICMP
2003-06-13 08:04:32 Dropping ICMP error message. Original UDP from 81.224.51.188:2730 to my.ip.addy:3123 192.168.1.2 81.224.51.188 3/ICMP
2003-06-13 07:39:30 Dropping ICMP error message. Original UDP from 213.113.9.85:3125 to my.ip.addy:3123 192.168.1.2 213.113.9.85 3/ICMP
2003-06-13 07:25:13 Dropping ICMP error message. Original UDP from 81.57.64.78:3870 to my.ip.addy:3123 192.168.1.2 81.57.64.78 3/ICMP
2003-06-13 07:03:44 Dropping ICMP error message. Original UDP from 213.113.9.85:3125 to my.ip.addy:3123 192.168.1.2 213.113.9.85 3/ICMP
2003-06-13 06:20:25 Dropping ICMP error message. Original UDP from 213.113.9.85:3125 to my.ip.addy:3123 192.168.1.2 213.113.9.85 3/ICMP
2003-06-13 05:25:41 Dropping ICMP error message. Original UDP from 141.161.140.75:2687 to my.ip.addy:3123 192.168.1.2 141.161.140.75 3/ICMP
2003-06-13 04:56:01 Dropping ICMP error message. Original UDP from 212.118.86.86:1813 to my.ip.addy:3123 192.168.1.2 212.118.86.86 3/ICMP
2003-06-13 04:37:52 Dropping ICMP error message. Original UDP from 24.163.60.116:3446 to my.ip.addy:3123 192.168.1.2 24.163.60.116 3/ICMP
2003-06-13 04:17:16 Dropping ICMP error message. Original UDP from 212.118.86.86:1813 to my.ip.addy:3123 192.168.1.2 212.118.86.86 3/ICMP

---------------------------------------------------------------------------

Thanks for the help List!!

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
---------------------------------------------------------------------------
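Added example, not part of the original thread: a small Python triage of firewall entries in the format quoted above, grouping repeats by source endpoint and applying the reply's rule that only traffic to ports with a running service needs a look. The sample entries use documentation addresses and are constructed; the `LISTENING` set and the TCP entry are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entry layout copied from the firewall log quoted in the thread.
ENTRY = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Dropping ICMP error message\.\s+"
    r"Original (?P<proto>UDP|TCP) from (?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"to \S+:(?P<dport>\d+)"
)

# Constructed sample entries (documentation addresses), not the poster's log.
SAMPLE = """\
2003-06-13 09:08:51 Dropping ICMP error message. Original UDP from 192.0.2.78:3870 to my.ip.addy:3123 192.168.1.2 192.0.2.78 3/ICMP
2003-06-13 08:50:10 Dropping ICMP error message. Original TCP from 203.0.113.9:4021 to my.ip.addy:80 192.168.1.2 203.0.113.9 3/ICMP
2003-06-13 08:47:02 Dropping ICMP error message. Original UDP from 198.51.100.85:1467 to my.ip.addy:3123 192.168.1.2 198.51.100.85 3/ICMP
2003-06-13 08:30:32 Dropping ICMP error message. Original UDP from 192.0.2.78:3870 to my.ip.addy:3123 192.168.1.2 192.0.2.78 3/ICMP
2003-06-13 07:25:13 Dropping ICMP error message. Original UDP from 192.0.2.78:3870 to my.ip.addy:3123 192.168.1.2 192.0.2.78 3/ICMP
"""

# Assumption: ports on which this hypothetical host really runs a service.
LISTENING = {80}


def summarize(log_text, listening_ports=LISTENING):
    """Group entries by remote endpoint and destination port, busiest first."""
    groups = defaultdict(list)
    # finditer works even when the log arrives as one run-together line.
    for m in ENTRY.finditer(log_text):
        key = (m["src"], int(m["sport"]), m["proto"], int(m["dport"]))
        groups[key].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    report = []
    for (src, sport, proto, dport), stamps in groups.items():
        span = (max(stamps) - min(stamps)).total_seconds() / 60
        report.append({
            "src": src, "sport": sport, "proto": proto, "dport": dport,
            "hits": len(stamps), "span_min": round(span),
            # Closed port: background noise. Port with a service: look closer.
            "verdict": "review" if dport in listening_ports else "noise",
        })
    return sorted(report, key=lambda r: (-r["hits"], r["src"]))


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

A remote endpoint that keeps returning from the same source port to the same closed port over hours, as the first group does, looks like one persistent client retrying rather than a scan across ports.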