Firewall Wizards mailing list archives

RE: UDP Port 137 - Now TCP Port 143


From: "Burgess, John (EDS)" <jburgess () railtex com>
Date: Mon, 8 Feb 1999 14:53:30 -0600

FYI.  I did some further checking of my logs (thanks to Randi for the
pointer to RFC 1700 - I hadn't looked at those in a long time), and it seems
there were some probes on ports 110, 111, 137, 635??? and 143 from
various domains.  I checked CERT and there is an old advisory on a Sun
RPC exploit on port 111.  Since I don't believe this could be
accidental, I contacted the registered owner of the domain where that
traffic originated from and sure enough, his DNS server has been
compromised.  It seems all his log files have been wiped clean this
AM.....

-----Original Message-----
From: Burgess, John (EDS) 
Sent: Friday, February 05, 1999 4:26 PM
To: 'firewall-wizards () nfr net'
Subject: UDP Port 137 - Now TCP 143


Thanks to all who responded regarding UDP port 137.  I learned some
interesting facts.  I got a new one this morning.  Does anyone know why
someone/something would be hitting TCP port 143?  This was at 2:30 AM
from bay-030-b5.codetel.net.do (206.105.238.30 - Dominican Republic - a
router?) Protocol=TCP Port 2734->143?

JB


