Firewall Wizards mailing list archives

udp 31789


From: "Craig T. Hancock" <craig () charlie cns iit edu>
Date: Tue, 10 Oct 2000 09:24:59 -0500

Hello all. A machine that I administer has been involved in a DOS attack on my subnet. The network monitoring group has told me that a person was connecting to my machine via port 31789, which is a UDP port, and that this caused a huge amount of overhead on the network.
The thing I don't understand is how this attack is caused; I also don't understand how the person could have gotten in.
I didn't see any relevant info in the logs, but then again those could have been doctored.
Port    State       Protocol  Service
22      open        tcp        ssh             
111     open        tcp        sunrpc          
515     open        tcp        printer         
620     open        tcp        unknown         
800     open        tcp        mdbs_daemon     
801     open        tcp        device          
1024    open        tcp        unknown         
1025    open        tcp        listen          
1026    open        tcp        nterm           
1030    open        tcp        iad1            
1455    open        tcp        esl-lm          
2049    open        tcp        nfs             
4321    open        tcp        rwhois          
6000    open        tcp        X11             

I would like to know exactly how this attack is done (I haven't been able to find any specifics) and how it is prevented. I have checked the logs but I haven't been able to find out if the person ever got in. It looks like no one was logged in at the time, but then again the logs could have been doctored. Here is a reference to the attack; this is the only info that I have been able to find:

"Looks like an rpc scan where somebody is trying to bypass
the portmapper (111) and contact certain rpc services directly."
-- 
_______________________________________________________________________
If life is a dream then I am real I exist in smoke and shadow I see all
and know nothing beware my mist I am kindred feel thy wraith if tho is
wronged.
                         
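The two things the poster has to work with are the port table from the scan and the monitoring group's report of heavy UDP traffic to one port. The following is an added example, not code from the original message or from the list: it parses a port table in the same layout as the one above, flags open listeners that a site would not normally expose to an untrusted network (the service list `UNEXPECTED_EXTERNAL` is an assumed policy), and summarises a set of constructed flow records per UDP destination port so that a port carrying anomalous volume, such as 31789 here, stands out. All IP addresses, byte counts and the threshold are constructed for the example.

```python
"""Added example (not part of the original post): triage a host from a scan
table and per-flow traffic records."""
from collections import defaultdict

# The port table from the message, embedded so the script runs offline.
SCAN_OUTPUT = """\
Port    State       Protocol  Service
22      open        tcp        ssh
111     open        tcp        sunrpc
515     open        tcp        printer
620     open        tcp        unknown
800     open        tcp        mdbs_daemon
801     open        tcp        device
1024    open        tcp        unknown
1025    open        tcp        listen
1026    open        tcp        nterm
1030    open        tcp        iad1
1455    open        tcp        esl-lm
2049    open        tcp        nfs
4321    open        tcp        rwhois
6000    open        tcp        X11
"""

# Assumed site policy: services that are normally reached through the
# portmapper or that should not face an untrusted network at all.
UNEXPECTED_EXTERNAL = {"sunrpc", "nfs", "X11", "printer", "rwhois"}


def parse_scan(text):
    """Return (port, state, proto, service) tuples from a four-column port table."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # header, blank, or otherwise malformed line
        port, state, proto, service = parts
        rows.append((int(port), state, proto, service))
    return rows


def exposed_services(rows, policy=UNEXPECTED_EXTERNAL):
    """Open listeners whose service name is on the unexpected-exposure list."""
    return sorted((port, svc) for port, state, _proto, svc in rows
                  if state == "open" and svc in policy)


# Constructed flow records: (src_ip, dst_ip, proto, dst_port, bytes).
# 192.0.2.10 plays the role of the administered host.
FLOWS = [
    ("10.0.0.5", "192.0.2.10", "udp", 31789, 1_200_000),
    ("10.0.0.5", "192.0.2.10", "udp", 31789, 1_350_000),
    ("10.0.0.9", "192.0.2.10", "tcp", 22, 4_000),
    ("10.0.0.12", "192.0.2.10", "udp", 53, 800),
    ("10.0.0.7", "192.0.2.10", "tcp", 2049, 90_000),
]


def udp_bytes_by_port(flows):
    """Sum bytes per UDP destination port across the flow records."""
    totals = defaultdict(int)
    for _src, _dst, proto, dport, nbytes in flows:
        if proto == "udp":
            totals[dport] += nbytes
    return dict(totals)


def top_udp_port(flows, threshold=1_000_000):
    """Busiest UDP destination port as (port, bytes) if it exceeds the
    constructed threshold, otherwise None."""
    totals = udp_bytes_by_port(flows)
    if not totals:
        return None
    port, total = max(totals.items(), key=lambda kv: kv[1])
    return (port, total) if total >= threshold else None


if __name__ == "__main__":
    rows = parse_scan(SCAN_OUTPUT)
    print("unexpectedly exposed listeners:", exposed_services(rows))
    print("busiest UDP port over threshold:", top_udp_port(FLOWS))
```

Run against the embedded data it reports the five portmapper-related and display/print services as exposed and singles out UDP 31789 as the port carrying the bulk of the traffic; in practice the flow records would come from the monitoring group's collector and the policy set from the site's own baseline.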

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards