Security Incidents mailing list archives
Port 7070?
From: mparkin () PBI NET (PARKIN, MICHAEL (PBI))
Date: Thu, 22 Jun 2000 12:26:54 -0500
Morning, folks,

Recently I've seen a series of connection attempts to one of my boxen. I run a household LAN connected via cablemodem, and all but one of the machines runs Linux in a relatively secure mode. I have ipchains pipe suspicious output to syslog and I monitor it frequently. While I'm used to seeing the subnet get scanned for 27374 (Sub7) and 12345 (NetBus) and the ubiquitous 137 (NetBIOS), these connections to 7070 are recent.

I've considered the possibility that someone's just running a mis-configured IRC client (there is an IRC server on this particular box, listening on the usual ports, and 8500 for server connections) but I've seen these connections from several different locations, and they all started within the last week or so. I've included one sample below.

Is anyone aware of a trojan living on this port? The box hasn't been compromised, and I strongly suspect the connections are coming from Windows boxes, but haven't counterscanned to find out. Notably, none of the connections correspond to a legitimate user on the IRC network this box is connected to.

Thanks,
Mike

messages:Jun 22 05:36:56 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=9778 F=0x4000 T=111 SYN (#19)
messages:Jun 22 05:36:59 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10034 F=0x4000 T=111 SYN (#19)
messages:Jun 22 05:37:05 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10546 F=0x4000 T=111 SYN (#19)

Mike Parkin
Network Reliability Center
SBC Internet Services
415.442.5108
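As an added example (not part of the original post), the following Python parses ipchains "Packet log" lines like the ones quoted above and groups SYNs by flow, so retries of one connection attempt can be told apart from separate probes. The sample input is the three lines from the post; the year 2000 is taken from the post's Date header, and the initial-TTL rounding is a heuristic, not something the log states.

```python
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2000  # assumption: syslog omits the year; taken from the post's Date header
# The three log lines quoted in the post, with their grep "messages:" prefix.
SAMPLE = """\
messages:Jun 22 05:36:56 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=9778 F=0x4000 T=111 SYN (#19)
messages:Jun 22 05:36:59 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10034 F=0x4000 T=111 SYN (#19)
messages:Jun 22 05:37:05 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10546 F=0x4000 T=111 SYN (#19)
"""
# Fields: chain, target, interface, IP protocol, src, dst, L=total length,
# S=TOS, I=IP ID, F=fragment flags/offset, T=TTL, SYN flag, (#rule number).
LINE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)")

def parse(text):
    """Return one dict per ipchains packet-log line found in text."""
    out = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            d = m.groupdict()
            d["when"] = datetime.strptime(f"{YEAR} {d['ts']}", "%Y %b %d %H:%M:%S")
            out.append(d)
    return out

def initial_ttl_guess(ttl):
    """Heuristic: round the observed TTL up to the next common initial value."""
    return next(v for v in (32, 64, 128, 255) if ttl <= v)

def summarize(text):
    """Group SYNs by (src, sport, dst, dport); report count, gaps and TTL."""
    flows = defaultdict(list)
    for p in parse(text):
        if p["syn"]:
            flows[(p["src"], int(p["sport"]), p["dst"], int(p["dport"]))].append(p)
    report = {}
    for key, pkts in flows.items():
        gaps = [int((b["when"] - a["when"]).total_seconds())
                for a, b in zip(pkts, pkts[1:])]
        ttl = int(pkts[0]["ttl"])
        report[key] = {"syns": len(pkts), "gaps_s": gaps, "ttl": ttl,
                       "initial_ttl_guess": initial_ttl_guess(ttl),
                       "rule": int(pkts[0]["rule"])}
    return report
```

On the sample, all three lines share one source port and arrive 3 and 6 seconds apart, which is consistent with a single connection attempt retransmitting its SYN rather than three separate probes.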