Security Incidents mailing list archives

Re: Unknown traffic


From: joey () SILICONDEFENSE COM (Joe McAlerney)
Date: Tue, 27 Jun 2000 16:28:21 -0700


Well, since two of those port numbers match, this _may_ be the culprit:

Web JetAdmin Package Manager

Installed on: supported Linux, Solaris and HP-UX systems
Path: /opt/fpmd
Listener Port: 54253
Purpose: Performs installation of packages for Web JetAdmin software

Print Server Manager

Installed on: supported Linux, Solaris and HP-UX systems
Path: /opt/ppsweb
Listener Port: 55559
Purpose: provides communication channel for Web JetAdmin remote printer installation

from: http://www.hp.com/cposupport/networking/support_doc/bpj06419.html

-Joe M.

Paul Hancock wrote:

There is a system that is trying to connect to udp ports 55559, 43768, and
54253 on a number of my systems.  It tries those ports on a given machine,
and then moves on to a seemingly random machine from within my network.
Any idea what is running, or what it is trying to connect to?

[IPs changed]

Jun 27 02:10:26 ppl 74081: %SEC-6-IPACCESSLOGP: list PPL-COPATM-in denied udp 8.1.218.40(2753) -> 207.137.123.164(55559), 1 packet
Jun 27 02:10:27 ppl 74082: %SEC-6-IPACCESSLOGP: list PPL-COPATM-in denied udp 8.1.218.40(2754) -> 207.137.123.164(43768), 1 packet
Jun 27 02:10:28 ppl 74083: %SEC-6-IPACCESSLOGP: list PPL-COPATM-in denied udp 8.1.218.40(2755) -> 207.137.123.164(54253), 1 packet

                -- Paul (phancock () lib ci phoenix az us)
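
Added example, not part of the original thread: a small Python triage script that parses the %SEC-6-IPACCESSLOGP lines shown above, groups denied probes by source, and checks the destination ports against the two listener ports named in the reply. The function name `summarize`, the one-line log layout, and the last three sample lines (a constructed second target, 192.0.2.17) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Listener ports named in the HP support document quoted in the reply.
KNOWN_PORTS = {54253: "Web JetAdmin Package Manager",
               55559: "Print Server Manager"}

# Matches the Cisco IOS access-list log format shown in the post (one entry per line).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

def summarize(lines):
    """Group denied probes by (source, protocol): targets hit and ports tried."""
    probes = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["action"] == "denied":
            probes[(m["src"], m["proto"])][m["dst"]].add(int(m["dport"]))
    report = {}
    for key, by_dst in probes.items():
        ports = set().union(*by_dst.values())
        report[key] = {
            "targets": sorted(by_dst),
            "ports": sorted(ports),
            # The same port set against several targets suggests one tool sweeping hosts.
            "same_ports_each_target": len(by_dst) > 1
                and len({frozenset(p) for p in by_dst.values()}) == 1,
            "known": {p: KNOWN_PORTS[p] for p in ports if p in KNOWN_PORTS},
            "unknown": sorted(ports - set(KNOWN_PORTS)),
        }
    return report

# First three entries are from the post; the last three are constructed.
PREFIX = "%SEC-6-IPACCESSLOGP: list PPL-COPATM-in denied udp 8.1.218.40"
SAMPLE = [
    f"Jun 27 02:10:26 ppl 74081: {PREFIX}(2753) -> 207.137.123.164(55559), 1 packet",
    f"Jun 27 02:10:27 ppl 74082: {PREFIX}(2754) -> 207.137.123.164(43768), 1 packet",
    f"Jun 27 02:10:28 ppl 74083: {PREFIX}(2755) -> 207.137.123.164(54253), 1 packet",
    f"Jun 27 02:10:31 ppl 74084: {PREFIX}(2756) -> 192.0.2.17(55559), 1 packet",
    f"Jun 27 02:10:32 ppl 74085: {PREFIX}(2757) -> 192.0.2.17(43768), 1 packet",
    f"Jun 27 02:10:33 ppl 74086: {PREFIX}(2758) -> 192.0.2.17(54253), 1 packet",
]

if __name__ == "__main__":
    for (src, proto), info in summarize(SAMPLE).items():
        print(src, proto, info)
```

On the sample, ports 54253 and 55559 map to the two Web JetAdmin components, while 43768 stays in the unknown list, matching the "two of those port numbers match" observation in the reply.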

