Re: Keep connecting to remote host on port 7869

[Frank Cheong <fch () hktb com>]

In-Reply-To: <20021026093047.GA30704 () useful yi org>

After detailed investigation, I've found that it is really caused by PHP 
debugger. All packet disappeared after I have turned off the debugging 
feature of PHP. But what caused the PHP debugging to remotely sending 
information out ? Is it a sign of hacker or actually there are some bugs 
with the PHP programs ? Coz I am running squirrel mail on that mail server.

> Received: (qmail 17458 invoked from network); 26 Oct 2002 21:21:22 -0000
> Received: from outgoing2.securityfocus.com (HELO 
outgoing.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 26 Oct 2002 21:21:22 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com 
[205.206.231.19])
>       by outgoing.securityfocus.com (Postfix) with QMQP
>       id 284B88F28C; Sat, 26 Oct 2002 14:03:19 -0600 (MDT)
> Mailing-List: contact incidents-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <incidents.list-id.securityfocus.com>
> List-Post: <mailto:incidents () securityfocus com>
> List-Help: <mailto:incidents-help () securityfocus com>
> List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:incidents-subscribe () securityfocus com>
> Delivered-To: mailing list incidents () securityfocus com
> Delivered-To: moderator for incidents () securityfocus com
> Received: (qmail 11258 invoked from network); 26 Oct 2002 08:54:42 -0000
> Date: Sat, 26 Oct 2002 09:30:47 +0000
> From: Luis Bruno <lbruno () zbit pt>
> To: incidents () securityfocus com
> Subject: Re: Keep connecting to remote host on port 7869
> Message-ID: <20021026093047.GA30704 () useful yi org>
> Mail-Followup-To: incidents () securityfocus com
> References: <20021025030417.1973.qmail () mail securityfocus com>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> In-Reply-To: <20021025030417.1973.qmail () mail securityfocus com>
> User-Agent: Mutt/1.3.28i
> X-Warning: Personal opinions beyond this line.
> X-Message-Flag: When your hammer is C++, everything begins to look like a 
thumb.
> X-Send-Missiles-To: Viseu, Portugal - UTM 29T 629481 E 4511776 N - 576m
>
> Frank Cheong wrote:
> > My redhat linux mail host keeps connecting to other remote host quite
> > frequently on remote port 7869.
> > [snip]
> > Below is the firewall log (IP address being modified) :
> >
> > 10/23/2002 11:13:36.640 -     TCP connection dropped -     
> > Source:123.123.123.123, 51321, LAN -     
> > Destination:234.234.234.234, 7869, WAN -     Type: 786 -
> >      Rule 66
>
> If your frewall drops the connection thru a TCP RST, change it so that
> it silently drops the packets. This will make the linux box hang waiting
> for a timeout.
>
> Then execute:
>
>       netstat -tanp | grep <port>
>
> on the linux box, where <port> is the source port you see in the Source:
> line on your firewall logs.
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com