Security Incidents mailing list archives
Re: Persistant Connection to tcp/1423
From: kyle.r.maxwell () verizon com
Date: Thu, 30 Oct 2003 10:06:14 -0600
Can you provide any logs of this activity? I know it sounds obvious but are you sure that these are SYN packets and not SYN/ACK packets? It sounds like you've done a pretty good job making sure the host isn't compromised, so it is a bit curious that the scanner is finding your dynamic address. Do you have any sort of dynamic DNS that would maintain a constant hostname across IP leases?

--
Kyle Maxwell
InfoSec Engineer
Verizon Global Security Operations Center
kyle.r.maxwell () verizon com

"David Vestal" <dk_vestal () seznam cz>
10/29/2003 11:08 AM

To: incidents () securityfocus com
cc:
Subject: Persistant Connection to tcp/1423

According to google, tcp/1423 is registered to an essbase service, (www.essbase.com), seems to be a business/enterprise management suite.

For the past several days I have been receiving packets from one ip address that concern me a little. I am on aDSL and have closed and restarted my DSL service a few times to change my ip to try to fix this. However, regardless of my ip address I eventually start receiving the same packets again from the same source. My first thought was possibly a trojan or that my router had been rooted.

[snip]
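Added example, not part of the original thread: a small Python parser that reads the TCP flag byte from a raw IPv4 packet and separates a bare SYN (the remote side opening a connection) from a SYN/ACK (the remote side answering a SYN that carried this address as its source), which is the distinction the reply asks about. The helper names, addresses (documentation ranges) and the port layout of the sample packets are constructed for illustration.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits (RFC 793)

def classify(packet: bytes) -> dict:
    """Parse a raw IPv4/TCP packet and label its handshake role."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if packet[9] != socket.IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    flags = packet[ihl + 13]                # flag byte of the TCP header
    if flags & SYN and flags & ACK:
        kind = "SYN/ACK"  # reply to a SYN sent, or spoofed, from our address
    elif flags & SYN:
        kind = "SYN"      # remote host is initiating a connection to us
    else:
        kind = "other"
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "sport": sport,
        "dport": dport,
        "kind": kind,
    }

def build(src, dst, sport, dport, flags) -> bytes:
    """Construct a minimal sample packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHLLBBHHH", sport, dport, 1, 0, 5 << 4,
                      flags, 8192, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    # Constructed samples: same remote host, two different handshake roles.
    samples = [
        build("198.51.100.7", "192.0.2.10", 40000, 1423, SYN),
        build("198.51.100.7", "192.0.2.10", 1423, 40000, SYN | ACK),
    ]
    for pkt in samples:
        print(classify(pkt))
```
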
Current thread:
- Persistant Connection to tcp/1423 David Vestal (Oct 30)
- Re: Persistant Connection to tcp/1423 kyle . r . maxwell (Oct 30)