Security Incidents mailing list archives

Re: Persistent Connection to tcp/1423


From: kyle.r.maxwell () verizon com
Date: Thu, 30 Oct 2003 10:06:14 -0600

Can you provide any logs of this activity? I know it sounds obvious but 
are you sure that these are SYN packets and not SYN/ACK packets? It sounds 
like you've done a pretty good job making sure the host isn't compromised, 
so it is a bit curious that the scanner is finding your dynamic address. 
Do you have any sort of dynamic DNS that would maintain a constant 
hostname across IP leases?

--
Kyle Maxwell
InfoSec Engineer
Verizon Global Security Operations Center
kyle.r.maxwell () verizon com




"David Vestal" <dk_vestal () seznam cz>
10/29/2003 11:08 AM
 
        To:     incidents () securityfocus com
        cc: 
        Subject:        Persistent Connection to tcp/1423


According to google, tcp/1423 is registered to an essbase service,
(www.essbase.com), seems to be a business/enterprise management suite.

For the past several days I have been receiving packets from one ip
address that concern me a little. I am on aDSL and have closed and
restarted my DSL service a few times to change my ip to try to fix this.
However, regardless of my ip address I eventually start receiving the
same packets again from the same source. My first thought was possibly a
trojan or that my router had been rooted.

[snip]
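Kyle's SYN versus SYN/ACK question is the first thing to settle from a capture. The following is an added example, not part of the original thread: it parses a few constructed tcpdump-style lines (addresses and timestamps are illustrative) and tallies, per remote host, SYN-only packets (genuine inbound connection attempts to tcp/1423) versus SYN/ACKs (replies to SYNs your address never sent, typically backscatter from traffic that spoofed it).

```python
import re
from collections import Counter

# Constructed sample tcpdump output (not from the original post).
# 203.0.113.20 plays the role of the DSL host; the other addresses are illustrative.
SAMPLE_LOG = """\
10:06:01.000001 IP 198.51.100.7.4455 > 203.0.113.20.1423: Flags [S], seq 1, win 64240
10:06:01.500001 IP 198.51.100.7.4456 > 203.0.113.20.1423: Flags [S], seq 2, win 64240
10:06:02.000001 IP 192.0.2.9.1423 > 203.0.113.20.40001: Flags [S.], seq 3, ack 1, win 65535
10:06:03.000001 IP 192.0.2.9.1423 > 203.0.113.20.40002: Flags [S.], seq 4, ack 1, win 65535
10:06:04.000001 IP 198.51.100.7.4457 > 203.0.113.20.1423: Flags [S], seq 5, win 64240
"""

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def classify(flags):
    """Map a tcpdump flag string to a coarse category.
    'S'  = SYN only: the remote host is actively trying to open a connection.
    'S.' = SYN/ACK: a reply to a SYN; if we never sent one, this is backscatter
           from traffic elsewhere that used our address as its source.
    """
    if flags == "S":
        return "syn"
    if flags == "S.":
        return "syn-ack"
    return "other"

def summarize(log_text, port=1423):
    """Count SYN vs SYN/ACK per remote host for packets touching the given port."""
    per_source = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if port not in (int(m["sport"]), int(m["dport"])):
            continue
        per_source.setdefault(m["src"], Counter())[classify(m["flags"])] += 1
    return per_source

def verdict(per_source):
    """Label each remote host according to which packet type dominates."""
    labels = {}
    for src, c in per_source.items():
        if c["syn"] and not c["syn-ack"]:
            labels[src] = "inbound connection attempts"
        elif c["syn-ack"] and not c["syn"]:
            labels[src] = "unsolicited SYN/ACK, likely backscatter"
        else:
            labels[src] = "mixed, inspect the full capture"
    return labels

if __name__ == "__main__":
    for src, label in verdict(summarize(SAMPLE_LOG)).items():
        print(f"{src}: {label}")
```

A host that shows only SYN/ACKs is not scanning you at all; your address is being spoofed against it, which is why changing IP leases does not help in that case.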


