Firewall Wizards mailing list archives
udp 31789
From: "Craig T. Hancock" <craig () charlie cns iit edu>
Date: Tue, 10 Oct 2000 09:24:59 -0500
Hello all a machine that I administer has been involved in a DOS attack on my subnet. THe networking monitor group as told me that a person was connecting to my machine via prt 31789 which is a udp port that cause a huge amount of overhead on the network. The thing I don't understand is how is this attacked is cause also I don't understand how the person could have gotten in. I didn't see any relevant info from the logs, but then again those could have been doctored. Port State Protocol Service 22 open tcp ssh 111 open tcp sunrpc 515 open tcp printer 620 open tcp unknown 800 open tcp mdbs_daemon 801 open tcp device 1024 open tcp unknown 1025 open tcp listen 1026 open tcp nterm 1030 open tcp iad1 1455 open tcp esl-lm 2049 open tcp nfs 4321 open tcp rwhois 6000 open tcp X11 I would like to know exactly how is this attack done, I mean I haven't been able to find out any specifics and how is this prevented. I have checked the logs but I haven't been able to find out if the person ever got in. It looks like no one was logged in at the time, but then again the logs could have been doctored. Here is a reference to the attack this is the only info that I have been able to find. "Looks like an rpc scan where somebody is trying to bypass the portmapper (111) and contact cretin rpc services directly." -- _______________________________________________________________________ If life is a dream then I am real I exist in smoke and shadow I see all and know nothing beware my mist I am kindred feel thy wraith if tho is wronged. _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr net http://www.nfr.net/mailman/listinfo/firewall-wizards
Current thread:
- udp 31789 Craig T. Hancock (Oct 11)