Re: A rather newbie question

["Lee" <cheekypeople () sec33 com>]

Like anything its all about what you may have or what they want, your logs
show a few different ports but port 60096 stands out.

 I get these logs all day and get hit all day, whats systems do you use?
what
 bandwidth have you got? are you actually seeing a degrade in browsing
 performance? you may just be a random product of the NET like the rest of
 us.

 Tell us a little more about your system. as far as nmap-ing well, didnt
know
 that was illegal depends on your country,

 here info from port 60096 anyways, hope it helps you.

 Port number: 60096

> Common name(s): client-port on Red Hat Linux 9.0, Fedora Core 1, Red Hat
> Enterprise 3
>
> Common service(s): client
>
> Service description(s): Outgoing client connections from systems.
>
> Common server(s): RPC based services, Windows Messaging Service.
>
> Common client(s): All client software (SSH, Web clients, etc.)
>
> Common problem(s): Insecure client software
>
> Encrypted options: Not applicable
>
> Secure options: Not applicable
>
> Firewalling recommendations: Block inbound connections to client ports,
> allow outgoing connections and returning packets (keep state)
>
> Attack detection: As a general rule data coming in to client ports that is
> not part of an established connection is likely an attack. Exceptions
exist
> of course, such as FTP, various instant messenger protocols, file sharing
> protocols, IRC's DCC, and so on.
>
> Related ports: 32768 and other client ports
>
> Related URL(s):
> http://seifried.org/security/os/linux/20011005-linux-port-behavior.html
>
> Other notes: Port 32768 is the first port used by the operating system for
> outbound connections, thus it is likely you will see outbound connections
> from port 32768 and up. If you run netstat on Red Hat Linux or UNIX you
will
> see something like:
>
> [root@funky web]# netstat -vatn
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State

> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 10.2.3.4:32768          10.3.4.5:22
> ESTABLISHED
> tcp        0      0 10.2.3.4:32769          10.9.3.4:80
> ESTABLOSHED
>
>
>
> Lee @ STS
> http://www.seethrusec.co.uk
> Building Knowledge and Security..
> ----- Original Message ----- 
> From: "Schmidt, Michael R." <Michael.Schmidt () T-Mobile com>
> To: <full-disclosure () lists netsys com>
> Sent: Sunday, May 02, 2004 8:41 AM
> Subject: [Full-disclosure] A rather newbie question
>
>
> > If someone could take a quick look through my log file - it is very
simple
> and shows a bazillion requests that are being bounced off my firewall.  I
> would really appreciate it.  My ISP didn't care and didn't respond when I
> let him know about all this traffic that was wasting MY bandwidth.  And
then
> they were upset when I nmapped back to a few addresses and hit some
upstream
> providers router - oh well, live and learn.  They told me they would
> terminate my contract if I kept that up.  Hey I was just trying to find
out
> who the freaks were that are constantly attacking MY network.
> > Anyway, what I am looking for is confirmation that even though I may be
> new - I am not losing my brains or paranoid, thanks.
> > I have updated all my systems to the latest patch version - but I'll
tell
> you, it is the users inside the firewall that cause the most problems.
All
> our machines have antivirus, all have antispyware, but they are used by my
> kids and sometimes their friends, and therein lies the problem, but
hanging
> out in the background with you guys has opened my eyes to the craziness
out
> there.  How is a "normal" citizen supposed to keep their computer safe on
> the Internet?  I don't think it is possible.
> >


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html