Security Incidents mailing list archives
Re: Connect thru PIX & ports 1727, 2209, 9200
From: lnapier () CISCO COM (Lisa Napier)
Date: Tue, 1 Feb 2000 12:22:41 -0800
Hi Jeff,

Sorry for the delay in response, I don't have many answers, but some recommendations and questions.

With regards to the PIX, this is difficult to diagnose without the configuration. (I'm not asking that you post your configuration!) To my knowledge, there is no way to establish a connection through the PIX which is not permitted by the configuration. Have you opened a case with the Cisco Technical Assistance Center? They may be able to assist you with identifying issues in your configuration, and help you with interpreting the syslog messages to better understand what happened.

The ports you mentioned are unfamiliar to me. None are listed on any of the known trojan port listings I've seen recently.

Are your syslogs intact? It seems to me a basic premise that if you were to successfully attack a syslog server, it would be an obvious step to remove the logs of your activity, and remain undetected for a longer period of time. Which just raises more questions in my mind.

Not sure if I've been much help,

Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml

At 04:16 PM 01/27/2000 -0500, CL: Nelson, Jeff wrote:
Hello,

This is my first contribution to this list. Recently, going through my syslogs, I found an individual that has, apparently, successfully initiated a connection through our PIX. I thought this was a bit surprising. They then proceeded to send 1 UDP/1727 packet to every one of our external IP addresses (only 1 class C subnet) to port 9200. During this walkabout they also tried to send UDP/1727 to a variety of our private network addresses on port 9200. I am wondering how they were able to detect these addresses. Of course, I'm wondering how they established the connection through the PIX.

Once the individual was done the connection was torn down. Then, they start back up again (with a new connection built through the firewall) except this time, they are sending their UDP packet from port 2209.

Are any of you familiar with these ports or what is going on?

One last bit of info, the internal system that they established the connection with is my syslog monitor (PrivateI, NT4.0, SP3). If it wasn't personal enough that they seem to have compromised me a bit, they had to do it with one of my own systems.

Cheers,
Jeff

:::::::::::
Jeffrey L. Nelson
Network Manager
Cleveland Motion Controls
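The pattern Jeff describes (one UDP packet from a fixed source port to the same destination port on every host of a class C, then the same sweep again from a different source port) is easy to pick out of firewall logs once the events are grouped by source address, source port and destination port. The following script is an added example written for this archive page, not code from either poster or from Cisco. The log line format it parses is constructed for the example and is not the PIX syslog format (the thread reproduces no actual log lines); the addresses are documentation ranges, and the per-host and per-key thresholds are assumptions.

```python
"""Detect a one-packet-per-host UDP sweep of a /24 in firewall log lines.

Added example for the thread above; not code from the original posts.
The line format below ("<ts> UDP <src>:<sport> -> <dst>:<dport>") is
constructed for this example and is NOT the PIX syslog format.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the thread: a sweep from source port
# 1727 to port 9200 across the external /24 (plus one private address), a
# second sweep from source port 2209, and an unrelated DNS packet.
SAMPLE_LOG = """\
2000-01-27T15:01:02 UDP 198.51.100.7:1727 -> 203.0.113.1:9200
2000-01-27T15:01:02 UDP 198.51.100.7:1727 -> 203.0.113.2:9200
2000-01-27T15:01:03 UDP 198.51.100.7:1727 -> 203.0.113.3:9200
2000-01-27T15:01:03 UDP 198.51.100.7:1727 -> 10.1.1.5:9200
2000-01-27T15:01:04 UDP 198.51.100.7:1727 -> 203.0.113.4:9200
2000-01-27T15:02:10 UDP 198.51.100.7:2209 -> 203.0.113.1:9200
2000-01-27T15:02:10 UDP 198.51.100.7:2209 -> 203.0.113.2:9200
2000-01-27T15:02:11 UDP 198.51.100.7:2209 -> 203.0.113.3:9200
2000-01-27T15:05:00 UDP 192.0.2.9:53000 -> 203.0.113.10:53
"""

LINE_RE = re.compile(r"^(\S+) UDP (\S+):(\d+) -> (\S+):(\d+)$")


def parse_lines(text):
    """Turn the constructed log text into a list of event dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport = m.groups()
        events.append({"ts": ts, "src": src, "sport": int(sport),
                       "dst": dst, "dport": int(dport)})
    return events


def find_sweeps(events, network, min_hosts=3):
    """Group events by (src, sport, dport) and report groups that hit at least
    min_hosts distinct addresses inside `network`. Private destinations seen
    under the same key are listed too, since probes of internal addresses
    through the firewall are the part of Jeff's report that needs explaining."""
    net = ip_network(network)
    external = defaultdict(set)
    private = defaultdict(set)
    for e in events:
        key = (e["src"], e["sport"], e["dport"])
        dst = ip_address(e["dst"])
        if dst in net:
            external[key].add(e["dst"])
        elif dst.is_private:
            private[key].add(e["dst"])
    sweeps = []
    for key, dsts in external.items():
        if len(dsts) >= min_hosts:
            sweeps.append({"src": key[0], "sport": key[1], "dport": key[2],
                           "external_hosts": len(dsts),
                           "private_hosts": sorted(private.get(key, set()))})
    return sweeps


def source_ports_used(sweeps, src, dport):
    """Source ports a given source used to sweep a given destination port
    (a change of source port between otherwise identical sweeps is the
    1727 -> 2209 detail from the thread)."""
    return sorted(s["sport"] for s in sweeps if s["src"] == src and s["dport"] == dport)


if __name__ == "__main__":
    found = find_sweeps(parse_lines(SAMPLE_LOG), "203.0.113.0/24")
    for s in found:
        print(f"{s['src']}:{s['sport']} -> *:{s['dport']} "
              f"({s['external_hosts']} external hosts, private: {s['private_hosts']})")
```

Run against the constructed sample, the script reports two sweeps from the same source address against port 9200, one per source port, and attaches the private 10.1.1.5 probe to the first. The noise line (a single DNS packet) falls below the host threshold and is not reported, which is the point of keying on distinct destination count rather than on raw packet volume.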