Security Incidents mailing list archives

Re: Connect thru PIX & ports 1727, 2209, 9200

From: lnapier () CISCO COM (Lisa Napier)
Date: Tue, 1 Feb 2000 12:22:41 -0800

Hi Jeff,

Sorry for the delay in response, I don't have many answers, but some
recommendations and questions.

With regards to the PIX, this is difficult to diagnose without the
configuration. (I'm not asking that you post your configuration!)  To my
knowledge, there is no way to establish a connection through the PIX which
is not permitted by the configuration.  Have you opened a case with the
Cisco Technical Assistance Center?  They may be able to assist you with
identifying issues in your configuration, and help you with interpreting
the syslog messages to better understand what happened.

The ports you mentioned are unfamiliar to me.  None are listed on any of
the known trojan port listings I've seen recently.

Are your syslogs intact?  It seems to me a basic premise that if you were
to successfully attack a syslog server, it would be an obvious step to
remove the logs of your activity, and remain undetected for a longer period
of time.  Which just raises more questions in my mind.

Not sure if I've been much help,

Lisa Napier
Product Security Incident Response Team
Cisco Systems

http://www.cisco.com/warp/public/707/sec_incident_response.shtml

At 04:16 PM 01/27/2000 -0500, CL: Nelson, Jeff wrote:
Hello,

This is my first contribution to this list. Recently, going through my
syslogs, I found an individual that has, apparently, successfully initiated
a connection through our PIX. I thought this was a bit surprising. They then
proceeded to send 1 UDP/1727 packet to every one of our external IP
addresses (only 1 class C subnet) to port 9200.

During this walkabout they also tried to send UDP/1727 to a variety of our
private network addresses on port 9200. I am wondering how they were able to
detect these addresses. Of course, I'm wondering how they established the
connection through the PIX.

Once the individual was done the connection was torn down. Then, they start
back up again (with a new connection built through the firewall) except this
time, they are sending their UDP packet from port 2209.

Are any of you familiar with these ports or what is going on?

One last bit of info, the internal system that they established the
connection with is my syslog monitor (PrivateI, NT4.0, SP3). If it wasn't
personal enough that they seem to have compromised me a bit, they had to do
it with one of my own systems.

Cheers,

Jeff

:::::::::::
Jeffrey L. Nelson
Network Manager
Cleveland Motion Controls
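The pattern Jeff describes (one source address, one fixed source port, one packet to every host of a class C on the same destination port, then a second pass from a different source port, with some probes aimed at private addresses) is easy to pull out of firewall logs once the flows are grouped. The script below is an added example and is not code from the thread or from Cisco; it assumes a simplified "src=IP:PORT dst=IP:PORT" syslog line format (not the PIX message format) and runs on constructed sample lines that mimic the sweep described above.

```python
"""Sweep detector for firewall syslog: flags one source that hits many
destination hosts on one destination port using one fixed source port,
and notes whether any of the targets were RFC 1918 (internal) addresses."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The line format below is an assumption for this example (a generic
# "src=IP:PORT dst=IP:PORT" style); it is NOT the PIX syslog message format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proto>UDP|TCP) src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# RFC 1918 ranges, checked explicitly (ipaddress.is_private also counts the
# documentation ranges used for the sample data, which would mislabel them).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_internal(addr):
    """True if addr falls in an RFC 1918 range."""
    a = ip_address(addr)
    return any(a in n for n in RFC1918)


def parse_lines(lines):
    """Return one dict per line that matches LINE_RE; other lines are skipped."""
    recs = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            recs.append(d)
    return recs


def find_sweeps(records, min_targets=8):
    """Group flows by (proto, src ip, src port, dst port) and report the
    groups that touched at least min_targets distinct destination hosts."""
    targets = defaultdict(set)
    for r in records:
        targets[(r["proto"], r["sip"], r["sport"], r["dport"])].add(r["dip"])
    sweeps = []
    for (proto, sip, sport, dport), dsts in targets.items():
        if len(dsts) >= min_targets:
            sweeps.append({
                "proto": proto, "src": sip, "sport": sport, "dport": dport,
                "hosts": len(dsts),
                "internal_hosts": sum(1 for d in dsts if is_internal(d)),
            })
    # largest sweep first, then by source port so the two passes stay ordered
    sweeps.sort(key=lambda s: (-s["hosts"], s["sport"]))
    return sweeps


def constructed_log():
    """Constructed sample lines modelled on the pattern described in the
    thread: one source port, one packet per host across a /24, a few probes
    at private addresses, then a second pass from another source port.
    All addresses are documentation ranges, not real hosts."""
    src = "203.0.113.7"          # constructed source address (TEST-NET-3)
    lines = []
    for i in range(1, 25):       # first pass: sport 1727 -> 192.0.2.0/24:9200
        lines.append(f"Jan 27 15:02:{i:02d} fw UDP src={src}:1727 dst=192.0.2.{i}:9200")
    for i in range(1, 4):        # probes at internal (RFC 1918) addresses
        lines.append(f"Jan 27 15:02:{30 + i} fw UDP src={src}:1727 dst=10.1.1.{i}:9200")
    for i in range(1, 13):       # second pass: sport 2209, fewer hosts
        lines.append(f"Jan 27 15:10:{i:02d} fw UDP src={src}:2209 dst=192.0.2.{i}:9200")
    # benign noise: ordinary web traffic and a line the parser cannot read
    lines.append("Jan 27 15:03:00 fw TCP src=198.51.100.4:51002 dst=192.0.2.10:80")
    lines.append("Jan 27 15:03:01 fw TCP src=198.51.100.5:51003 dst=192.0.2.10:80")
    lines.append("Jan 27 15:03:02 fw some unrelated message")
    return lines


if __name__ == "__main__":
    for s in find_sweeps(parse_lines(constructed_log())):
        print(f"{s['proto']} {s['src']}:{s['sport']} -> *:{s['dport']} "
              f"hit {s['hosts']} hosts ({s['internal_hosts']} internal)")
```

Grouping on the source port as well as the source address is what separates the two passes Jeff saw (1727, then 2209) into two findings rather than one, and the `internal_hosts` count answers his other question directly: any non-zero value means the sender had addresses from the private range that should not be reachable or known from outside, which is worth chasing before the ports themselves.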