Security Incidents mailing list archives
Ports 25092 / 20869
From: vanja () RELAYGROUP COM (Vanja Hrustic)
Date: Tue, 4 Jan 2000 16:47:15 +0700
Hello!

This is happening for a few days already, and I can't figure out what it is:

==[ IPs are changed ]=====
...
Jan 4 16:34:39 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60165 F=0x4000 T=27 SYN (#7)
Jan 4 16:34:42 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60421 F=0x4000 T=27 SYN (#7)
Jan 4 16:34:49 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63237 F=0x4000 T=27 SYN (#7)
Jan 4 16:35:01 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63749 F=0x4000 T=27 SYN (#7)
Jan 4 16:35:44 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30726 F=0x4000 T=121 SYN (#7)
Jan 4 16:35:47 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30982 F=0x4000 T=123 SYN (#7)
Jan 4 16:35:53 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=31238 F=0x4000 T=123 SYN (#7)
...
==========================

The "remote" side (university) is less than helpful, they also have a firewall that doesn't let anything in (so I can't try to 'identify' the offender:) - it's better to ask a question in here.

Does anybody know what kind of traffic this is? [the hosts generating the traffic do have valid IPs, and are resolvable]. I also couldn't find anything related to these ports on the trojan lists.

It starts in the morning (usually around 09am), and happens randomly a few times per day. First thought that came to mind is that some Win95/98 box is generating that traffic when it is rebooted (or turned on).

Any ideas of which software might cause this?

Thanks in advance.

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time
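An added example, not part of the original message: a small Python parser for the ipchains "Packet log" lines quoted above. It groups the denied packets by (source, source port, destination, destination port) and reports the gaps between repeats. On the posted lines it shows each source retrying a single 4-tuple at growing intervals rather than sweeping ports. The function names and the `year` parameter are assumptions of this example (syslog timestamps carry no year; 2000 is taken from the message date).

```python
import re
from collections import defaultdict
from datetime import datetime

# The log lines posted in the message (addresses were already altered by the poster).
SAMPLE = """\
Jan 4 16:34:39 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60165 F=0x4000 T=27 SYN (#7)
Jan 4 16:34:42 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60421 F=0x4000 T=27 SYN (#7)
Jan 4 16:34:49 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63237 F=0x4000 T=27 SYN (#7)
Jan 4 16:35:01 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63749 F=0x4000 T=27 SYN (#7)
Jan 4 16:35:44 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30726 F=0x4000 T=121 SYN (#7)
Jan 4 16:35:47 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30982 F=0x4000 T=123 SYN (#7)
Jan 4 16:35:53 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=31238 F=0x4000 T=123 SYN (#7)
"""

# Layout: chain target iface PROTO src:port dst:port L=len S=TOS I=IP-ID F=frag T=TTL [SYN] (#rule)
LINE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: Packet log: \S+ (?P<target>\S+) \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=\S+ I=(?P<ipid>\d+) F=\S+ "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#\d+\)")

def parse(text, year=2000):
    """Yield a dict per Packet log line; the year is supplied because syslog omits it."""
    for m in LINE.finditer(text):
        r = m.groupdict()
        r["ts"] = datetime.strptime(f"{year} {r['ts']}", "%Y %b %d %H:%M:%S")
        for k in ("proto", "sport", "dport", "len", "ipid", "ttl"):
            r[k] = int(r[k])
        r["syn"] = r["syn"] is not None
        yield r

def summarise(text):
    """Group by (src, sport, dst, dport); report count, gaps in seconds, TTLs, lengths."""
    flows = defaultdict(list)
    for r in parse(text):
        flows[(r["src"], r["sport"], r["dst"], r["dport"])].append(r)
    out = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda r: r["ts"])
        out[key] = {
            "packets": len(pkts),
            "gaps_s": [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(pkts, pkts[1:])],
            "all_syn": all(p["syn"] and p["proto"] == 6 for p in pkts),
            "ttls": sorted({p["ttl"] for p in pkts}),
            "lengths": sorted({p["len"] for p in pkts}),
        }
    return out

if __name__ == "__main__":
    print(summarise(SAMPLE))
```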