Security Incidents mailing list archives

Re: port 1150 and 4833 ?


From: tgarris () FRAMELOSS ORG (Frameloss, Frameloss)
Date: Tue, 11 Jan 2000 03:56:52 -0000


Dec 30 08:43:17 sentryhost kernel: Packet log: input DENY eth0 PROTO=6 a.b.c.d:4328 w.x.y.z:111 L=40 S=0x00 I=38248 F=0x400

The first IP is that of the originating address (I assume ipchains output here...) which tells me the port 4328 is not 
what is interesting, but instead port 111! Which is sunrpc. Now, I'm entirely sure with the censored IP addresses in 
your logs, but I am guessing that the ip address sending from port 1150 to port 113 (ident) is trying to figure out the 
username of whoever is connecting to your portmapper... sounds like nfs???

anyway -- the thin and skinny is that port 1150 and 4833 are not what you should be interested in, those are the 
_source_ ports which are dynamically assigned (> 1024), the _dest_ ports are what is interesting here.  

Of course I am not entirely sure because of the way the addresses are edited out of the logs... but I would guess that 
the letters a.b.c.d would actually have two different IP addresses in the actual log... likewise with w.x.y.z

Good Luck!
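
The reading of the log line described in the message above, as an added example that is not part of the original post: it splits ipchains "Packet log" entries into source and destination fields and tallies denied packets by destination port. The sample lines, the documentation addresses, and the names `parse_line`, `summarize` and `SERVICES` are assumptions made for this illustration.

```python
import re
from collections import Counter

# ipchains "Packet log" layout: chain, action, interface, PROTO=n,
# source addr:port, destination addr:port, then L=/S=/I=/F= fields.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+)"
)

# Only the two services named in the message; extend as needed.
SERVICES = {111: "sunrpc", 113: "ident"}


def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    # Source ports above 1024 are dynamically assigned on the client side.
    rec["dynamic_source"] = rec["sport"] > 1024
    rec["service"] = SERVICES.get(rec["dport"], "unknown")
    return rec


def summarize(lines):
    """Count DENY entries per (destination port, service name)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DENY":
            counts[(rec["dport"], rec["service"])] += 1
    return counts


# Constructed sample lines using documentation addresses (not from the post).
PREFIX = "Dec 30 08:43:17 sentryhost kernel: Packet log: input DENY eth0 PROTO=6 "
SAMPLE = [
    PREFIX + "192.0.2.10:4328 198.51.100.5:111 L=40 S=0x00 I=38248 F=0x4000",
    PREFIX + "198.51.100.5:1150 192.0.2.10:113 L=44 S=0x00 I=38301 F=0x4000",
    PREFIX + "192.0.2.10:4833 198.51.100.5:111 L=40 S=0x00 I=38377 F=0x4000",
    "Dec 30 08:43:20 sentryhost kernel: eth0: link up",  # not a packet log
]

if __name__ == "__main__":
    for (dport, service), n in summarize(SAMPLE).most_common():
        print(f"dst port {dport} ({service}): {n} denied, source ports vary")
```

Grouping by destination port collapses the three different source ports into two targeted services, which is the point the message makes about where to look.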

