Security Incidents mailing list archives
Re: port 1150 and 4833 ?
From: tgarris () FRAMELOSS ORG (Frameloss, Frameloss)
Date: Tue, 11 Jan 2000 03:56:52 -0000
Dec 30 08:43:17 sentryhost kernel: Packet log: input DENY eth0 PROTO=6 a.b.c.d:4328 w.x.y.z:111 L=40 S=0x00 I=38248 F=0x400

The first IP is that of the originating address (I assume ipchains output here...), which tells me the port 4328 is not what is interesting, but instead port 111! Which is sunrpc.

Now, I'm entirely sure with the censored IP addresses in your logs, but I am guessing that the IP address sending from port 1150 to port 113 (ident) is trying to figure out the username of whoever is connecting to your portmapper... sounds like NFS???

Anyway -- the thin and skinny is that ports 1150 and 4833 are not what you should be interested in; those are the _source_ ports, which are dynamically assigned (> 1024). The _dest_ ports are what is interesting here.

Of course I am not entirely sure because of the way the addresses are edited out of the logs... but I would guess that the letters a.b.c.d would actually have two different IP addresses in the actual log... likewise with w.x.y.z.

Good Luck!
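The reading of the log line described in the message above, as an added example that is not part of the original post: a small parser for ipchains "Packet log" lines that separates source from destination and tallies denied packets by destination port. The addresses in the sample lines, the second sample line and the two-entry service table are constructed for illustration.

```python
import re
from collections import Counter

# ipchains "Packet log" line: chain, verdict, interface, protocol number,
# then source ip:port followed by destination ip:port.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+)"
)

# Assumed subset of well-known ports: only the two services named in the post.
SERVICES = {111: "sunrpc", 113: "ident"}

def parse_line(line):
    """Return a dict of the fields in one ipchains log line, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    # Rule of thumb from the post: source ports > 1024 are dynamically assigned.
    rec["sport_dynamic"] = rec["sport"] > 1024
    rec["service"] = SERVICES.get(rec["dport"], "unknown")
    return rec

def summarize(lines):
    """Count denied packets per (destination port, service)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["verdict"] == "DENY":
            counts[(rec["dport"], rec["service"])] += 1
    return counts

# Constructed sample input (documentation address ranges, not from the post).
SAMPLE = [
    "Dec 30 08:43:17 sentryhost kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.10:4328 198.51.100.5:111 L=40 S=0x00 I=38248 F=0x400",
    "Dec 30 08:43:18 sentryhost kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.10:1150 198.51.100.5:113 L=44 S=0x00 I=38249 F=0x400",
    "Dec 30 08:43:19 sentryhost kernel: unrelated message",
]

if __name__ == "__main__":
    for (dport, service), n in sorted(summarize(SAMPLE).items()):
        print(f"dest port {dport} ({service}): {n} denied")
```

Grouping by destination port rather than source port is what makes repeated probes of one service show up as a single row, however many dynamic source ports the sender used.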