Security Incidents mailing list archives

port 65535 and protocol 171 !?

From: j_bauer () GMX NET (Jürgen Bauer)
Date: Mon, 5 Jun 2000 17:17:54 +0200


hi folks,

in this mailinglist  i read a lot about portscans. what i am searching
for is a site with info about recent scan-incidents.

i have wired things in my log every day. today i had this in my logs and
i am wondering what protocol 171 is ???
and on the ather hand: is port 65535 a special port in some way ???

kernel: Packet log: input - eth0 PROTO=171 216.49.10.227:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.237:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.211:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.236:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.211:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.237:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.236:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.237:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.237:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.236:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.237:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.236:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.237:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.211:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.236:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.237:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)
kernel: Packet log: input - eth0 PROTO=171 216.49.10.211:65535
62.xxx.xxx.xxx:65535 L=44 S=0x00 I=0 F=0x0000 T=235 (#82)

did anyone see something similar and can tell me what this is about ?

ok, enough questions,

thanx,  juergen

Current thread:

Re: FW-1 log analysis tool, (continued)
- - - Re: FW-1 log analysis tool Lance Spitzner (Jun 10)
    - Re: FW-1 log analysis tool Kenneth Ish (Jun 11)
    - port 12345 scanning Luke Dudney (Jun 11)
    - Protocol 54 M J (Jun 07)
    - Re: very strange scan patterns Ejovi Nuwere (Jun 07)
    - hacked @home with logs and info.. nmorgowicz () RALCOIND COM (Jun 07)
    - Re: hacked @home with logs and info.. Shadow Boxer (Jun 08)
    - UDP Port 2078 Dundo (Jun 08)
    - New KAK worm distribution out Roy Wilson (Jun 08)
    - Re: hacked @home with logs and info.. Randy Mclean (Jun 09)
  - port 65535 and protocol 171 !? Jürgen Bauer (Jun 05)
- Re: Microsoft version.binding us now? Tom Kee (Jun 03)
- Re: Microsoft version.binding us now? Richard Bejtlich (Jun 22)
- Re: Microsoft version.binding us now? Oliver Friedrichs (Jun 23)
  - Re: Microsoft version.binding us now? Bill Marquette (Jun 24)
    - Re: Microsoft version.binding us now? John Hall (Jun 27)
- Re: Microsoft version.binding us now? Rune Kristian Viken (Jun 28)