Security Incidents mailing list archives

VirusWall?


From: George Bakos <alpinista () BIGFOOT COM>
Date: Tue, 10 Oct 2000 10:56:54 -0400

The nature of the following activity hasn't yet been pinned down by the
organizational folks at the source, but it does smack of evil doings.  Port
19000 is the default listener for one of the sendmail daemons of
TrendMicro's VirusWall "sandwich" configuration.  Note the sequence & IP id
numbers as well:

04:34:39.469094 146.9.31.161.20 > good.guys.net.host32.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.475976 146.9.31.161.20 > good.guys.net.host33.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.482850 146.9.31.161.20 > good.guys.net.host34.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.521424 146.9.31.161.20 > good.guys.net.host40.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20841)
04:34:39.594107 146.9.31.161.20 > good.guys.net.host50.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)
04:34:39.662068 146.9.31.161.20 > good.guys.net.host60.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)

Correlation:  rbernadino () bta pt posted a similar trace to
firewalls () lists gnac net one hour after this one was logged.

If using VirusWall, consider using ports other than the default, as well as
enabling anti-relaying and firewalling to allow traffic only from
the VirusWall host to the internal mail daemon, bastion-host style.

--
George Bakos, Security Engineer
Electronic Warfare Associates-Information & Infrastructure Technologies
alpinista () bigfoot com
802-338-3213
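
The sweep pattern the post points at (SYNs from a fixed source port 20 to port 19000 across consecutive hosts, with an identical sequence number and repeating IP IDs) can be picked out of tcpdump text mechanically. The following detection routine is an added example, not part of the post or of any VirusWall tooling; it parses the old tcpdump line format quoted above and the sample trace is constructed from those six lines, with `min_hosts` as an assumed threshold.

```python
import re
from collections import defaultdict

# Constructed sample: the six tcpdump lines quoted in the post, destination
# names kept in the sanitised "good.guys.net" form used there.
SAMPLE_TRACE = """\
04:34:39.469094 146.9.31.161.20 > good.guys.net.host32.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.475976 146.9.31.161.20 > good.guys.net.host33.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.482850 146.9.31.161.20 > good.guys.net.host34.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20831)
04:34:39.521424 146.9.31.161.20 > good.guys.net.host40.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20841)
04:34:39.594107 146.9.31.161.20 > good.guys.net.host50.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)
04:34:39.662068 146.9.31.161.20 > good.guys.net.host60.19000: S 1:1(0) win 16383 (DF) (ttl 236, id 20911)
"""

# tcpdump (2000-era) TCP line:
#   time src.sport > dst.dport: flags seq:ack(len) win N [(DF)] (ttl T, id I)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+) "
    r"(?P<seq>\d+):(?P<ack>\d+)\((?P<len>\d+)\) win (?P<win>\d+)"
    r"(?: \(DF\))? \(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)$"
)

def split_endpoint(endpoint):
    """'host.port' -> ('host', port); the port is the last dotted component."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)

def parse_line(line):
    """Return the fields of one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": m["flags"], "seq": int(m["seq"]), "ipid": int(m["ipid"])}

def find_sweeps(text, target_port=19000, min_hosts=3):
    """Report sources that SYN at least min_hosts distinct hosts on target_port,
    with the crafted-packet indicators the post calls out (static source port,
    static sequence number, IP IDs that repeat across packets)."""
    per_src = defaultdict(list)
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["flags"] == "S" and pkt["dport"] == target_port:
            per_src[pkt["src"]].append(pkt)
    findings = {}
    for src, pkts in per_src.items():
        hosts = {p["dst"] for p in pkts}
        if len(hosts) < min_hosts:
            continue
        ipids = [p["ipid"] for p in pkts]
        findings[src] = {"hosts": len(hosts), "sport": pkts[0]["sport"],
                         "static_sport": len({p["sport"] for p in pkts}) == 1,
                         "static_seq": len({p["seq"] for p in pkts}) == 1,
                         "repeated_ipid": len(set(ipids)) < len(ipids)}
    return findings
```

On the quoted trace this flags 146.9.31.161 with all three indicators set; a normal client would roll its source port and initial sequence number on every connection.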

