Security Incidents mailing list archives

Persistent Connection to tcp/1423


From: David Vestal <dk_vestal () seznam cz>
Date: 29 Oct 2003 11:08:42 -0600

According to Google, tcp/1423 is registered to an Essbase service
(www.essbase.com), which seems to be a business/enterprise management suite.

For the past several days I have been receiving packets from one IP
address that concern me a little. I am on ADSL and have closed and
restarted my DSL service a few times to change my IP to try to fix this.
However, regardless of my IP address I eventually start receiving the
same packets again from the same source. My first thought was possibly a
trojan or that my router had been rooted.

I ran chkrootkit with no positive results for trojans. When I built the
router and installed it I kept a copy of the sha1sums for everything
that tripwire keeps track of, and I have tripwire running on the router.
Tripwire has shown nothing, and the sha1sums matched for all.

Running 'ps ax', 'netstat', and 'lsof' shows nothing that I am not
expecting to see there. All the packets that I am receiving have just
the SYN flag set. I receive 3 packets with the same sequence number, then
it changes; over the last two days of monitoring, no two groups of 3
have had the same sequence number. Other than the sequence number the
packets are all identical. My firewall is dropping the packets, and
'iptraf' shows me receiving the packets but nothing going back.

I understand and expect that using a broadband connection I will receive
a number of probes, etc. What concerns me is that regardless of whether
or not I change my IP address I continue receiving the packets from the
same source.

Has anyone else seen this, or does anyone know what it might be and whether
or not I should be concerned?
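The pattern the poster describes (bare SYNs, each sequence number seen three times before it changes, the same source following the connection across IP changes) is the kind of thing that is easiest to confirm from the firewall's own log rather than from a live iptraf screen. The script below is an added example, not the poster's code or anything from the thread: it parses iptables LOG lines (assuming the rule was logged with --log-tcp-sequence so that a SEQ= field is present), groups bare SYNs by source address and destination port, tracks how many times each sequence number repeats, and reports sources that kept probing after the local address changed. The log lines, addresses and timestamps in SAMPLE_LOG are constructed for the example and use documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed sample in iptables LOG format (SEQ= appears with --log-tcp-sequence).
# 192.0.2.10 mirrors the behaviour in the post: three SYNs per sequence number,
# new sequence number on the next attempt, and the probing continues after the
# local address (DST) changes. 203.0.113.5 is ordinary background noise.
SAMPLE_LOG = """\
Oct 28 09:00:01 router kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TTL=113 ID=4401 DF PROTO=TCP SPT=3061 DPT=1423 SEQ=1000 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 28 09:00:04 router kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TTL=113 ID=4402 DF PROTO=TCP SPT=3061 DPT=1423 SEQ=1000 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 28 09:00:10 router kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TTL=113 ID=4403 DF PROTO=TCP SPT=3061 DPT=1423 SEQ=1000 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 28 09:01:30 router kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TTL=113 ID=4410 DF PROTO=TCP SPT=3062 DPT=1423 SEQ=2000 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 28 09:01:33 router kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TTL=113 ID=4411 DF PROTO=TCP SPT=3062 DPT=1423 SEQ=2000 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 28 09:01:39 router kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TTL=113 ID=4412 DF PROTO=TCP SPT=3062 DPT=1423 SEQ=2000 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 29 10:15:02 router kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.42 LEN=48 TTL=113 ID=5120 DF PROTO=TCP SPT=3099 DPT=1423 SEQ=3000 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 29 10:15:05 router kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.42 LEN=48 TTL=113 ID=5121 DF PROTO=TCP SPT=3099 DPT=1423 SEQ=3000 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 29 10:15:11 router kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.42 LEN=48 TTL=113 ID=5122 DF PROTO=TCP SPT=3099 DPT=1423 SEQ=3000 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 29 10:20:00 router kernel: DROP IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.42 LEN=48 TTL=50 ID=9 DF PROTO=TCP SPT=40000 DPT=445 SEQ=777 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
FLAG_NAMES = ("SYN", "ACK", "FIN", "RST", "PSH")


def parse_line(line):
    """Parse one iptables LOG line into a dict; return None for non-TCP lines."""
    fields = dict(KV_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    tokens = line.split()
    # TCP flags are printed as bare tokens (SYN, ACK, ...), not KEY=VALUE pairs.
    flags = {f for f in FLAG_NAMES if f in tokens}
    return {
        "day": " ".join(tokens[:2]),  # syslog month and day, e.g. "Oct 28"
        "src": fields["SRC"],
        "dst": fields["DST"],
        "dport": int(fields["DPT"]),
        "seq": int(fields["SEQ"]) if "SEQ" in fields else None,
        "flags": flags,
    }


def summarize(log_text):
    """Group bare SYNs (SYN set, ACK clear) by (source address, destination port).

    seq_runs records consecutive repeats of the same sequence number as
    [seq, count] pairs, so a client retrying a SYN shows up as runs of equal length.
    """
    groups = defaultdict(lambda: {"syn_count": 0, "dsts": set(), "days": set(), "seq_runs": []})
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or "SYN" not in pkt["flags"] or "ACK" in pkt["flags"]:
            continue
        g = groups[(pkt["src"], pkt["dport"])]
        g["syn_count"] += 1
        g["dsts"].add(pkt["dst"])
        g["days"].add(pkt["day"])
        runs = g["seq_runs"]
        if runs and runs[-1][0] == pkt["seq"]:
            runs[-1][1] += 1
        else:
            runs.append([pkt["seq"], 1])
    return dict(groups)


def assess(groups, min_syns=6):
    """Turn the per-source summary into defender-facing findings (one string each)."""
    findings = []
    for (src, dport), g in sorted(groups.items()):
        if g["syn_count"] < min_syns:
            continue  # too little traffic to call it persistent
        notes = []
        if len(g["dsts"]) > 1:
            notes.append(f"followed {len(g['dsts'])} different local addresses")
        run_lengths = {count for _, count in g["seq_runs"]}
        if len(run_lengths) == 1 and g["seq_runs"][0][1] > 1:
            n = g["seq_runs"][0][1]
            notes.append(f"every SYN is retried {n} times with the same sequence number, "
                         "consistent with a client retransmitting after getting no reply")
        findings.append(f"{src} -> tcp/{dport}: {g['syn_count']} SYNs over "
                        f"{len(g['days'])} day(s); " + "; ".join(notes))
    return findings


if __name__ == "__main__":
    for finding in assess(summarize(SAMPLE_LOG)):
        print(finding)
```

The run-length check is the useful part: a TCP stack that sends a SYN, gets nothing back (the firewall drops it) and retransmits the same segment a fixed number of times before giving up produces exactly the "3 with the same sequence number, then a new one" shape, whereas a scanner that crafts its own packets rarely retransmits at all. That does not by itself say what is on the other end, but it narrows the question to why a single remote host keeps trying to open a real connection to this port, which is what the poster is asking.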

