Security Incidents mailing list archives
Persistent Connection to tcp/1423
From: David Vestal <dk_vestal () seznam cz>
Date: 29 Oct 2003 11:08:42 -0600
According to Google, tcp/1423 is registered to an Essbase service (www.essbase.com), which seems to be a business/enterprise management suite. For the past several days I have been receiving packets from one IP address that concern me a little. I am on ADSL and have closed and restarted my DSL service a few times to change my IP to try to fix this. However, regardless of my IP address I eventually start receiving the same packets again from the same source.

My first thought was possibly a trojan or that my router had been rooted. I ran chkrootkit with no positive results for trojans. When I built the router and installed it I kept a copy of the sha1sums for everything that tripwire keeps track of, and I have tripwire running on the router. Tripwire has shown nothing, and the sha1sums matched for all. Running 'ps ax', 'netstat', and 'lsof' shows nothing that I am not expecting to see there.

All the packets that I am receiving have just the SYN flag set. I receive 3 packets with the same sequence number, then it changes; over the last two days of monitoring, no two groups of 3 have had the same sequence number. Other than the sequence number the packets are all identical. My firewall is dropping the packets, and 'iptraf' shows me receiving the packets but nothing going back.

I understand and expect that using a broadband connection I will receive a number of probes, etc. What concerns me is that regardless of whether or not I change my IP address I continue receiving the packets from the same source. Has anyone else seen this, or know what it might be and whether or not I should be concerned?
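As an added example (not part of the original post), one way to check the pattern described above against a firewall log: the script below groups SYN-only packets by source and destination port, counts how often each sequence number repeats, and separates the "same sequence number three times, then a new one" pattern (a client TCP stack retransmitting an unanswered SYN) from one-off probes. It assumes the router logs dropped packets with an iptables LOG rule run with --log-tcp-sequence so that a SEQ= field is present; the log lines are constructed, with addresses from documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original post) in the format an
# iptables LOG rule emits with --log-tcp-sequence. Addresses are documentation
# ranges. Six SYNs from one source to tcp/1423 (two attempts, three each),
# plus one unrelated single probe to tcp/22.
SAMPLE_LOG = """\
Oct 29 10:01:03 router kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=113 ID=1 DF PROTO=TCP SPT=3456 DPT=1423 SEQ=1000 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 10:01:06 router kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=113 ID=2 DF PROTO=TCP SPT=3456 DPT=1423 SEQ=1000 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 10:01:12 router kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=113 ID=3 DF PROTO=TCP SPT=3456 DPT=1423 SEQ=1000 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 10:05:40 router kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=113 ID=4 DF PROTO=TCP SPT=3456 DPT=1423 SEQ=2000 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 10:05:43 router kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=113 ID=5 DF PROTO=TCP SPT=3456 DPT=1423 SEQ=2000 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 10:05:49 router kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=113 ID=6 DF PROTO=TCP SPT=3456 DPT=1423 SEQ=2000 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 29 10:07:00 router kernel: IN=ppp0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=40 TTL=50 ID=7 PROTO=TCP SPT=40000 DPT=22 SEQ=5 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT|SEQ)=(\S+)")
# Flag names appear bare after RES=; the (?!=) lookahead skips the ACK=0 field.
FLAG = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b(?!=)")

def parse_syn_only(line):
    """Return (src, dport, seq) for a TCP packet with only SYN set, else None."""
    f = dict(FIELD.findall(line))
    if f.get("PROTO") != "TCP" or "SEQ" not in f:
        return None
    if set(FLAG.findall(line)) != {"SYN"}:
        return None
    return f["SRC"], int(f["DPT"]), int(f["SEQ"])

def syn_groups(log_text):
    """Map (src, dport) -> {seq: number of SYN-only packets seen with that seq}."""
    groups = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_syn_only(line)
        if parsed:
            src, dport, seq = parsed
            groups[(src, dport)][seq] += 1
    return groups

def classify(seq_counts):
    """A real TCP stack retransmits an unanswered SYN with the same sequence
    number, so every SEQ repeating points to a client retrying connect();
    all-distinct SEQ values look more like one-off probes."""
    repeats = list(seq_counts.values())
    if len(repeats) >= 2 and min(repeats) >= 2:
        return "retransmitting-client"
    return "single-probes" if max(repeats) == 1 else "mixed"

def report(log_text):
    """Per (src, dport): number of distinct connection attempts and a verdict."""
    return {key: {"attempts": len(seqs), "verdict": classify(seqs)}
            for key, seqs in syn_groups(log_text).items()}

if __name__ == "__main__":
    for (src, dport), info in report(SAMPLE_LOG).items():
        print(f"{src} -> tcp/{dport}: {info['attempts']} attempt(s), {info['verdict']}")
```

A "retransmitting-client" verdict means the sender's TCP stack is genuinely trying to complete a handshake, which is still consistent with the firewall dropping the SYN; it says nothing about whether the local host is compromised, which the host checks in the post address.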