Security Incidents mailing list archives
re: port 4899
From: jdurick <jdurick () mitre org>
Date: Thu, 08 Apr 2004 08:49:41 -0400
Seeing a lot of hits the past few days on port 4899/tcp and wondering if anyone is seeing the same... Did some research and found a link about that specific port [http://www.securityfocus.com/archive/1/290099/2002-09-01/2002-09-07/0]. Apparently, a tool called Radmin uses that port for remote access. Anyway, here are some snips of my traffic...
Filter that generated (using ARGUS) this traffic: ra -nzcr $ARGUS/$TODAY*ext* - $NOT_SRC_HOME and $DST_HOME
--snip--
07 Apr 04 22:05:31 tcp 211.44.252.204.28127 -> xxx.xxx.xxx.xxx.4899 2 0 124 0 s
07 Apr 04 22:05:31 tcp 211.44.252.204.53070 -> xxx.xxx.xxx.xxx.4899 2 0 124 0 s
07 Apr 04 22:05:31 tcp 211.44.252.204.14860 -> xxx.xxx.xxx.xxx.4899 2 0 124 0 s
07 Apr 04 22:05:31 tcp 211.44.252.204.31254 -> xxx.xxx.xxx.xxx.4899 2 0 124
07 Apr 04 18:22:11 tcp 65.94.49.70.2645 -> xxx.xxx.xxx.xxx.4899 2 0 124 0 s
07 Apr 04 18:22:11 tcp 65.94.49.70.2646 -> xxx.xxx.xxx.xxx.4899 2 0 124 0 s
07 Apr 04 18:22:11 tcp 65.94.49.70.2648 -> xxx.xxx.xxx.xxx.4899 2 0 124 0 s
07 Apr 04 18:22:11 tcp 65.94.49.70.2647 -> xxx.xxx.xxx.xxx.4899 2 0 124
-snip-
There are too many hits for it to be a misconfiguration issue. I put a special rule in my fw ruleset to drop those immediately, other than that, I will keep looking around for more info....
jd
--
JD Durick
Senior INFOSEC Engineer
The MITRE Corporation
jdurick () mitre org
703-883-5543
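Added example, not part of the original post: a Python script that parses ra records in the layout quoted above and reports sources with repeated unanswered flows to 4899/tcp. It assumes the columns after the destination are source packets, destination packets, source bytes, destination bytes and TCP state; the sample records, addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the ra output quoted in the post;
# addresses are documentation ranges, not the hosts from the post.
SAMPLE = """\
--snip--
07 Apr 04 22:05:31 tcp 198.51.100.7.28127 -> 192.0.2.10.4899 2 0 124 0 s
07 Apr 04 22:05:31 tcp 198.51.100.7.53070 -> 192.0.2.11.4899 2 0 124 0 s
07 Apr 04 22:05:32 tcp 198.51.100.7.14860 -> 192.0.2.12.4899 2 0 124
07 Apr 04 22:06:10 tcp 203.0.113.9.40112 -> 192.0.2.10.80 6 5 812 4410 sSEfF
07 Apr 04 23:40:02 tcp 203.0.113.50.2645 -> 192.0.2.10.4899 2 0 124 0 s
"""

# Assumed layout: time proto src.sport -> dst.dport spkts dpkts [sbytes dbytes state]
# Trailing fields are optional so a record cut short still parses.
REC = re.compile(
    r"^(\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(\w+)\s+"
    r"(\d+(?:\.\d+){3})\.(\d+)\s+->\s+(\S+)\.(\d+)\s+(\d+)\s+(\d+)"
)

def parse(text):
    """Yield (time, src, dst, dport, dst_pkts) for each parsable record."""
    for line in text.splitlines():
        m = REC.match(line.strip())
        if not m:
            continue  # skip '--snip--' markers and other non-records
        ts = datetime.strptime(m.group(1), "%d %b %y %H:%M:%S")
        yield ts, m.group(3), m.group(5), int(m.group(6)), int(m.group(8))

def unanswered_probes(text, port=4899, min_flows=3, window=timedelta(minutes=5)):
    """Sources with >= min_flows unanswered flows to `port` inside `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, dpkts in parse(text):
        if dport == port and dpkts == 0:  # destination never replied
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i in range(len(hits) - min_flows + 1):
            if hits[i + min_flows - 1][0] - hits[i][0] <= window:
                flagged[src] = {"flows": len(hits),
                                "targets": sorted({d for _, d in hits})}
                break
    return flagged

if __name__ == "__main__":
    for src, info in unanswered_probes(SAMPLE).items():
        print(src, info)
```

Feed it the text output of the same ra filter; a source that only appears once, or whose flows received replies, is not reported.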