Security Incidents mailing list archives
Re: Source port 445,80
From: Valdis.Kletnieks () vt edu
Date: Wed, 05 Sep 2007 17:36:18 -0400
On Wed, 05 Sep 2007 18:47:42 +0800, Wong Yu Liang said:
Lately I've been getting a lot of awkward alerts with source port 445. A few different source IPs are connecting to one single IP from source port 445, to random destination high ports.
Is the destination IP address one that could conceivably be calling the *source* IPs on those ports, and you're looking at the *return* traffic? If so, it could be that the destination IP is being tricked into visiting malicious websites and the like, and what you're seeing is the website sending more malware down the now-open connection...

(Just asking, because for a *long* time, we had to keep a canned response form for "ntp-1.vt.edu is hacking my ports from its port 123" complaints. Of course, the *real* story was they enabled NTP, sent us a packet - and then their firewall software triggered on the reply).
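The return-traffic check suggested in the reply above, as an added example that is not part of the original message: it labels each packet arriving from a well-known source port as a reply to a connection the destination opened earlier, or as unsolicited. The packet records, the documentation-range addresses, the watched port set and the 120-second window are all constructed assumptions.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport proto flags")

WATCHED = {80, 123, 445}  # server ports that look odd as a *source* port (assumed set)
WINDOW = 120              # seconds a request stays "open" without a reply (assumed)

def classify(packets, watched=WATCHED, window=WINDOW):
    """Label packets sent from a watched port as 'reply' or 'unsolicited'."""
    initiated = {}  # (client, cport, server, sport, proto) -> time last seen
    verdicts = []
    for p in sorted(packets, key=lambda p: p.ts):
        # Reverse the tuple: did this packet's destination call the source first?
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        seen = initiated.get(reverse)
        if p.sport in watched and seen is not None and p.ts - seen <= window:
            if p.proto == "tcp":
                initiated[reverse] = p.ts  # keep a long-lived TCP session alive
            verdicts.append((p, "reply"))
        elif p.dport in watched and (p.proto == "udp" or p.flags == "S"):
            # Client-initiated: a bare TCP SYN or a UDP datagram to a watched port.
            initiated[(p.src, p.sport, p.dst, p.dport, p.proto)] = p.ts
        elif p.sport in watched:
            verdicts.append((p, "unsolicited"))
    return verdicts

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    Pkt(0.0,   "192.0.2.10", 51000, "198.51.100.5", 445, "tcp", "S"),
    Pkt(0.1,   "198.51.100.5", 445, "192.0.2.10", 51000, "tcp", "SA"),
    Pkt(5.0,   "203.0.113.9", 445, "192.0.2.10", 40123, "tcp", "SA"),
    Pkt(10.0,  "192.0.2.20", 34567, "198.51.100.123", 123, "udp", ""),
    Pkt(10.05, "198.51.100.123", 123, "192.0.2.20", 34567, "udp", ""),
    Pkt(500.0, "198.51.100.123", 123, "192.0.2.20", 34567, "udp", ""),
]

if __name__ == "__main__":
    for pkt, verdict in classify(SAMPLE):
        print(f"{pkt.ts:7.2f} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport} {pkt.proto} {verdict}")
```

Alerts labelled `reply` point back at the internal host that opened the connection; only the `unsolicited` ones match what the alert text literally claims.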