Subject: Re: Port 65535, again
From: vventura SIA.PT
Date: Tue Apr 11 2000 - 04:23:35 CDT
- Next message: Brian McKinney: "Re: rooted by r0x - from address 212.177.241.127"
- Previous message: Klavs Klavsen: "fragment attack of some kind ?"
- In reply to: Jens Hektor: "Port 65535, again"
- Reply: vventura SIA.PT: "Re: Port 65535, again"
Hi,
there are at least two trojans that listen on that port,
probably someone is probing for those trojans.
Hi,
we had this thread already in February but the answers
to this problem were a bit vague.
So another chance to clarify this: more than one month
later, same (and another one) source machine(s), same
signature.
Apr 3 10:01:09 X.Y kernel: Packet log: input REJECT eth1
PROTO=6 209.1.224.16:65535 134.130.X.Y:65535 L=52 S=0x00
I=5405 F=0x0093 T=237 (#106)
Apr 5 15:43:24 X.Y kernel: Packet log: input REJECT eth1
PROTO=6 192.115.221.125:65535 134.130.X.Y:65535 L=28 S=0x00
I=18772 F=0x00B8 T=50 (#106)
In contrast to the older case, these packets do not come
very regularly every 2 minutes, though sometimes there is an
exactly 2-minute time-distance.
The destination was exactly one machine (X.Y).
Bye, Jens
> Feb 29 07:12:25 firepower kernel: Packet log: private1
> DENY eth0 PROTO=6
> 192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00
> I=15817 F=0x00B8 T=47
> (#7)
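One way to check for the pattern discussed in this thread, as an added example that is not part of the original messages: a Python parser for ipchains packet-log lines that groups TCP packets whose source and destination port are both 65535 by source address and reports the spacing between hits. The sample lines, the host name `gw` and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# ipchains fields: L=length, S=TOS, I=IP ID, F=fragment field, T=TTL, (#rule).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ \S+ \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[^:\s]+):(?P<sport>\d+) "
    r"(?P<dst>[^:\s]+):(?P<dport>\d+) L=(?P<len>\d+) S=\S+ I=\d+ "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=\d+"
)

# Constructed sample input (documentation addresses, hypothetical host "gw").
SAMPLE = """\
Feb 29 07:12:25 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.125:65535 198.51.100.7:65535 L=28 S=0x00 I=15817 F=0x00B8 T=47 (#7)
Feb 29 07:14:25 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.125:65535 198.51.100.7:65535 L=28 S=0x00 I=15901 F=0x00B8 T=47 (#7)
Feb 29 07:15:00 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:1042 198.51.100.7:80 L=44 S=0x00 I=311 F=0x0000 T=52 (#7)
Feb 29 07:19:40 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.125:65535 198.51.100.7:65535 L=28 S=0x00 I=16022 F=0x00B8 T=47 (#7)
Feb 29 07:20:01 gw sshd[412]: unrelated syslog line
Apr  3 10:01:09 gw kernel: Packet log: input REJECT eth1 PROTO=6 192.0.2.16:65535 198.51.100.7:65535 L=52 S=0x00 I=5405 F=0x0093 T=237 (#106)
""".splitlines()

def parse(line, year):
    """Return the fields of one packet-log line, or None for any other line."""
    m = LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Syslog omits the year; supply it, since strptime's default (1900) rejects Feb 29.
    stamp = " ".join(rec["ts"].split())
    rec["time"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return rec

def mirrored_port_report(lines, port=65535, year=2000):
    """Per source: hit count, targets, (L, F) signatures and gaps in seconds."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse(line, year)
        if rec and rec["proto"] == "6" and int(rec["sport"]) == int(rec["dport"]) == port:
            by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        times = sorted(r["time"] for r in recs)
        report[src] = {
            "count": len(recs),
            "targets": sorted({r["dst"] for r in recs}),
            "signatures": sorted({(int(r["len"]), r["frag"]) for r in recs}),
            "gaps_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])],
        }
    return report
```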