From: H C (keydet89_at_yahoo.com)
Date: Mon Jul 22 2002 - 12:29:51 CDT
Ken,

I'm really kind of surprised that a CISSP is taking this approach to such a problem.

Okay...this group has identified a number of UDP packets headed for this port. Fine. *How* did they find them? Were they dropped by a firewall? If so...so what? Better to spend the time on things that matter than chasing after shiny objects.

Were they logged by an IDS? If so, what data is carried in the datagram?

Assuming that no egress filtering is being done by this group, maybe what they can do is identify the systems using the destination IPs of the datagrams, then go to those boxes and run fport.exe (NT/2K) or 'netstat -ano' (XP) or lsof (Linux) to see if anything *is*, in fact, listening on that port.

--- Ken Grossman <kgrossman_at_dazzling.com> wrote:
> All,
>
> One of the groups that I support has been seeing a lot of scanning for UDP
> port 4668. Before you ask, they did not quantify "a lot". One of the
> questions that they have is what are the scanners looking for that is
> running on that port. I checked the IANA port listing at
> www.iana.org/assignments/port-numbers and found that the port number (TCP
> and UDP) is unassigned. I also performed a check on the SecurityFocus site
> to see if this had been discussed before but found nothing on it. Does
> anyone know what could be running on that port number? Thanks for your
> assistance.
>
>
> Ken Grossman, CISSP
> kgrossman_at_dazzling.com
> (202) 401-7142
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management
> and tracking system please see:
> http://aris.securityfocus.com
>
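
The listener check suggested in the reply above, for the Linux case, as an added example that is not part of the original message: it reads the kernel's UDP socket table from /proc/net/udp and maps a matching socket to the processes holding it, the same question lsof answers. The sample table, the function names and the little-endian host assumption belong to this example.

```python
import os

PORT = 4668  # UDP port from the thread

# Constructed sample in /proc/net/udp layout (not taken from a real host).
SAMPLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "  101: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 15321 2 0 0\n"
    "  202: 0100007F:123C 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 48213 2 0 0\n"
)

def udp_sockets(table):
    """Yield (ip, port, uid, inode) for each IPv4 row of a /proc/net/udp table."""
    for line in table.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        hex_ip, hex_port = f[1].split(":")
        # Assumes a little-endian host, where the address bytes print reversed.
        ip = ".".join(str(b) for b in bytes.fromhex(hex_ip)[::-1])
        yield ip, int(hex_port, 16), int(f[7]), int(f[9])

def bound_to(table, port=PORT):
    """Return the sockets in the table whose local port equals `port`."""
    return [s for s in udp_sockets(table) if s[1] == port]

def owning_pids(inode, proc="/proc"):
    """PIDs with an fd on the socket inode; other users' processes need root."""
    target = f"socket:[{inode}]"
    pids = set()
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.add(int(pid))
        except OSError:  # process exited or fd table not readable
            continue
    return sorted(pids)

if __name__ == "__main__":
    with open("/proc/net/udp") as fh:
        hits = bound_to(fh.read())
    for ip, port, uid, inode in hits:
        print(f"UDP {ip}:{port} uid={uid} inode={inode} pids={owning_pids(inode)}")
    if not hits:
        print(f"nothing bound to UDP {PORT} (IPv4)")
```

IPv6 sockets are listed separately in /proc/net/udp6 and are not covered here.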