Re: Port 788 (Was: hitting the "on" switch)
Dave Roberts (dave.roberts@saaconsultants.com)
Fri, 19 Sep 1997 11:58:46 +0100 (BST)
- Next message: Giesinger, Nick HE0: "RE: Port 788 (Was: hitting the "on" switch)"
- Previous message: MSITMI02.XZ46G8@eds.com: "Re: Proxies and CHAP"
- Maybe in reply to: Russ: "Proxies and CHAP"
- Next in thread: Giesinger, Nick HE0: "RE: Port 788 (Was: hitting the "on" switch)"
On Thu, 18 Sep 1997, Kees Hendrikse wrote:
> I'm puzzled by the following log entries from my Cisco (edited):
>
> Sep 3 21:46:13 tcp A.B.C.D(788) -> Z.Z.Z.116(2148), 1 packet
>
> In July and August only A.B.C.D was sending these packets; now I have
> two of them. Any ideas what these guys are trying to do? As far as I
> know, there are no well-known services using port 788.
> By the way, Z.Z.Z.116 has never been in active use.

Sounds more like someone is using Z.Z.Z.116 as a source address for
spoofed packets. Some "bad person" is attacking 788 on A.B.C.D, using
an address in your space, and you're seeing the reply (SYN|ACK) from the
remote site - hence the "random" port number for your "machine".

Anyone know how to get Ciscos to log the TCP flags? I can't get mine to
do it either. IOS 11.1 if you please :) Without the flags, some of
those log entries get mighty confusing.

--
Dave Roberts
SAA Consultants Ltd
Plymouth, UK
For PGP Key - send mail with subject of 'get pgp':-
< 51 4B 6A 35 3F C4 B6 3D 13 88 0C B2 48 61 51 1C>
Telephone: +44 1752 606000 Fax: +44 1752 606838
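
The reasoning in the reply above, as an added example that is not part of the original post: a small Python triage script that flags log entries shaped like replies to spoofed packets (TCP, low source port, high destination port, destination address known to be unused). The log format is the edited one quoted in the message; the addresses, the `UNUSED` set and the port-1024 threshold are constructed assumptions, and without TCP flags in the log this remains a heuristic.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Matches the edited log format quoted in the thread:
#   Sep 3 21:46:13 tcp A.B.C.D(788) -> Z.Z.Z.116(2148), 1 packet
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?$"
)

def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"proto": d["proto"], "src": ip_address(d["src"]),
            "sport": int(d["sport"]), "dst": ip_address(d["dst"]),
            "dport": int(d["dport"]), "count": int(d["count"])}

def likely_backscatter(e, unused_hosts):
    """Assumed heuristic: a TCP packet from a low (service) port to a high
    (client-style) port on an address that never originates traffic looks
    like a reply to a packet someone else sent with that source address."""
    return (e["proto"] == "tcp" and e["dst"] in unused_hosts
            and e["sport"] < 1024 and e["dport"] >= 1024)

def summarize(lines, unused_hosts):
    """Total suspected reply packets per (remote host, remote port)."""
    hits = defaultdict(int)
    for line in lines:
        e = parse(line)
        if e and likely_backscatter(e, unused_hosts):
            hits[(str(e["src"]), e["sport"])] += e["count"]
    return dict(hits)

# Constructed sample data (documentation address ranges, not real hosts).
UNUSED = {ip_address("192.0.2.116")}
SAMPLE = [
    "Sep  3 21:46:13 tcp 198.51.100.7(788) -> 192.0.2.116(2148), 1 packet",
    "Sep  3 21:50:02 tcp 198.51.100.7(788) -> 192.0.2.116(2150), 2 packets",
    "Sep  4 02:11:40 tcp 203.0.113.9(788) -> 192.0.2.116(3301), 1 packet",
    "Sep  4 02:12:05 tcp 203.0.113.9(4012) -> 192.0.2.116(23), 1 packet",
    "Sep  4 02:13:00 tcp 203.0.113.9(80) -> 192.0.2.10(1055), 3 packets",
    "Sep  4 02:14:00 udp 203.0.113.9(53) -> 192.0.2.116(1055), 1 packet",
]

if __name__ == "__main__":
    for (host, port), n in summarize(SAMPLE, UNUSED).items():
        print(f"{host} port {port}: {n} suspected reply packet(s)")
```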
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT