Date: Mon, 11 Oct 1999 09:52:31 +0000
From: bK <bertke@bellsouth.net>
To: "N. N.M" <madrapour@hotmail.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Port 31789 scanning and ...
Message-ID: <3801B35F.4451ED2F@bellsouth.net>
References: <19991010073125.93991.qmail@hotmail.com> <199910102037.OAA11369@mt.sri.com>
By default a traceroute uses 33435 as the first packet.

    "udp", IPPROTO_UDP, sizeof(struct udphdr), 32768 + 666, udp_prep, udp_check

It is initialized at 33434 but is incremented by one before being sent to make 33435. Of course someone could use the -p option with traceroute to alter the destination port.

OTOH straight from: http://www.robertgraham.com/pubs/firewall-seen.html

    31789 Hack-a-tack
    UDP traffic on this port is currently being seen due to the "Hack-a-tack" RAT (Remote Access Trojan).

Looks like some kiddies might be loose. As always keep your virus software updated; it might not hurt to look at the data in the UDP packets and research this trojan more.

Bert

Nate Williams wrote:
>
> > 1) I have IPFW and by studying its daily logs I found out that somebody
> > scans the port 31789 of all the servers and even clients in my network. What
> > can be potentially found on this port?
>
> If it's a UDP packet, it's probably someone running traceroute.
>
> > 2) There was another log entry in the log files which makes no sense for me.
> > That is as the follow:
> >
> > Oct 9 23:21:43 firewall /kernel: ipfw: 147 Deny TCP Y.Y.Y.Y X.X.X.X in via
> > ed1 Fragment = 147
>
> This happens with buggy stacks, and is common. I see it often from my
> Win95 boxes....
>
> Nate
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
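The thread distinguishes three things an ipfw Deny line can mean: a traceroute probe (UDP to 33435 and the ports above it), a probe for the Hack-a-tack RAT port 31789, and a non-initial fragment from a buggy stack. The following is an added example, not code from the thread, that sorts constructed ipfw log lines in the format quoted above into those classes and reports which sources swept port 31789 across several hosts; the size of the traceroute port range is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample ipfw lines in the style quoted in the thread (not real traffic).
SAMPLE_LOG = """\
Oct  9 23:21:43 firewall /kernel: ipfw: 147 Deny TCP 192.0.2.44 198.51.100.7 in via ed1 Fragment = 147
Oct  9 23:22:01 firewall /kernel: ipfw: 150 Deny UDP 192.0.2.44:41022 198.51.100.7:33435 in via ed1
Oct  9 23:22:01 firewall /kernel: ipfw: 150 Deny UDP 192.0.2.44:41022 198.51.100.7:33436 in via ed1
Oct  9 23:22:01 firewall /kernel: ipfw: 150 Deny UDP 192.0.2.44:41022 198.51.100.7:33437 in via ed1
Oct  9 23:30:12 firewall /kernel: ipfw: 150 Deny UDP 203.0.113.9:1234 198.51.100.7:31789 in via ed1
Oct  9 23:30:12 firewall /kernel: ipfw: 150 Deny UDP 203.0.113.9:1234 198.51.100.8:31789 in via ed1
"""

# Matches both the addr:port form and the port-less "Fragment = N" form shown in the thread.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)(?: Fragment = (?P<frag>\d+))?"
)

TRACEROUTE_BASE = 32768 + 666          # 33434, as in the traceroute source quoted above
# traceroute bumps the port once per probe; 256 ports of headroom is an assumption.
TRACEROUTE_PORTS = range(TRACEROUTE_BASE + 1, TRACEROUTE_BASE + 256)
HACKATACK_PORT = 31789                 # from the firewall-seen list quoted above

def classify(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    if f["frag"] is not None:
        return "fragment"              # non-initial fragment, no ports logged
    dport = int(f["dport"]) if f["dport"] else None
    if f["proto"] == "UDP" and dport == HACKATACK_PORT:
        return "hackatack-probe"
    if f["proto"] == "UDP" and dport in TRACEROUTE_PORTS:
        return "traceroute"
    return "other"

def summarize(log):
    return Counter(c for c in (classify(l) for l in log.splitlines()) if c)

def port_31789_sweeps(log, min_hosts=2):
    """Return {source: sorted destinations} for sources hitting 31789 on >= min_hosts hosts."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m and classify(line) == "hackatack-probe":
            seen[m.group("src")].add(m.group("dst"))
    return {src: sorted(d) for src, d in seen.items() if len(d) >= min_hosts}
```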