Date: Sun, 9 Aug 1998 14:16:34 -0500 (CDT)
From: Jay Nelson
To: sthaug@nethelp.no
cc: freebsd-security@FreeBSD.ORG
Subject: Re: What are these connect attempts?
In-Reply-To: <12622.902689735@verdi.nethelp.no>

Ahh.. I understand. Thanks.

-- Jay

On Sun, 9 Aug 1998 sthaug@nethelp.no wrote:

>> >traceroute.
>>
>> Did that.
>
>I guess I was a bit terse. What *you* are seeing is somebody running
>traceroute against your machine.
>
>> Except for the 195.8.97.66, which is ns5.isi.net, they all
>> seem to come from shortcut.???.isi.net. They all trace back to a
>> running machine. What are they looking for and what do they expect to
>> find at those high port numbers?
>
>That's precisely the point - they *don't* expect to find anything at
>those high port numbers on your machine. The high port numbers are used
>to minimize the probability that traceroute will collide with a running
>application.
>
>traceroute normally starts at port (32768 + 666) and runs up from there.
>
>Steinar Haug, Nethelp consulting, sthaug@nethelp.no
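
An added example, not part of the original thread: a small log triage script that picks out sources whose refused UDP datagrams match the traceroute pattern described above (ports counting up from 32768 + 666). The log line format, the sample addresses and the 30-hop, 3-probes-per-hop defaults are assumptions made for the example.

```python
import re
from collections import defaultdict

BASE_PORT = 32768 + 666   # 33434, the starting port given in the thread
PORT_SPAN = 30 * 3        # assumption: classic defaults, 30 hops x 3 probes

# Assumed log format for refused UDP datagrams (constructed for this example).
LINE_RE = re.compile(r"Connection attempt to UDP \S+:(\d+) from (\S+):\d+")

# Constructed sample log; all addresses are from documentation ranges.
SAMPLE_LOG = """\
Aug  9 12:01:10 host /kernel: Connection attempt to UDP 192.0.2.10:33458 from 198.51.100.7:40112
Aug  9 12:01:10 host /kernel: Connection attempt to UDP 192.0.2.10:33459 from 198.51.100.7:40112
Aug  9 12:01:11 host /kernel: Connection attempt to UDP 192.0.2.10:33460 from 198.51.100.7:40112
Aug  9 12:03:42 host /kernel: Connection attempt to UDP 192.0.2.10:33500 from 203.0.113.5:1025
Aug  9 12:05:00 host /kernel: Connection attempt to UDP 192.0.2.10:2049 from 203.0.113.9:900
"""

def traceroute_sources(log_text, min_run=3):
    """Map source IP -> sorted destination ports for traceroute-like probes.

    Only probes whose TTL was large enough reach the target, so the target
    sees a short run of consecutive ports somewhere above BASE_PORT, not a
    run that begins at BASE_PORT itself.
    """
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dport, src = int(m.group(1)), m.group(2)
        if BASE_PORT <= dport < BASE_PORT + PORT_SPAN:
            ports_by_src[src].add(dport)

    flagged = {}
    for src, ports in ports_by_src.items():
        ordered = sorted(ports)
        run = best = 1
        # One port per probe: look for the longest run of consecutive ports.
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[src] = ordered
    return flagged

if __name__ == "__main__":
    for src, ports in traceroute_sources(SAMPLE_LOG).items():
        print(f"{src}: likely traceroute, ports {ports[0]}-{ports[-1]}")
```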