From owner-freebsd-security Sun Aug 4 9:10:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C8ECF37B400 for ; Sun, 4 Aug 2002 09:10:29 -0700 (PDT)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6010F43E5E for ; Sun, 4 Aug 2002 09:10:25 -0700 (PDT) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id BAA09130 for ; Mon, 5 Aug 2002 01:46:18 +1000 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Mon, 5 Aug 2002 01:46:18 +1000 (EST)
From: Ian Smith
To: freebsd-security@FreeBSD.org
Subject: port 6112 ?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I'd been seeing lots of widely sourced, irregular scans over our public subnet for TCP port 6112 ('dtspcd'?), along with some other ports that are also being scanned semi-regularly, including 1524 (ingreslock, more likely pcserver trojan) and TCP 17300 (?) along with bucketloads of TCP 1433 (ms-sql-s) .. as does everyone else, I guess.

I recently added ipfw rules to separate these out from the general (denied) cruft, so as not to blow out the log limiting and thus obscure the more interesting stuff.

Today I notice a dialup user getting and sending UDP packets on 6112, with various IPs; looks to be a fairly steady stream of in- and outbound traffic at about 800cps each way over, say, half-hour sessions.

Game, trojan, or yet another messenger type thing?

I've already checked http://www.robertgraham.com/pubs/firewall-seen.html

Cheers, Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
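As an added example (not part of Ian's post and not FreeBSD project code), here is one way to do what the post describes: give each noisy scanned port its own logging deny rule, so that each rule gets its own share of the per-rule net.inet.ip.fw.verbose_limit budget and a flood on one port cannot crowd out log entries for the others, and then summarise the resulting ipfw syslog lines per destination port with a distinct-source count, which is what distinguishes a widely sourced scan from a single chatty host. The rule numbers, the interface name fxp0, the addresses and the sample log lines are all constructed; the rule generator only prints the ipfw commands rather than loading them.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the ipfw(8)
# rule syntax and the "ipfw: <rule> Deny TCP src:port dst:port in via if"
# syslog line format of FreeBSD 4.x; fxp0, rule numbers and all
# addresses below are constructed.

# Emit one logging deny rule per noisy TCP port, starting at rule $1 and
# stepping by 10. Because net.inet.ip.fw.verbose_limit is applied per
# rule, splitting the ports out keeps each port's log budget separate
# from the catch-all deny rule further down the ruleset.
scan_rules() {
    n=$1; shift
    for p in "$@"; do
        printf 'ipfw add %d deny log tcp from any to any %d in via fxp0\n' "$n" "$p"
        n=$((n + 10))
    done
}

# Constructed sample of ipfw log lines as they appear in /var/log/security.
SAMPLE_LOG='Aug  4 09:10:33 gaia /kernel: ipfw: 1000 Deny TCP 198.51.100.7:3521 192.0.2.10:6112 in via fxp0
Aug  4 09:12:01 gaia /kernel: ipfw: 1000 Deny TCP 203.0.113.9:1045 192.0.2.11:6112 in via fxp0
Aug  4 09:15:40 gaia /kernel: ipfw: 1000 Deny TCP 198.51.100.7:3522 192.0.2.12:6112 in via fxp0
Aug  4 09:20:12 gaia /kernel: ipfw: 1010 Deny TCP 203.0.113.44:2000 192.0.2.10:1524 in via fxp0
Aug  4 09:31:05 gaia /kernel: ipfw: 1000 Deny TCP 203.0.113.9:1046 192.0.2.13:6112 in via fxp0'

# Read ipfw deny lines on stdin and print "port hits distinct_sources"
# per destination port, sorted by port number. A high distinct-source
# count relative to hits is the signature of a widely sourced scan.
summarize() {
    awk '/ipfw: [0-9]+ Deny/ {
            split($10, s, ":"); split($11, d, ":")
            hits[d[2]]++
            key = d[2] SUBSEP s[1]
            if (!(key in seen)) { seen[key] = 1; src[d[2]]++ }
         }
         END { for (p in hits) printf "%s %d %d\n", p, hits[p], src[p] }' | sort -n
}

# Usage: print the rules for the ports named in the post, then the summary.
scan_rules 1000 6112 1524 17300 1433
printf '%s\n' "$SAMPLE_LOG" | summarize
```

The generator prints rather than runs the commands so the ruleset can be reviewed before being loaded; to apply it on a FreeBSD host, pipe the output into sh or paste it into the firewall script. The summary reads whatever ipfw log lines are given on stdin, so it can be pointed at the real security log instead of the constructed sample.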