From owner-freebsd-security Wed Nov 4 01:45:13 1998
Date: Wed, 4 Nov 1998 14:42:36 +0500 (KGT)
From: CyberPsychotic
Reply-To: fygrave@tigerteam.net
To: Alla Bezroutchko
cc: security@FreeBSD.ORG
Subject: Re: Is it an attack? Strange things logged by ipfw.
In-Reply-To: <363EBD86.74C9F6E2@sovlink.ru>

~
~ Nov 3 00:44:53 buddy /kernel: ipfw: 65534 Deny TCP a.b.c.d:50818
~ aaa.aaa.aaa.aaa:1333 in via ex0
~ Nov 3 01:12:51 buddy /kernel: ipfw: 65534 Deny TCP e.f.g.h:50818
~ aaa.aaa.aaa.aaa:1565 in via ex0
~ Nov 2 11:15:37 buddy /kernel: ipfw: 65534 Deny TCP i.j.k.l:50818
~ aaa.aaa.aaa.aaa:1725 in via ex0
~ Oct 20 04:20:03 buddy /kernel: ipfw: 65534 Deny TCP m.n.o.p:50818
[snip snip]
~
~ What stumbles me is why they all use the same source port.

Nothing special. You could bind locally to any port you want. It doesn't seem like probing either, since these ports aren't registered among the reserved port numbers. Could be some kind of trojan probin'.. yeah, but hardly.. trojans love to use port 31337 :-)). As someone already mentioned: nothing will help brain-damaged windoze machines.
:)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
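The thread argues that one source port showing up in many Deny entries is only interesting when it comes from several unrelated hosts. The following is an added example, not code from the thread: it parses the ipfw(8) syslog line format quoted above and reports TCP source ports reused by more than one source host. The log lines, addresses and function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ipfw syslog format quoted in the thread;
# addresses are documentation/private ranges, not real hosts.
SAMPLE_LOG = """\
Nov  3 00:44:53 buddy /kernel: ipfw: 65534 Deny TCP 10.0.0.1:50818 192.0.2.10:1333 in via ex0
Nov  3 01:12:51 buddy /kernel: ipfw: 65534 Deny TCP 10.0.0.2:50818 192.0.2.10:1565 in via ex0
Nov  2 11:15:37 buddy /kernel: ipfw: 65534 Deny TCP 10.0.0.3:50818 192.0.2.10:1725 in via ex0
Nov  2 11:16:02 buddy /kernel: ipfw: 65534 Deny TCP 10.0.0.4:31337 192.0.2.10:139 in via ex0
Nov  2 11:17:44 buddy /kernel: ipfw: 65534 Deny UDP 10.0.0.5:53 192.0.2.10:53 in via ex0
"""

# "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_ipfw(lines):
    """Yield one dict per ipfw log line; non-matching lines are skipped."""
    for line in lines:
        m = IPFW_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec

def source_port_reuse(lines, min_sources=2):
    """Map each denied TCP source port to the distinct source hosts and
    destination ports seen with it, keeping ports used by at least
    `min_sources` hosts.  One host re-using a port is ordinary (any local
    port can be bound); the same port from many hosts is what the poster saw."""
    hosts = defaultdict(set)
    dports = defaultdict(set)
    for rec in parse_ipfw(lines):
        if rec["action"] == "Deny" and rec["proto"] == "TCP":
            hosts[rec["sport"]].add(rec["src"])
            dports[rec["sport"]].add(rec["dport"])
    return {
        port: {"sources": sorted(h), "dst_ports": sorted(dports[port])}
        for port, h in hosts.items() if len(h) >= min_sources
    }

if __name__ == "__main__":
    for port, info in source_port_reuse(SAMPLE_LOG.splitlines()).items():
        print(f"sport {port}: {len(info['sources'])} hosts -> dst ports {info['dst_ports']}")
```

Feed it real `/var/log/security` lines to see whether a repeated source port is one chatty host or many, which is the distinction the reply draws.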