From owner-freebsd-security Mon Oct 11 2:51:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail0.mco.bellsouth.net (mail0.mco.bellsouth.net [205.152.48.12]) by hub.freebsd.org (Postfix) with ESMTP id 5C4DA14CE4 for ; Mon, 11 Oct 1999 02:51:13 -0700 (PDT) (envelope-from bertke@bellsouth.net)
Received: from bellsouth.net (adsl-78-196-151.sdf.bellsouth.net [216.78.196.151]) by mail0.mco.bellsouth.net (3.3.4alt/0.75.2) with ESMTP id FAA02803; Mon, 11 Oct 1999 05:51:29 -0400 (EDT)
Message-ID: <3801B35F.4451ED2F@bellsouth.net>
Date: Mon, 11 Oct 1999 09:52:31 +0000
From: bK
X-Mailer: Mozilla 4.61 [en] (X11; I; Linux 2.0.36 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: "N. N.M"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Port 31789 scanning and ...
References: <19991010073125.93991.qmail@hotmail.com> <199910102037.OAA11369@mt.sri.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

By default a traceroute uses 33435 as the first packet.

    "udp", IPPROTO_UDP, sizeof(struct udphdr), 32768 + 666, udp_prep, udp_check

It is initialized at 33434 but is incremented by one before being sent
to make 33435. Of course someone could use the -p option with
traceroute to alter the destination port.

OTOH straight from:
http://www.robertgraham.com/pubs/firewall-seen.html

31789 Hack-a-tack
UDP traffic on this port is currently being seen due to the
"Hack-a-tack" RAT (Remote Access Trojan).

Looks like some kiddies might be loose. As always keep your virus
software updated; it might not hurt to look at the data in the UDP
packets and research this trojan more.

Bert

Nate Williams wrote:
> 
> > 1) I have IPFW and by studying its daily logs I found out that somebody
> > scans the port 31789 of all the servers and even clients in my network. What
> > can be potentially found on this port?
> 
> If it's a UDP packet, it's probably someone running traceroute.
> 
> > 2) There was another log entry in the log files which makes no sense to me.
> > That is as follows:
> > 
> > Oct 9 23:21:43 firewall /kernel: ipfw: 147 Deny TCP Y.Y.Y.Y X.X.X.X in via
> > ed1 Fragment = 147
> 
> This happens with buggy stacks, and is common. I see it often from my
> Win95 boxes....
> 
> Nate
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
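As an added example (not code from Bert's message, from Nate's reply, or from FreeBSD), a small Python helper that applies the two points made above to a day's ipfw deny lines: UDP destination ports in the default traceroute probe range are marked as probable traceroute, port 31789 is marked as the Hack-a-tack port named above, and fragment entries (which carry no ports) are counted on their own. The "src:port dst:port" ipfw log layout, the 30-hop by 3-probe upper bound of the traceroute range, and the sample log lines are assumptions made for this example.

```python
import re
from collections import Counter

# Classic BSD traceroute: base port 32768 + 666 = 33434, bumped before each
# send, so probe 1 hits 33435 and later probes the next ports.  The upper
# bound assumes the usual 30 hops x 3 probes (-p, -m and -q all change it).
TRACEROUTE_BASE = 32768 + 666
TRACEROUTE_FIRST = TRACEROUTE_BASE + 1
TRACEROUTE_LAST = TRACEROUTE_BASE + 30 * 3

RAT_PORTS = {31789: "hack-a-tack"}  # port named in the message above

# Assumed ipfw layout: "ipfw: <rule> <action> <proto> <src>[:<port>]
# <dst>[:<port>] in|out via <iface>[ Fragment = <n>]".
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)(?: Fragment = (?P<frag>\d+))?"
)

def classify(line):
    """Return a short verdict for one ipfw log line, or None if unparsed."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    if m["frag"] is not None:
        # Non-first fragments carry no transport header, hence no ports:
        # the "buggy stack" case from the quoted reply, not a port scan.
        return "fragment"
    if m["dport"] is None:
        return "no-port"
    dport = int(m["dport"])
    if m["proto"] == "UDP":
        if dport in RAT_PORTS:
            return RAT_PORTS[dport]
        if TRACEROUTE_FIRST <= dport <= TRACEROUTE_LAST:
            return "traceroute"
    return "other"

def summarize(lines):
    """Count verdicts over a day's log so RAT probes stand out from noise."""
    return Counter(v for v in map(classify, lines) if v is not None)

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    "Oct 9 23:21:43 firewall /kernel: ipfw: 147 Deny TCP 198.51.100.7 192.0.2.1 in via ed1 Fragment = 147",
    "Oct 9 23:22:01 firewall /kernel: ipfw: 150 Deny UDP 198.51.100.7:4321 192.0.2.1:31789 in via ed1",
    "Oct 9 23:25:10 firewall /kernel: ipfw: 150 Deny UDP 203.0.113.9:55000 192.0.2.1:33435 in via ed1",
    "Oct 9 23:30:00 firewall /kernel: ipfw: 200 Deny TCP 203.0.113.9:1025 192.0.2.1:23 in via ed1",
]
```

Run `summarize()` over the real daily log instead of `SAMPLE_LOG`; a handful of "traceroute" hits per day is normal background, while many hosts seeing "hack-a-tack" on the same day is the sweep the original poster describes.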