From owner-freebsd-security Mon May 24 7:56:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id C5FF214E89 for ; Mon, 24 May 1999 07:56:20 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id AAA23607; Tue, 25 May 1999 00:26:15 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA32582; Tue, 25 May 1999 00:27:11 +0930
Date: Tue, 25 May 1999 00:27:11 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Kiril Mitev
Cc: Dag-Erling Smorgrav, greg@qmpgmc.ac.uk, freebsd-security@freebsd.org
Subject: Re: Server trying to connect to Port 113
In-Reply-To: <199905241422.PAA02615@idea.co.uk>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 24 May 1999, Kiril Mitev wrote:

> > "Greg Quinlan" writes:
> > > So will it affect anything by opening port 113? ...(getting 2000 or so log
> > > entries from the same server)
> >
> > Don't log, or at least, don't log connections to ports to which you
> > expect benign (if misguided) traffic, such as auth and the netbios
> > ports.
>
> I beg to disagree, any access attempt from 'outside' to any netbios
> ports are 99% indicative of a break-in attempt.

Windows machines like to attempt NetBIOS connections to remote machines in
the Internet under certain circumstances when you attempt a TCP/IP
connection. I think it's the fault of Internet Exploder mostly - usually
it's port 137, but port 138 and 139 are seen occasionally (they're other
NetBIOS control ports). I think it's trying to do a WINS lookup in parallel
with your TCP connection or something. I see lots of outgoing NetBIOS
packets on my network, not just incoming ones.
To be sure, there are a lot of forged or malign packets floating around as
well, but they're not all bad.

I don't know what the heck is wrong with the Windows TCP stack, BTW[1]. I
see all kinds of bizarre traffic outgoing from the machines on the LAN at
work (which isn't even that big). By far the strangest would have to be a
Lose'95 machine which likes to address its packets in reverse byte order:
4.3.2.1 for 1.2.3.4. Go figure :-)

Kris

[1] Rhetorical question.

-----
"Never criticize anybody until you have walked a mile in their shoes,
 because by that time you will be a mile away and have their shoes."
  -- Unknown
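The thread splits on whether denied connections to auth (113) and the NetBIOS ports (137-139) are worth logging: one side says stop logging them, the other says any outside NetBIOS hit is a break-in attempt. A middle path a practitioner would want is to keep the log but triage it: tag those expected ports as noise, count them separately, and use the remaining entries to spot a real scan (one source touching many distinct ports) rather than a mail server hammering port 113 two thousand times. The script below does that over ipfw-style deny lines. It is an added example, not code from the original message or from FreeBSD; the log lines are constructed for illustration and the exact ipfw field layout is assumed.

```python
"""Triage ipfw 'Deny' log lines: expected noise vs. entries worth a look.

Added example (not from the original thread). Sample log lines and the
ipfw line layout used by IPFW_RE are constructed/assumed for illustration.
"""
import re
from collections import Counter

# Ports the thread calls out as commonly benign (if misguided) probes.
NOISE_PORTS = {
    113: "auth/ident (a remote server checking who is connecting)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
}

# Assumed ipfw log shape:
#   ipfw: <rule> <Action> <proto> <src>:<sport> <dst>:<dport> in|out via <iface>
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample: one mail server repeating ident lookups, one Windows
# box doing NetBIOS, one host walking service ports, and one unrelated line.
SAMPLE_LOG = [
    "May 24 07:56:20 gw /kernel: ipfw: 300 Deny TCP 192.0.2.10:1025 198.51.100.5:113 in via fxp0",
    "May 24 07:56:21 gw /kernel: ipfw: 300 Deny TCP 192.0.2.10:1026 198.51.100.5:113 in via fxp0",
    "May 24 07:56:22 gw /kernel: ipfw: 300 Deny TCP 192.0.2.10:1027 198.51.100.5:113 in via fxp0",
    "May 24 07:57:01 gw /kernel: ipfw: 300 Deny UDP 203.0.113.7:137 198.51.100.5:137 in via fxp0",
    "May 24 07:57:02 gw /kernel: ipfw: 300 Deny TCP 203.0.113.7:1033 198.51.100.5:139 in via fxp0",
    "May 24 07:58:10 gw /kernel: ipfw: 300 Deny TCP 203.0.113.99:40001 198.51.100.5:21 in via fxp0",
    "May 24 07:58:10 gw /kernel: ipfw: 300 Deny TCP 203.0.113.99:40002 198.51.100.5:22 in via fxp0",
    "May 24 07:58:10 gw /kernel: ipfw: 300 Deny TCP 203.0.113.99:40003 198.51.100.5:23 in via fxp0",
    "May 24 07:58:11 gw /kernel: ipfw: 300 Deny TCP 203.0.113.99:40004 198.51.100.5:25 in via fxp0",
    "May 24 07:58:11 gw /kernel: ipfw: 300 Deny TCP 203.0.113.99:40005 198.51.100.5:80 in via fxp0",
    "May 24 07:58:11 gw /kernel: ipfw: 300 Deny TCP 203.0.113.99:40006 198.51.100.5:110 in via fxp0",
    "May 24 07:59:00 gw sshd[123]: Connection closed by 192.0.2.10",
]


def parse_line(line):
    """Return a dict of fields for an ipfw deny line, or None if it isn't one."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """'noise' for the thread's expected ports, 'review' for everything else."""
    return "noise" if rec["dport"] in NOISE_PORTS else "review"


def scan_suspects(records, min_ports=5):
    """Sources hitting >= min_ports distinct non-noise ports look like a scan.

    A single server repeating one port (the 2000 ident entries in the thread)
    never trips this, however many lines it produces.
    """
    ports_by_src = {}
    for rec in records:
        ports_by_src.setdefault(rec["src"], set()).add(rec["dport"])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


def summarise(lines, min_ports=5):
    """Count noise/review/unparsed lines, noise per port, and scan suspects."""
    counts = Counter()
    noise_by_port = Counter()
    review = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        kind = classify(rec)
        counts[kind] += 1
        if kind == "noise":
            noise_by_port[rec["dport"]] += 1
        else:
            review.append(rec)
    return {
        "counts": dict(counts),
        "noise_by_port": dict(noise_by_port),
        "review": review,
        "suspects": scan_suspects(review, min_ports),
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    print("line counts:", result["counts"])
    for port, n in sorted(result["noise_by_port"].items()):
        print(f"  port {port:3d} x{n}: {NOISE_PORTS[port]}")
    print("scan suspects:", result["suspects"])
```

Run against a real log with `summarise(open("/var/log/security").read().splitlines())`. If the noise counts dominate and nothing else is learned from them, the thread's "don't log" advice can be applied selectively: place non-logging deny rules for 113 and 137-139 ahead of the catch-all logging deny rule, so the remaining log is small enough that a multi-port source actually stands out.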