[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <004d01c43055$3ae5d230$0100a8c0@cparena1consol>
From: lee at seethrusec.co.uk (lee@...thrusec.co.uk)
Subject: A rather newbie question
Like anything its all about what you may have or what they want, your logs
show a few different ports but port 60096 stands out.
I get these logs all day and get hit all day, whats systems do you use? what
bandwidth have you got? are you actually seeing a degrade in browsing
performance? you may just be a random product of the NET like the rest of
us.
Tell us a little more about your system. as far as nmap-ing well, didnt know
that was illegal depends on your country,
here info from port 60096 anyways, hope it helps you.
Port number: 60096
Common name(s): client-port on Red Hat Linux 9.0, Fedora Core 1, Red Hat
Enterprise 3
Common service(s): client
Service description(s): Outgoing client connections from systems.
Common server(s): RPC based services, Windows Messaging Service.
Common client(s): All client software (SSH, Web clients, etc.)
Common problem(s): Insecure client software
Encrypted options: Not applicable
Secure options: Not applicable
Firewalling recommendations: Block inbound connections to client ports,
allow outgoing connections and returning packets (keep state)
Attack detection: As a general rule data coming in to client ports that is
not part of an established connection is likely an attack. Exceptions exist
of course, such as FTP, various instant messenger protocols, file sharing
protocols, IRC's DCC, and so on.
Related ports: 32768 and other client ports
Related URL(s):
http://seifried.org/security/os/linux/20011005-linux-port-behavior.html
Other notes: Port 32768 is the first port used by the operating system for
outbound connections, thus it is likely you will see outbound connections
from port 32768 and up. If you run netstat on Red Hat Linux or UNIX you will
see something like:
[root@...ky web]# netstat -vatn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 10.2.3.4:32768 10.3.4.5:22
ESTABLISHED
tcp 0 0 10.2.3.4:32769 10.9.3.4:80
ESTABLOSHED
Lee @ STS
http://www.seethrusec.co.uk
Building Knowledge and Security..
----- Original Message -----
From: "Schmidt, Michael R." <Michael.Schmidt@...obile.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Sunday, May 02, 2004 8:41 AM
Subject: [Full-Disclosure] A rather newbie question
> If someone could take a quick look through my log file - it is very simple
and shows a bazillion requests that are being bounced off my firewall. I
would really appreciate it. My ISP didn't care and didn't respond when I
let him know about all this traffic that was wasting MY bandwidth. And then
they were upset when I nmapped back to a few addresses and hit some upstream
providers router - oh well, live and learn. They told me they would
terminate my contract if I kept that up. Hey I was just trying to find out
who the freaks were that are constantly attacking MY network.
> Anyway, what I am looking for is confirmation that even though I may be
new - I am not losing my brains or paranoid, thanks.
> I have updated all my systems to the latest patch version - but I'll tell
you, it is the users inside the firewall that cause the most problems. All
our machines have antivirus, all have antispyware, but they are used by my
kids and sometimes their friends, and therein lies the problem, but hanging
out in the background with you guys has opened my eyes to the craziness out
there. How is a "normal" citizen supposed to keep their computer safe on
the Internet? I don't think it is possible.
>
>
Powered by blists - more mailing lists