lists.openwall.net
Open Source and information security mailing list archives
From: lee at seethrusec.co.uk (lee@...thrusec.co.uk)
Subject: A rather newbie question

Like anything, it's all about what you may have or what they want. Your logs show a few different ports, but port 60096 stands out. I get these logs all day and get hit all day. What systems do you use? What bandwidth have you got? Are you actually seeing a degrade in browsing performance? You may just be a random product of the NET like the rest of us. Tell us a little more about your system.

As far as nmap-ing, well, didn't know that was illegal; depends on your country. Here's info for port 60096 anyway, hope it helps you.

Port number: 60096
Common name(s): client-port on Red Hat Linux 9.0, Fedora Core 1, Red Hat Enterprise 3
Common service(s): client
Service description(s): Outgoing client connections from systems.
Common server(s): RPC based services, Windows Messaging Service.
Common client(s): All client software (SSH, Web clients, etc.)
Common problem(s): Insecure client software
Encrypted options: Not applicable
Secure options: Not applicable
Firewalling recommendations: Block inbound connections to client ports, allow outgoing connections and returning packets (keep state)
Attack detection: As a general rule, data coming in to client ports that is not part of an established connection is likely an attack. Exceptions exist of course, such as FTP, various instant messenger protocols, file sharing protocols, IRC's DCC, and so on.
Related ports: 32768 and other client ports
Related URL(s): http://seifried.org/security/os/linux/20011005-linux-port-behavior.html
Other notes: Port 32768 is the first port used by the operating system for outbound connections, thus it is likely you will see outbound connections from port 32768 and up.

If you run netstat on Red Hat Linux or UNIX you will see something like:

    [root@...ky web]# netstat -vatn
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
    tcp        0      0 10.2.3.4:32768          10.3.4.5:22             ESTABLISHED
    tcp        0      0 10.2.3.4:32769          10.9.3.4:80             ESTABLISHED

Lee @ STS
http://www.seethrusec.co.uk
Building Knowledge and Security..

----- Original Message -----
From: "Schmidt, Michael R." <Michael.Schmidt@...obile.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Sunday, May 02, 2004 8:41 AM
Subject: [Full-Disclosure] A rather newbie question

> If someone could take a quick look through my log file - it is very simple and shows a bazillion requests that are being bounced off my firewall. I would really appreciate it. My ISP didn't care and didn't respond when I let him know about all this traffic that was wasting MY bandwidth. And then they were upset when I nmapped back to a few addresses and hit some upstream provider's router - oh well, live and learn. They told me they would terminate my contract if I kept that up. Hey, I was just trying to find out who the freaks were that are constantly attacking MY network.
>
> Anyway, what I am looking for is confirmation that even though I may be new - I am not losing my brains or paranoid. Thanks.
>
> I have updated all my systems to the latest patch version - but I'll tell you, it is the users inside the firewall that cause the most problems. All our machines have antivirus, all have antispyware, but they are used by my kids and sometimes their friends, and therein lies the problem. But hanging out in the background with you guys has opened my eyes to the craziness out there. How is a "normal" citizen supposed to keep their computer safe on the Internet? I don't think it is possible.
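The client-port rule Lee quotes above (a packet arriving at an ephemeral port that is not part of an established connection is probably a probe, with a few protocol exceptions) can be applied mechanically to a netstat snapshot and a firewall log. The script below is an added example written for this archive page; it is not code from either message in the thread, and the netstat text, log lines and addresses in it are constructed for illustration rather than taken from the original poster's log. It assumes an iptables-style log format (SRC=/DST=/SPT=/DPT= fields plus TCP flag names) and the Linux default ephemeral range of 32768-60999 (sysctl net.ipv4.ip_local_port_range; Red Hat 9-era 2.4 kernels used 32768-61000, which contains 60096 either way). One refinement beyond the mail: a bare SYN at a client port is ranked as suspicious, while a lone ACK or RST with no matching connection is only marked as stray, because it may just be a late packet from a connection the host already closed.

```python
"""Apply the client-port rule from the thread above to netstat output and
firewall log lines.  Added example for this archive page; every input below
is constructed for illustration, not taken from the original poster's log."""
import re

# Linux ephemeral ("client") port range.  Assumption: 32768-60999 is the
# modern default (net.ipv4.ip_local_port_range); read it from the real host.
EPHEMERAL_RANGE = (32768, 60999)

# Constructed `netstat -atn` output, modelled on the snippet quoted in the mail.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.2.3.4:32768          10.3.4.5:22             ESTABLISHED
tcp        0      0 10.2.3.4:32769          10.9.3.4:80             ESTABLISHED
"""

# Constructed firewall log lines in a simplified iptables LOG style.
FIREWALL_LOG = """\
May  2 08:40:01 fw kernel: IN=eth0 SRC=10.3.4.5 DST=10.2.3.4 PROTO=TCP SPT=22 DPT=32768 ACK
May  2 08:40:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.2.3.4 PROTO=TCP SPT=6000 DPT=60096 SYN
May  2 08:40:03 fw kernel: IN=eth0 SRC=203.0.113.9 DST=10.2.3.4 PROTO=TCP SPT=40000 DPT=80 SYN
May  2 08:40:04 fw kernel: IN=eth0 SRC=192.0.2.5 DST=10.2.3.4 PROTO=TCP SPT=1234 DPT=33333 SYN
May  2 08:40:05 fw kernel: IN=eth0 SRC=10.9.3.4 DST=10.2.3.4 PROTO=TCP SPT=80 DPT=32770 ACK
"""

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=(\d+) DPT=(\d+)")


def parse_netstat(text):
    """Return (listening ports, established 4-tuples) from netstat -atn output."""
    listeners, established = set(), set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue  # header lines, blank lines, non-TCP sockets
        l_ip, l_port = fields[3].rsplit(":", 1)
        f_ip, f_port = fields[4].rsplit(":", 1)
        if fields[5] == "LISTEN":
            listeners.add(int(l_port))
        elif fields[5] == "ESTABLISHED":
            established.add((l_ip, int(l_port), f_ip, int(f_port)))
    return listeners, established


def parse_log(text):
    """Extract src/dst/ports from each log line and note whether it is a bare SYN."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        flags = set(re.findall(r"\b(SYN|ACK|RST|FIN)\b", line))
        entries.append({
            "src": m.group(1), "dst": m.group(2),
            "spt": int(m.group(3)), "dpt": int(m.group(4)),
            "syn_only": flags == {"SYN"},
        })
    return entries


def classify(entry, listeners, established):
    """Label one inbound packet using the client-port rule from the mail."""
    dpt = entry["dpt"]
    if dpt in listeners:
        return "service"       # aimed at a port this host deliberately serves
    if (entry["dst"], dpt, entry["src"], entry["spt"]) in established:
        return "established"   # return traffic of our own outbound connection
    if EPHEMERAL_RANGE[0] <= dpt <= EPHEMERAL_RANGE[1]:
        # A fresh SYN at a client port is unsolicited; a lone ACK/RST may just
        # be a late packet from a connection already closed, so rank it lower.
        return "suspicious" if entry["syn_only"] else "stray"
    return "probe"             # unsolicited packet to a non-listening server port


def find_suspicious(netstat_text, log_text):
    """Return (src, dpt) for every unsolicited SYN aimed at a client port."""
    listeners, established = parse_netstat(netstat_text)
    return [(e["src"], e["dpt"]) for e in parse_log(log_text)
            if classify(e, listeners, established) == "suspicious"]


if __name__ == "__main__":
    for src, dpt in find_suspicious(NETSTAT_SAMPLE, FIREWALL_LOG):
        print(f"unsolicited SYN to client port {dpt} from {src}")
```

Run against the constructed inputs it reports the SYNs to 60096 and 33333 and stays quiet about the ACK to 32768, which matches the established SSH connection, and about the SYN to port 80, which is a listening service. The FTP, instant-messenger and DCC exceptions Lee mentions would be handled by adding those expected inbound ports to the listeners set before classifying. Note that netstat is a snapshot, so a log line from a connection that has since closed will show up as "stray"; a stateful firewall (the "keep state" recommendation above) tracks this correctly in real time, and the script is a way to read a log after the fact, not a replacement for such rules.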