Hey all,

Quick question, every once in a while (via portsentry) I see the following appear in /var/log/messages:

May 20 13:34:25 pipedream kernel: Packet log: input DENY eth0 PROTO=6 203.133.11.2:1543 xxx.xxx.xx.xxx:111 L=60 S=0x00 I=41515 F=0x4000 T=47 SYN (#66)
May 20 14:08:05 pipedream kernel: Packet log: input DENY eth0 PROTO=6 136.145.187.100:1442 xx.xx.xxx.xxx:111 L=60 S=0x00 I=40735 F=0x4000 T=49 SYN (#66)

It's being denied, but am I right in believing that's port 66, which is for Oracle SQL? Or is it something else? The other ones I see are 11, and occasionally 69. I only get maybe a few of these a day, similar addresses each day, but nothing else from them; no other probes or queries show up. I checked the addresses and they're definitely not my DHCP server or servers I've used.

-- 
S.Toms - smotrs@mindspring.com - www.mindspring.com/~smotrs
SuSE Linux v7.0+ - Kernel 2.2.18
Hacker's Law: The belief that enhanced understanding will necessarily stir a nation to action is one of mankind's oldest illusions.
No, the port here is 111, which is portmap. Someone is trying to get to your sunrpc services, and they're being denied. Perfectly normal, I get about two dozen of those a day.

Regards
Anders

On Wednesday 23 May 2001 20:01, S.Toms wrote:
Hey all, Quick question, every once in a while (via portsentry) I see the following appear in /var/log/messages
May 20 13:34:25 pipedream kernel: Packet log: input DENY eth0 PROTO=6 203.133.11.2:1543 xxx.xxx.xx.xxx:111 L=60 S=0x00 I=41515 F=0x4000 T=47 SYN (#66)
May 20 14:08:05 pipedream kernel: Packet log: input DENY eth0 PROTO=6 136.145.187.100:1442 xx.xx.xxx.xxx:111 L=60 S=0x00 I=40735 F=0x4000 T=49 SYN (#66)
It's being denied, but am I right in believing that's port 66, which is for Oracle SQL? Or is it something else? The other ones I see are 11, and occasionally 69. I only get maybe a few of these a day, similar addresses each day, but nothing else from them; no other probes or queries show up. I checked the addresses and they're definitely not my DHCP server or servers I've used.
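The confusion in the thread comes from reading the ipchains log fields out of order: the destination port is the number after the second address, and "(#66)" is the firewall rule that matched. The parser below is an added example (not from any poster) that splits the kernel "Packet log" line into its fields and tallies denied packets per destination port; the service names are the ones quoted in this thread, and the two sample lines are the ones from the original post.

```python
import re
from collections import Counter

# Field layout of a Linux 2.2 ipchains "Packet log" kernel message.
# The trailing "(#NN)" is the matching rule number, not a port.
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)

# Destination ports discussed in this thread, per /etc/services and firewall-seen.
KNOWN_PORTS = {11: "sysstat", 69: "tftp", 111: "sunrpc/portmap"}

# Constructed sample input: the two lines from the original post.
SAMPLE_LOG = [
    "May 20 13:34:25 pipedream kernel: Packet log: input DENY eth0 PROTO=6 "
    "203.133.11.2:1543 xxx.xxx.xx.xxx:111 L=60 S=0x00 I=41515 F=0x4000 T=47 SYN (#66)",
    "May 20 14:08:05 pipedream kernel: Packet log: input DENY eth0 PROTO=6 "
    "136.145.187.100:1442 xx.xx.xxx.xxx:111 L=60 S=0x00 I=40735 F=0x4000 T=49 SYN (#66)",
]


def parse_packet_log(line):
    """Return the fields of one ipchains Packet log line as a dict, or None."""
    m = PACKET_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"].split()          # e.g. ["SYN"]
    rec["service"] = KNOWN_PORTS.get(rec["dport"], "unknown")
    return rec


def summarize_denied(lines):
    """Count DENY entries per (destination port, service) across many lines."""
    counts = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["verdict"] == "DENY":
            counts[(rec["dport"], rec["service"])] += 1
    return counts
```

Running `summarize_denied(SAMPLE_LOG)` over the two posted lines gives two denied probes against port 111 (portmap), with source ports 1543 and 1442 and rule #66 doing the denying.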
On Wed, 23 May 2001, Anders Johansson wrote:

aj> No, the port here is 111, which is portmap. Someone is trying to get to your
aj> sunrpc services, and they're being denied. Perfectly normal, I get about two
aj> dozen of those a day.
aj>

That's right, I forgot the port comes after the address, my stupid. Thanks for the reminder :)

aj> Regards
aj> Anders
aj>
aj> On Wednesday 23 May 2001 20:01, S.Toms wrote:
aj> > Hey all,
aj> > Quick question, every once in a while (via portsentry) I see the
aj> > following appear in /var/log/messages
aj> >
aj> > May 20 13:34:25 pipedream kernel: Packet log: input DENY eth0 PROTO=6
aj> > 203.133.11.2:1543 xxx.xxx.xx.xxx:111 L=60 S=0x00 I=41515 F=0x4000 T=47 SYN
aj> > (#66) May 20 14:08:05 pipedream kernel: Packet log: input DENY eth0 PROTO=6
aj> > 136.145.187.100:1442 xx.xx.xxx.xxx:111 L=60 S=0x00 I=40735 F=0x4000 T=49
aj> > SYN (#66)
aj>

-- 
S.Toms - smotrs@mindspring.com - www.mindspring.com/~smotrs
SuSE Linux v7.0+ - Kernel 2.2.18
Feel disillusioned? I've got some great new illusions ...
* S.Toms
Hey all, Quick question, every once in a while (via portsentry) I see the following appear in /var/log/messages
May 20 13:34:25 pipedream kernel: Packet log: input DENY eth0 PROTO=6 203.133.11.2:1543 xxx.xxx.xx.xxx:111 L=60 S=0x00 I=41515 F=0x4000 T=47 SYN (#66)
May 20 14:08:05 pipedream kernel: Packet log: input DENY eth0 PROTO=6 136.145.187.100:1442 xx.xx.xxx.xxx:111 L=60 S=0x00 I=40735 F=0x4000 T=49 SYN (#66)
It's being denied, but am I right in believing that's port 66, which is for Oracle SQL? Or is it something else? The other ones I see are 11, and occasionally 69. I only get maybe a few of these a day, similar addresses each day, but nothing else from them; no other probes or queries show up.
Excuse me, but the only thing I see here is 203.133.11.2, from source port 1543, trying to reach your IP on destination port 111, which according to /etc/services is a sunrpc request. AFAIK requests to port 111 are very common. Unless you have entries in your logs for other ports, as you say, there may be other probes, but this is clearly an rpc request. Good that you are denying it.

-- 
Togan Muftuoglu
On Wed, 23 May 2001, Togan Muftuoglu wrote:
tm> * S.Toms
On Wed, 23 May 2001, S.Toms wrote:
The other ones I see is 11, and occasionally 69
in firewall_forensics Version 0.4.1, June 20, 2000
http://www.robertgraham.com/pubs/firewall-seen.html
Copyright 1998-2000 by Robert Graham (firewall-seen@robertgraham.com)
_____________________________________________

11 sysstat
This is a UNIX service that will list all the running processes on a machine and who started them. This gives an intruder a huge amount of information that might be used to compromise the machine, such as indicating programs with known vulnerabilities or user accounts. It is similar to the contents that can be displayed with the UNIX "ps" command. ICMP doesn't have ports; if you see something that says "ICMP port 11", you probably want ICMP type=11.

69 TFTP (over UDP)
Many servers support this protocol in conjunction with BOOTP in order to download boot code to the system. However, they are frequently misconfigured to provide any file from the system, such as password files. They can also be used to write files to the system.

111 sunrpc portmap rpcbind
Sun RPC PortMapper/RPCBIND. Access to portmapper is the first step in scanning a system looking for all the RPC services enabled, such as rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. If the intruder finds the appropriate service enabled, s/he will then run an exploit against the port where the service is running. Note that by putting a logging daemon, IDS, or sniffer on the wire, you can find out what programs the intruder is attempting to access in order to figure out exactly what is going on.
____________________________

Where to get a more complete list of port info:
ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers - "Assigned Numbers" RFC, the official source for port assignments.
http://advice.networkice.com/advice/Exploits/Ports/ - Database of port numbers, hyper-linked to various exploits on those port numbers.
__________________________________

best wishes
-- 
____________ sent on Linux ___________
participants (4): Anders Johansson, S.Toms, tabanna, Togan Muftuoglu