On 11-Feb-01 Kevin Creason wrote:
I ran 'lsof -i TCP:1243' and on port 2516, but nothing is currently using or listening on those ports.
Feb 10 18:45:08 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48222 F=0x0000 T=44 SYN (#51) Feb 10 18:45:09 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48254 F=0x0000 T=44 SYN (#51) Feb 10 18:45:10 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48288 F=0x0000 T=44 SYN (#51)
What does it mean that the firewall accepted a syn packet HSE-Kitchener-ppp233156.sympatico.ca? And is the L or the T signify the protocol line? Anyway-- does this correspond to this: (/etc/protocols) ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6
And since I'm not running IPv6, what is the scanner attempting to do me? I've seen this network on my box before. Are they a known bunch of id10t's?
Port 1243 is known to be used by trojan horses like BackDoor-G, SubSeven
Apocalypse and Tiles. Refer to www.simovits.com for a list of well known
trojans and their preferred ports.
As these are windows trojans your nodes may not be affected if they all run
Linux/Unix, but you would be better off closing these and other ports by
implementing decent firewalling, say via the SuSE firewall or some other
useable scripts.
---
Boris Lorenz