On Wed, 23 May 2001, S.Toms wrote:
> The other ones I see are 11, and occasionally 69
in firewall_forensics
Version 0.4.1, June 20, 2000
http://www.robertgraham.com/pubs/firewall-seen.html
Copyright 1998-2000 by Robert Graham (firewall-seen@robertgraham.com).
_____________________________________________

11 sysstat
This is a UNIX service that will list all the running processes on a machine and who started them. This gives an intruder a huge amount of information that might be used to compromise the machine, such as indicating programs with known vulnerabilities or user accounts. It is similar to the contents that can be displayed with the UNIX "ps" command.

ICMP doesn't have ports; if you see something that says "ICMP port 11", you probably want ICMP type=11.

69 TFTP (over UDP).
Many servers support this protocol in conjunction with BOOTP in order to download boot code to the system. However, they are frequently misconfigured to provide any file from the system, such as password files. They can also be used to write files to the system.

111 sunrpc portmap rpcbind
Sun RPC PortMapper/RPCBIND. Access to portmapper is the first step in scanning a system looking for all the RPC services enabled, such as rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. If the intruder finds the appropriate service enabled, s/he will then run an exploit against the port where the service is running. Note that by putting a logging daemon, IDS, or sniffer on the wire, you can find out what programs the intruder is attempting to access in order to figure out exactly what is going on.
____________________________

Where to get a more complete list of port info:

ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
"Assigned Numbers" RFC, the official source for port assignments.

http://advice.networkice.com/advice/Exploits/Ports/
Database of port numbers, hyper-linked to various exploits on those port numbers.
__________________________________

best wishes
--
____________ sent on Linux ___________
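
The port notes quoted above can be applied directly to firewall log triage. The following is an added example, not part of the original message or of Robert Graham's document: it labels hits on ports 11, 69 and 111 per source address and treats an "ICMP port 11" entry as ICMP type 11. The key=value log format, the field names and the addresses are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Notes condensed from the port descriptions quoted in the message above.
PORT_NOTES = {
    ("TCP", 11): "sysstat: process list and owners exposed",
    ("UDP", 69): "TFTP: may serve or accept arbitrary files",
    ("TCP", 111): "portmapper: RPC service enumeration",
    ("UDP", 111): "portmapper: RPC service enumeration",
}
ICMP_NOTES = {11: "ICMP type 11 (time exceeded), not a port"}
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines (assumed key=value format, documentation addresses).
SAMPLE_LOG = [
    "May 23 10:01:02 fw: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=111",
    "May 23 10:01:03 fw: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=40113 DPT=69",
    "May 23 10:01:05 fw: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=11",
    "May 23 10:01:09 fw: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=ICMP DPT=11",
    "May 23 10:01:10 fw: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80",
]

def classify(line):
    """Return (source, note) for a line of interest, else None."""
    f = dict(FIELD.findall(line))
    proto = f.get("PROTO", "").upper()
    if proto == "ICMP":
        # ICMP has no ports: a logger that prints "port 11" means type 11.
        raw = f.get("TYPE") or f.get("DPT")
        table, key = ICMP_NOTES, (int(raw) if raw and raw.isdigit() else None)
    else:
        raw = f.get("DPT")
        table, key = PORT_NOTES, ((proto, int(raw)) if raw and raw.isdigit() else None)
    note = table.get(key)
    return (f.get("SRC", "?"), note) if note else None

def summarize(lines):
    """Count notable probes per source address."""
    hits = defaultdict(Counter)
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]][result[1]] += 1
    return hits

if __name__ == "__main__":
    for src, notes in summarize(SAMPLE_LOG).items():
        for note, count in notes.items():
            print(f"{src}: {note} x{count}")
```
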