I see the firewall logs dropping packages to ports that are not even listed in /etc/services, so I assume they are some kind of worm, exploit, or whatever trying to communicate with a pal program, or whatever they do. So, just for curiosity's sake... Is there an easy way of knowing what they are trying to do? I mean, is there some web page, for example, that somehow documents what the attempts to connect to those ports are trying to do? The name of the worm, exploit, hack, whatever, dangers, etc.? For example, different IPs are trying me on port 4242, others on 5327, or 4662. What are they?
-- Cheers, Carlos Robinson
Carlos E. R. wrote:
Is there an easy way of knowing what are they trying to do?
Open the port(s) and use netcat to see what the connection tries to do e.g. netcat -l -p 4242
For example, different IPs are trying me on port 4242, others on 5327, or 4662. What are they?
These could be anything... 4242 gets used a lot for all kinds of things; my Zaurus listens on 4242 for FTP connections.
sjb
Carlos E. R. wrote:
Is there an easy way of knowing what are they trying to do?
Maybe ~ FAQ: Firewall Forensics (What am I seeing?) http://www.robertgraham.com/pubs/firewall-seen.html
best wishes
sent on Linux
----- Original Message -----
From: "Carlos E. R."
I see the firewall logs dropping packages to ports that are not even listed in /etc/services, so I assume they are some kind of worm, exploit, or whatever trying to communicate with a pal program, or whatever they do.
So, just for curiosity's sake...
Is there an easy way of knowing what they are trying to do? I mean, is there some web page, for example, that somehow documents what the attempts to connect to those ports are trying to do? The name of the worm, exploit, hack, whatever, dangers, etc.?
For example, different IPs are trying me on port 4242, others on 5327, or 4662. What are they?
These ports are likely to be used by p2p software like KaZaA, eDonkey, eMule, Overnet... For instance, port 4662 is for eDonkey and eMule users. Don't worry about it; they only test if your port is open for p2p. In my firewall I only allow the ports I need.
Catimimi.
-- Cheers, Carlos Robinson
The 03.04.23 at 11:28, Catimimi wrote:
First, thanks to all that answered.
These ports are likely to be used by p2p software like KaZaA, eDonkey, eMule, Overnet... For instance, port 4662 is for eDonkey and eMule users. Don't worry about it; they only test if your port is open for p2p.
I don't worry: I'm just curious to know what they are trying to access. I get more curious when I see a fixed IP number (with reverse DNS working, i.e., a real name) trying the same port every day: 5327.
In my firewall I only allow the ports I need.
Me too :-)
-- Cheers, Carlos Robinson
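The question running through the thread is how to turn a pile of firewall drop lines into something readable: how many hits each port gets, what the port is known for, and which source keeps coming back on the same port day after day (the "fixed IP, same port every day: 5327" case above). The script below is an added example written for this thread; it is not code from any of the posters. The log lines are constructed in the usual netfilter/iptables layout (SRC=, PROTO=, DPT=), the port annotation for 4662 is the one Catimimi gave, the 4242 annotation is an assumption, and the /etc/services parser assumes the standard "name port/proto" format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of netfilter/iptables drop lines (not from the original thread).
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Apr 21 03:12:44 host kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3421 DPT=5327
Apr 21 09:50:01 host kernel: DROP IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=4662
Apr 22 03:13:02 host kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3422 DPT=5327
Apr 22 14:02:19 host kernel: DROP IN=ppp0 OUT= SRC=192.0.2.33 DST=198.51.100.5 PROTO=TCP SPT=2200 DPT=4242
Apr 23 03:12:58 host kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3423 DPT=5327
Apr 23 11:40:07 host kernel: DROP IN=ppp0 OUT= SRC=192.0.2.91 DST=198.51.100.5 PROTO=TCP SPT=4100 DPT=4662
"""

# syslog date, time, hostname, "kernel:", the rule's log prefix, then the netfilter fields we need
LINE_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+(?P<action>\S+)"
    r".*?\bSRC=(?P<src>\S+).*?\bPROTO=(?P<proto>\S+).*?\bDPT=(?P<dpt>\d+)"
)

# Port annotations: 4662 is what the thread says; 4242 is an assumption for illustration.
KNOWN_PORTS = {
    4662: "eDonkey/eMule (per thread)",
    4242: "used by many unrelated programs (assumption)",
}


def parse_log(text):
    """Return one dict per line that matches the netfilter layout; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["dpt"] = int(rec["dpt"])
        records.append(rec)
    return records


def hits_per_port(records):
    """Count dropped packets per destination port."""
    return Counter(r["dpt"] for r in records)


def describe_port(port, services=None):
    """Annotate a port from the thread's table, then from a services table, else 'unknown'."""
    if port in KNOWN_PORTS:
        return KNOWN_PORTS[port]
    if services and port in services:
        return services[port]
    return "unknown"


def persistent_sources(records, min_days=2):
    """Source/port pairs seen on at least min_days distinct days.
    A single IP probing the same port daily deserves a closer look than one-off scans."""
    days = defaultdict(set)
    for r in records:
        days[(r["src"], r["dpt"])].add(r["date"])
    return {k: sorted(v) for k, v in days.items() if len(v) >= min_days}


def load_services(path="/etc/services"):
    """Parse /etc/services into {port: name}; returns {} if the file is missing.
    Assumes the standard 'name  port/proto  [aliases]  # comment' format."""
    table = {}
    try:
        with open(path) as fh:
            for line in fh:
                parts = line.split("#", 1)[0].split()
                if len(parts) >= 2 and "/" in parts[1]:
                    port_str = parts[1].split("/", 1)[0]
                    if port_str.isdigit():
                        table.setdefault(int(port_str), parts[0])
    except OSError:
        pass
    return table


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    services = load_services()
    for port, n in hits_per_port(recs).most_common():
        print(f"port {port}: {n} drops ({describe_port(port, services)})")
    for (src, port), dates in persistent_sources(recs).items():
        print(f"{src} -> port {port} on {len(dates)} days: {', '.join(dates)}")
```

Run it against your own log (replace SAMPLE_LOG with the file contents, or pipe `grep DROP /var/log/messages` into it) and the output is the two views the thread asks for: a ranked list of ports with whatever name is known for them, and the short list of sources that return to the same port on several days. Ports that stay "unknown" after /etc/services are the ones worth looking up in the firewall-forensics FAQ or on dshield.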
On 04/23/2003 10:26 AM, Carlos E. R. wrote:
I see the firewall logs dropping packages to ports that are not even listed on /etc/services, so I assume they are some kind of worm, exploit, or whatever trying to communicate with a pal program, or whatever they do.
So, just for curiosity sake...
Is there an easy way of knowing what are they trying to do?
Check out www.dshield.org.
-- Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Web Address: http://www.mydestiny.net/~joe_morris
Registered Linux user 231871
God said, I AM that I AM. I say, by the grace of God, I am what I am.
participants (5)
- Carlos E. R.
- Catimimi
- Joe Morris (NTM)
- pinto
- sjb