Mailinglist Archive: opensuse-security (636 mails)

RE: [suse-security] What are these?
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Mon, 12 Feb 2001 12:37:21 +0100 (MET)
  • Message-id: <XFMail.010212123721.bolo@xxxxxxx>

On 11-Feb-01 Kevin Creason wrote:
> I ran 'lsof -i TCP:1243' and on port 2516, but nothing is currently using or
> listening on those ports.
>
> Feb 10 18:45:08 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6
> 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48222 F=0x0000 T=44 SYN
> (#51)
> Feb 10 18:45:09 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6
> 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48254 F=0x0000 T=44 SYN
> (#51)
> Feb 10 18:45:10 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6
> 64.230.156.35:2516 <ISP-given IP>:1243 L=44 S=0x00 I=48288 F=0x0000 T=44 SYN
> (#51)
>
>
> What does it mean that the firewall accepted a SYN packet from
> HSE-Kitchener-ppp233156.sympatico.ca?
> And does the L or the T signify the protocol line? Anyway -- does this
> correspond to this: (/etc/protocols)
> ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6
>
> And since I'm not running IPv6, what is the scanner attempting to do to me? I've
> seen this network on my box before. Are they a known bunch of id10t's?

Port 1243 is known to be used by trojan horses like BackDoor-G, SubSeven
Apocalypse and Tiles. Refer to www.simovits.com for a list of well known
trojans and their preferred ports.

As these are Windows trojans your nodes may not be affected if they all run
Linux/Unix, but you would be better off closing these and other ports by
implementing decent firewalling, say via the SuSE firewall or some other
usable scripts.

---
Boris Lorenz <bolo@xxxxxxx>
System Security Admin *nix - *nux
---
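As an added example (not part of the original thread), a small Python parser for the ipchains "Packet log:" lines quoted above. Per the ipchains HOWTO, PROTO= carries the IP protocol number (6 is tcp in /etc/protocols, so neither L nor T refers to that file), L= is the total packet length, S= the TOS byte, I= the IP id, F= the fragment word and T= the TTL; the script groups accepted TCP SYNs by source and destination port and flags the trojan port named in the reply. The sample log lines and their addresses are constructed.

```python
import re
from collections import defaultdict

# Field meanings per the ipchains HOWTO: PROTO = IP protocol number (6 is tcp in
# /etc/protocols), L = total length, S = TOS, I = IP id, F = fragment word, T = TTL.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Port the reply names as used by SubSeven / BackDoor-G style trojans.
SUSPECT_PORTS = {1243: "SubSeven/BackDoor-G family"}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*)(?: \(#(?P<rule>\d+)\))?"
)

def parse_packet_log(line):
    """Return the fields of one ipchains log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"], "verdict": d["verdict"], "iface": d["iface"],
        "proto": int(d["proto"]), "proto_name": PROTO_NAMES.get(int(d["proto"]), "other"),
        "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]), "tos": int(d["tos"], 16), "ipid": int(d["ipid"]),
        "frag": int(d["frag"], 16), "ttl": int(d["ttl"]),
        "flags": d["flags"].split(),                 # e.g. ["SYN"]; empty for non-TCP
        "rule": int(d["rule"]) if d["rule"] else None,  # the (#51) rule number
    }

def find_syn_probes(lines, min_count=2):
    """Group TCP SYNs by (src, dport); report repeats and any SYN to a suspect port."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["proto"] == 6 and "SYN" in rec["flags"]:
            hits[(rec["src"], rec["dport"])].append(rec)
    findings = []
    for (src, dport), recs in sorted(hits.items()):
        if len(recs) >= min_count or dport in SUSPECT_PORTS:
            findings.append({"src": src, "dport": dport, "count": len(recs),
                             "accepted": all(r["verdict"] == "ACCEPT" for r in recs),
                             "note": SUSPECT_PORTS.get(dport, "repeated SYN")})
    return findings

# Constructed sample lines in the quoted format (TEST-NET addresses, not real hosts).
SAMPLE_LOG = [
    "Feb 10 18:45:08 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 192.0.2.35:2516 198.51.100.7:1243 L=44 S=0x00 I=48222 F=0x0000 T=44 SYN (#51)",
    "Feb 10 18:45:09 dmc12 kernel: Packet log: input ACCEPT ppp0 PROTO=6 192.0.2.35:2516 198.51.100.7:1243 L=44 S=0x00 I=48254 F=0x0000 T=44 SYN (#51)",
    "Feb 10 18:46:00 dmc12 kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.9:53 198.51.100.7:1024 L=60 S=0x00 I=1 F=0x0000 T=60 (#3)",
]
```

Running `find_syn_probes(SAMPLE_LOG)` on the constructed lines yields one finding: two accepted SYNs from 192.0.2.35 to port 1243, annotated with the trojan family. An "accepted" value of True is the thing to act on, since it shows rule #51 let the probe through rather than dropping it.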
