From: Jerry Kreps <jerrykreps@jlkreps.net>
Date: Fri, 22 Dec 2000 21:11:41 -0600
Message-Id: <00122221114101.00862@JLKreps>
Subject: Re: [SLE] Is this TCP activity normal?

How about a wild guess: W2K and its various sublicense holders are reporting back every so often. ??
JLK

On Friday 22 December 2000 20:48, Robert C. Paulsen Jr. wrote:
Hello,
I just ran tcpdump and noticed lots of activity that looks suspicious. Here is a small sample:
================================================
20:30:29.593736 ns3.texas.net.domain > home.paulsen.org.clvm-cfg: 23921* 1/2/2 PTR fes-d004.icq.aol.com. (181) (DF)
20:30:29.594559 home.paulsen.org.clvm-cfg > ns3.texas.net.domain: 23922+ PTR? 3.0.207.207.in-addr.arpa. (42)
20:30:29.665101 ns3.texas.net.domain > home.paulsen.org.clvm-cfg: 23922* 1/2/2 PTR ns3.texas.net. (158) (DF)
================================================
"home.paulsen.org" is my host. It is actually on a class-c network (192.168.0.1) connected to the Internet via a Windows 2K system with a cable modem (roadrunner).
I don't know what clvm-cfg is, but this shows up several times every minute or so. clvm-cfg is port number 1476.
I also saw activity on several "nearby" ports:

genie-lm 1453/tcp # Genie License Manager
genie-lm 1453/udp # Genie License Manager
interhdl_elmd 1454/tcp # interHDL License Manager
interhdl_elmd 1454/udp # interHDL License Manager
esl-lm 1455/tcp # ESL License Manager
esl-lm 1455/udp # ESL License Manager
world-lm 1462/tcp # World License Manager
world-lm 1462/udp # World License Manager
msl_lmd 1464/tcp # MSL License Manager
msl_lmd 1464/udp # MSL License Manager
pipes 1465/tcp # Pipes Platform
pipes 1465/udp # Pipes Platform mfarlin@peerlogic.com
csdmbase 1467/tcp # CSDMBASE
csdmbase 1467/udp # CSDMBASE
aal-lm 1469/tcp # Active Analysis Limited License Manager
aal-lm 1469/udp # Active Analysis Limited License Manager
csdmbase 1471/tcp # csdmbase
csdmbase 1471/udp # csdmbase
csdm 1472/tcp # csdm
csdm 1472/udp # csdm
openmath 1473/tcp # OpenMath
openmath 1473/udp # OpenMath
telefinder 1474/tcp # Telefinder
telefinder 1474/udp # Telefinder
taligent-lm 1475/tcp # Taligent License Manager
taligent-lm 1475/udp # Taligent Licen
I saw all the above in tcpdump output, in sequential order. There are a few gaps in the list, but that's only because I didn't make a complete record of what was happening. clvm-cfg is the next one on the list.
Should I be worried about a port scan?
-- Scientific theories, according to Sir Karl Popper, can be "falsified," or proven wrong, by experiment. Unscientific theories -Marxist dialectical history and Freudian psychology were Popper's favorites- are formed in such a way that they cannot be falsified by data.