Yesterday, looking at the log of a host in my LAN, I saw some packets directed
to this port, 32785.
After this I searched for a program that runs on this port and I found "snmpXdmid"
with program number "100249". On Solaris this program runs this way:

rpcinfo -p | grep 100249
  100249 1 udp 32785
  100249 1 tcp 32786

Also: fuser -v -n tcp/udp:32785 gives no response (null)
and:  lsof -i tcp/udp:32785 gives no response (null)

The problem is that I don't have this program in my LAN; no machine holds this
service, and again I'm not using Solaris, although I think that Linux can offer
this service.
Now, this is the output:

 14:40:28.888396 192.168.100.3.32785 > my.host.priv.ipp: P 3609975255:3609975286(31)
ack 13877360 win 17376 <nop,nop,timestamp 76452 10640185> (DF)
14:40:28.888396 192.168.100.3.32785 > my.host.priv.ipp: P 3609975255:3609975286(31)
ack 13877360 win 17376 <nop,nop,timestamp 76452 10640185> (DF)
14:40:28.888481 192.168.100.3.32785 > my.host.priv.ipp: P 31:52(21) ack
1 win 17376 <nop,nop,timestamp 76452 10640185> (DF)
14:40:28.921794 my.host.priv.ipp > 192.168.100.3.32785: . ack 52 win 63712
<nop,nop,timestamp 10641190 76452> (DF)
14:40:28.922278 192.168.100.3.32785 > my.host.priv.ipp: P 52:331(279) ack
1 win 17376 <nop,nop,timestamp 76455 10641190> (DF)
14:40:28.922316 my.host.priv.ipp > 192.168.100.3.32785: . ack 331 win 63712
<nop,nop,timestamp 10641190 76455> (DF)
14:40:28.922463 my.host.priv.ipp > 192.168.100.3.32785: P 1:18(17) ack 331
win 63712 <nop,nop,timestamp 10641190 76455> (DF)
14:40:28.922501 my.host.priv.ipp > 192.168.100.3.32785: P 18:55(37) ack
331 win 63712 <nop,nop,timestamp 10641190 76455> (DF)
14:40:28.922526 my.host.priv.ipp > 192.168.100.3.32785: P 55:73(18) ack
331 win 63712 <nop,nop,timestamp 10641190 76455> (DF)
14:40:28.922860 192.168.100.3.32785 > my.host.priv.ipp: . ack 18 win 17376
<nop,nop,timestamp 76455 10641190> (DF)
14:40:28.922880 my.host.priv.ipp > 192.168.100.3.32785: P 73:224(151) ack
331 win 63712 <nop,nop,timestamp 10641190 76455> (DF)
...and much more output like this.

As you can note, the port in question is always called,
and so for many other packets.
When this finished, no more packets of this type were logged.
My question is:
Am I paranoid to think that this could be an attempt to scan my ports in
search of some exploit (in this case "snmpXdmid" produces a buffer overflow),
or is it normal traffic??????

Thanks in Advance
And sorry for my ugly English :)

Bye.

Goffredo Saffioti.
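In the trace quoted above, 32785 is the source port used by 192.168.100.3 and the destination is the ipp service (port 631) on the local host, so the first triage question is which end is the client. The script below is an added example, not code from the post or from the tcpdump project: it re-joins the wrapped lines, parses the old-style tcpdump TCP records, and reports packets, payload bytes and the client/server role per direction. It assumes, as on Solaris and Linux, that client source ports are drawn from 32768 upward.

```python
import re
from collections import defaultdict
# Constructed sample: the first records of the trace quoted in the post above.
TRACE = """\
14:40:28.888396 192.168.100.3.32785 > my.host.priv.ipp: P 3609975255:3609975286(31)
ack 13877360 win 17376 <nop,nop,timestamp 76452 10640185> (DF)
14:40:28.888481 192.168.100.3.32785 > my.host.priv.ipp: P 31:52(21) ack
1 win 17376 <nop,nop,timestamp 76452 10640185> (DF)
14:40:28.921794 my.host.priv.ipp > 192.168.100.3.32785: . ack 52 win 63712
<nop,nop,timestamp 10641190 76452> (DF)
14:40:28.922278 192.168.100.3.32785 > my.host.priv.ipp: P 52:331(279) ack
1 win 17376 <nop,nop,timestamp 76455 10641190> (DF)
14:40:28.922463 my.host.priv.ipp > 192.168.100.3.32785: P 1:18(17) ack 331
win 63712 <nop,nop,timestamp 10641190 76455> (DF)
"""
# Old tcpdump TCP line: "time src.port > dst.port: flags [seq:seq(len)] ack ..."
LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\w+) > "
                  r"(?P<dst>\S+)\.(?P<dport>\w+): (?P<flags>\S+)(?: \d+:\d+\((?P<len>\d+)\))?")

def join_wrapped(text):
    """Re-attach continuation lines (the trace was wrapped) to their record."""
    records = []
    for line in text.splitlines():
        if re.match(r"^\d\d:\d\d:\d\d\.", line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records

def is_ephemeral(port):
    """Assumption: clients take source ports from 32768 up (Solaris/Linux
    default); a named port such as 'ipp' (631) is the listening service."""
    return port.isdigit() and int(port) >= 32768

def summarize(text):
    """Per direction: packet count, payload bytes, and which end is the client."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "role": ""})
    for rec in join_wrapped(text):
        m = LINE.match(rec)
        if not m:
            continue  # not a TCP record in the expected format
        f = flows[(m["src"], m["sport"], m["dst"], m["dport"])]
        f["packets"] += 1
        f["bytes"] += int(m["len"] or 0)  # pure ACKs carry no (len)
        f["role"] = "client->server" if is_ephemeral(m["sport"]) else "server->client"
    return dict(flows)
if __name__ == "__main__":
    for (src, sp, dst, dp), f in summarize(TRACE).items():
        print(f"{src}:{sp} -> {dst}:{dp} {f['role']} {f['packets']} pkts {f['bytes']} B")
```

On the sample this reports 192.168.100.3 as the client talking to the ipp service, which is where the investigation of the "32785" name should start.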







-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html