"Robert Davies" <[EMAIL PROTECTED]> wrote:
> > Oct 6 23:17:50 www kernel: IP fw-in deny eth0 UDP 127.0.0.1:4412
> > 255.255.255.255:47624 L=80 S=0x00 I=14054 F=0x0000 T=128
>
> Is there DHCP knocking around? Believe 255.255.255.255 broadcasts
> used by it.

Yes, I have seen BOOTP traffic. However, these recent messages are different in several ways:

1) the loopback address 127.0.0.1 is used (before, it was various class C IPs)
2) the ports are 4412 and 47624 (before, they were the BOOTP ports 67 and 68)
3) the port 4412 is actually incremented, up to 4460, like in a scan (before, only the first, class C, IP address changed -- the ports stayed the same)

The only typical services I could find in that range were:

krb524          4444/udp        # Kerberos 5 to 4 ticket xlator
nv-video        4444/udp        # NV video

Tod abl.com
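
The two anomalies described in the message above (a 127.0.0.1 source seen on eth0, and a source port that steps upward), checked over firewall log lines, as an added example that is not part of the original post. The field layout is inferred from the single quoted log line, the function names are hypothetical, and every sample line after the first is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Field layout inferred from the one log line quoted in the thread (assumption).
LINE_RE = re.compile(
    r"IP (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# First line is the one quoted in the thread; the other three are constructed.
SAMPLE_LOG = """\
Oct 6 23:17:50 www kernel: IP fw-in deny eth0 UDP 127.0.0.1:4412 255.255.255.255:47624 L=80 S=0x00 I=14054 F=0x0000 T=128
Oct 6 23:17:52 www kernel: IP fw-in deny eth0 UDP 127.0.0.1:4413 255.255.255.255:47624 L=80 S=0x00 I=14060 F=0x0000 T=128
Oct 6 23:17:54 www kernel: IP fw-in deny eth0 UDP 127.0.0.1:4414 255.255.255.255:47624 L=80 S=0x00 I=14066 F=0x0000 T=128
Oct 6 23:18:01 www kernel: IP fw-in deny eth0 UDP 192.168.1.5:68 255.255.255.255:67 L=328 S=0x00 I=2201 F=0x0000 T=128
"""

def parse(log_text):
    """Yield one dict per firewall log line that matches the layout."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec

def loopback_on_wire(records):
    """Packets claiming a 127/8 source but logged on a non-loopback interface."""
    return [r for r in records
            if ipaddress.ip_address(r["src"]).is_loopback and r["iface"] != "lo"]

def stepping_source_ports(records, min_run=3):
    """Flows (src, dst, dport) whose source port rises by 1 for min_run packets."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r["sport"])
    hits = {}
    for key, ports in flows.items():
        run = best = 1
        for prev, cur in zip(ports, ports[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            hits[key] = (min(ports), max(ports))  # observed source-port range
    return hits

if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    print(loopback_on_wire(recs))
    print(stepping_source_ports(recs))
```

The BOOTP-style line (ports 68 and 67, non-loopback source) passes both checks untouched, which matches the distinction drawn in the message between the earlier traffic and the new entries.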

