Pedro;

If you go to http://www.sans.org/newlook/resources/IDFAQ/oddports.htm you will find that port 4000 is a Trojan called Skydance and port 62459 is not listed. (I would suspect that it hasn't been added to the list yet or perhaps the user of the Trojan altered the port it uses.)

Nick Nanos

-----Original Message-----
From: Pedro Zorzenon Neto [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 11, 2001 10:07 AM
To: [email protected]
Subject: ipchains log (62459 UDP port)

Hi,

I'd like to know to which service these packets belong. I got it from ipchains kernel log in my machine:

Apr 11 12:43:10 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=93 S=0x00 I=8195 F=0x4000 T=240 (#12)
Apr 11 12:43:22 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=8196 F=0x4000 T=240 (#12)
Apr 11 12:44:08 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=65485 F=0x4000 T=240 (#12)
Apr 11 12:44:32 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=94 S=0x00 I=65486 F=0x4000 T=240 (#12)
Apr 11 12:44:38 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=94 S=0x00 I=65487 F=0x4000 T=240 (#12)

... and some more like these...

When I seek this port I get:

#nmap -sU -p 62459 -v localhost
WARNING: -sU is now UDP scan -- for TCP FIN scan use -sF

Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
Host localhost (127.0.0.1) appears to be up ... good.
Initiating FIN,NULL, UDP, or Xmas stealth scan against localhost (127.0.0.1)
The UDP or stealth FIN/NULL/XMAS scan took 0 seconds to scan 1 ports.
No ports open for host localhost (127.0.0.1)

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

Looking about the other IP:

----
$ whois 205.188.153.99
America Online, Inc (NETBLK-AOL-DTC)
22080 Pacific Blvd
Sterling, VA 20166
US
----

I wasn't accessing any page from AOL at the time this log was written...

Is there anything unsafe in my system??? Anything to worry about?

Thanks in advance,
Pedro
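The ipchains log lines quoted in the message above can be split into fields and grouped by flow, which shows at a glance which side holds which port and how much traffic each rule logged. This is an added example, not part of the original thread; the function names are chosen here, and three of the quoted lines are embedded as sample input.

```python
import re
from collections import defaultdict

# ipchains fields: L=length, S=TOS, I=IP ID, F=flags+fragment offset, T=TTL.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Sample input: three of the log lines quoted in the message above.
SAMPLE = """\
Apr 11 12:43:10 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=93 S=0x00 I=8195 F=0x4000 T=240 (#12)
Apr 11 12:43:22 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=8196 F=0x4000 T=240 (#12)
Apr 11 12:44:32 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=94 S=0x00 I=65486 F=0x4000 T=240 (#12)
"""

def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None  # not an ipchains packet log line
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    frag = int(rec["frag"], 16)
    rec["df"] = bool(frag & 0x4000)   # Don't Fragment flag
    rec["mf"] = bool(frag & 0x2000)   # More Fragments flag
    rec["frag_offset"] = frag & 0x1FFF
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec

def summarize(text):
    """Group log lines by (proto, src, sport, dst, dport) and total them."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "rules": set()})
    for rec in filter(None, map(parse_line, text.splitlines())):
        key = (rec["proto_name"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += rec["length"]
        flows[key]["rules"].add(rec["rule"])
    return dict(flows)

if __name__ == "__main__":
    for flow, stats in summarize(SAMPLE).items():
        print(flow, stats)
```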

