I discovered what it was. 205.188.153.99 is one of the Mirabilis ICQ servers. The logs were the packets of the messages that I received in GnomeICU :-)

Now I think there isn't much to worry about... Sorry for asking such a stupid question.

Pedro

On Wed, Apr 11, 2001 at 11:00:30AM -0400, Nick Nanos wrote:
>
> Pedro;
>
> If you go to http://www.sans.org/newlook/resources/IDFAQ/oddports.htm
>
> You will find that port 4000 is a Trojan called Skydance and port
> 62459 is not listed. (I would suspect that it hasn't been added to the
> list yet or perhaps the user of the Trojan altered the port it uses.)
>
> Nick Nanos
>
> -----Original Message-----
> From: Pedro Zorzenon Neto [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 11, 2001 10:07 AM
> To: [email protected]
> Subject: ipchains log (62459 UDP port)
>
>
> Hi,
>
> I'd like to know to which service these packets belong. I got it from
> the ipchains kernel log on my machine:
>
> Apr 11 12:43:10 milho kernel: Packet log: input ACCEPT eth1 PROTO=17
> 205.188.153.99:4000 200.183.58.81:62459 L=93 S=0x00 I=8195 F=0x4000
> T=240 (#12)
> Apr 11 12:43:22 milho kernel: Packet log: input ACCEPT eth1 PROTO=17
> 205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=8196 F=0x4000
> T=240 (#12)
> Apr 11 12:44:08 milho kernel: Packet log: input ACCEPT eth1 PROTO=17
> 205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=65485 F=0x4000
> T=240 (#12)
> Apr 11 12:44:32 milho kernel: Packet log: input ACCEPT eth1 PROTO=17
> 205.188.153.99:4000 200.183.58.81:62459 L=94 S=0x00 I=65486 F=0x4000
> T=240 (#12)
> Apr 11 12:44:38 milho kernel: Packet log: input ACCEPT eth1 PROTO=17
> 205.188.153.99:4000 200.183.58.81:62459 L=94 S=0x00 I=65487 F=0x4000
> T=240 (#12)
> ... and some more like these...
>
> When I scan this port I get:
>
> #nmap -sU -p 62459 -v localhost
> WARNING: -sU is now UDP scan -- for TCP FIN scan use -sF
> Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
> Host localhost (127.0.0.1) appears to be up ... good.
> Initiating FIN,NULL, UDP, or Xmas stealth scan against localhost (127.0.0.1)
> The UDP or stealth FIN/NULL/XMAS scan took 0 seconds to scan 1 ports.
> No ports open for host localhost (127.0.0.1)
> Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
>
> Looking up the other IP:
> ----
> $ whois 205.188.153.99
> America Online, Inc (NETBLK-AOL-DTC)
> 22080 Pacific Blvd
> Sterling, VA 20166
> US
> ----
> I wasn't accessing any page from AOL at the time this log was
> written...
>
> Is there anything unsafe in my system??? Anything to worry about?
>
> Thanks in advance,
>
> Pedro
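The question the thread settles by hand (which end of the UDP exchange is the server, and whether a remote port number appearing on a trojan list means anything by itself) can be answered mechanically from the ipchains log lines. The script below is an added example, not code from the thread, from GnomeICU or from any tool mentioned in it: it parses ipchains "Packet log:" entries, aggregates them per 5-tuple, and labels each flow according to whether the remote port or the local port looks like the service side. Note that the packets in the log arrive on the `input` chain from remote port 4000 to one and the same local high port, which is the shape of replies to a local client socket, not of something listening on the local machine. The sample log text is constructed (three lines modelled on the ones Pedro quoted plus one made-up telnet attempt in the other direction), and the service-port table is an assumption of the example, not an authoritative list.

```python
import re
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Constructed sample input: three lines modelled on the ipchains entries quoted
# in the thread, plus one made-up DENY line for a packet aimed at a local
# service port, so the classifier has both directions to work on.
SAMPLE_LOG = """\
Apr 11 12:43:10 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=93 S=0x00 I=8195 F=0x4000 T=240 (#12)
Apr 11 12:43:22 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=8196 F=0x4000 T=240 (#12)
Apr 11 12:44:08 milho kernel: Packet log: input ACCEPT eth1 PROTO=17 205.188.153.99:4000 200.183.58.81:62459 L=49 S=0x00 I=65485 F=0x4000 T=240 (#12)
Apr 11 12:50:01 milho kernel: Packet log: input DENY eth1 PROTO=6 10.9.8.7:3345 200.183.58.81:23 L=60 S=0x00 I=1234 F=0x4000 T=52 (#3)
"""

# ipchains "Packet log:" layout: chain action iface PROTO=n src:sport dst:dport
# L=total IP length  S=TOS  I=IP ID  F=fragment flags/offset  T=TTL  [(#rule)]
# For ICMP (PROTO=1) the two "port" positions carry type and code instead.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

# Assumed lookup table for this example (not from the page).  4000/udp is the
# classic Mirabilis ICQ server port; the SANS list cited in the thread maps the
# same number to a trojan, which is exactly why a port number alone cannot
# settle what a socket is.
KNOWN_SERVICE_PORTS: Dict[Tuple[int, int], str] = {
    (17, 4000): "icq (Mirabilis ICQ server)",
    (17, 53): "dns",
    (6, 23): "telnet",
    (6, 80): "http",
}


def parse_ipchains_line(line: str) -> Optional[dict]:
    """Parse one ipchains kernel log line; None if it is not a Packet log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    frag = int(rec["frag"], 16)
    rec["dont_fragment"] = bool(frag & 0x4000)  # DF bit of the IP flags word
    rec["frag_offset"] = frag & 0x1FFF          # 13-bit fragment offset
    return rec


def service_name(proto: int, port: int) -> Optional[str]:
    return KNOWN_SERVICE_PORTS.get((proto, port))


def classify_flow(proto: int, sport: int, dport: int) -> str:
    """Guess which side is the server from the port pair alone.  Lines from the
    'input' chain are packets arriving at this host, so dport is the local port."""
    if proto not in (6, 17):
        return "not-tcp-udp"
    if dport < 1024 or service_name(proto, dport):
        return "inbound-to-local-service"
    if sport < 1024 or service_name(proto, sport):
        return "reply-to-local-client"
    return "unknown"


def summarize_flows(log_text: str) -> Dict[Tuple[int, str, int, str, int], dict]:
    """Aggregate packets per (proto, src, sport, dst, dport): count, bytes,
    firewall actions seen, direction guess and the remote service name if any."""
    flows: Dict[Tuple[int, str, int, str, int], dict] = defaultdict(
        lambda: {"packets": 0, "bytes": 0, "actions": set()}
    )
    for line in log_text.splitlines():
        rec = parse_ipchains_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        f = flows[key]
        f["packets"] += 1
        f["bytes"] += rec["length"]
        f["actions"].add(rec["action"])
        f["direction"] = classify_flow(rec["proto"], rec["sport"], rec["dport"])
        f["remote_service"] = service_name(rec["proto"], rec["sport"])
    return dict(flows)


if __name__ == "__main__":
    for (proto, src, sport, dst, dport), f in summarize_flows(SAMPLE_LOG).items():
        print(f"proto={proto} {src}:{sport} -> {dst}:{dport} "
              f"packets={f['packets']} bytes={f['bytes']} "
              f"direction={f['direction']} remote_service={f['remote_service']}")
```

The port-pair heuristic only narrows things down. What actually settles which program owns 200.183.58.81:62459 is asking the host while the socket is open, with `netstat -anup` or `lsof -i UDP:62459`, which prints the owning PID and program name; a port scan of localhost cannot tell an ICQ client's socket from anything else bound to that port.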

