On Tue, 7 Sep 1999, Dave Gillett wrote:

>   Somebody's been sending me UDP packets from, and to, port 1976.  Anybody 
> recognize this?

The list of IANA-assigned ports at:
http://www.isi.edu/in-notes/iana/assignments/port-numbers
says :

tcoregagent     1976/udp   TCO Reg Agent 

about that port/UDP. Nmap's nmap-services has nothing on it and neither
does http://www.simovits.com/nyheter9902.html which is a list of trojan
ports.

However:

Are you saying that 'someone' has made a UDP connection (what does "from,
and to," mean?) to one of your machines on port 1976? Do you have a
daemon/service for that port/protocol on that machine? Do you have a " TCO
Reg Agent" (sorry dunno what that is...) on that machine? Any unknown or
unauthorized connections on my machines usually say to me that something
is not quite right. Maybe I'm heading for net-loon-hood, but I think you
need to isolate this situation immediately: i.e. shut down the inet-links
to this machine, NOW. Then pore over it offline to find the daemon and/or
client that is accepting/initiating the connection and understand if it's
supposed to be there. (A file integrity check would also not be out of
order, I suspect.) Call me a looney but I really don't let my machines
have ports open unless I know what's listening on them, and that I made it
so. 

Please take this reply with a grain of salt (ok a few) because you didn't
really provide enough specifics, i.e. what OS you have, what kind of access
control there is to this machine, where it is in your network topology,
if you are the sysadmin on the machine in question, or your responsibility
is for the machine that detected the packets, and not for the internal
machine to which they are destined, etc... Also if the machine outside
your network is expected to be making this 1976/UDP connection or not (I
suspect not, however, I suspect many things, so this is not unusual.. :)

best of luck.

spiff

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

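Added example, not part of the original message: one way to run the "know what's listening on every port" check the reply recommends, by listing bound UDP sockets and flagging any port that is not on an approved list. It assumes a little-endian Linux host that exposes IPv4 UDP sockets in `/proc/net/udp`; the sample data, the allowlist and all function names are constructed for illustration.

```python
import re
import socket
import struct

# Constructed sample in the IANA port-numbers layout quoted in the reply.
SERVICES_TEXT = """\
domain          53/udp     Domain Name Server
ntp             123/udp    Network Time Protocol
tcoregagent     1976/udp   TCO Reg Agent
"""

# Constructed sample of Linux /proc/net/udp (ports are hex: 0x07B8 == 1976).
PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  101: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11021
  102: 0100007F:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11534
  103: 00000000:07B8 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20977
"""

def parse_services(text, proto="udp"):
    """Map port number -> service name for one protocol."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)/(\w+)", line)
        if m and m.group(3) == proto:
            names[int(m.group(2))] = m.group(1)
    return names

def parse_proc_net_udp(text):
    """Return (local_addr, local_port, uid, inode) for each bound UDP socket."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The kernel prints the IPv4 address as a host-order (little-endian) word.
        addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        sockets.append((addr, int(port_hex, 16), int(fields[7]), int(fields[9])))
    return sockets

def unexpected_listeners(proc_text, services_text, allowed_ports):
    """Flag every bound UDP port that the admin has not explicitly approved."""
    names = parse_services(services_text)
    return [{"addr": a, "port": p, "uid": u, "inode": i,
             "service": names.get(p, "unlisted")}
            for a, p, u, i in parse_proc_net_udp(proc_text)
            if p not in allowed_ports]

if __name__ == "__main__":
    for hit in unexpected_listeners(PROC_NET_UDP, SERVICES_TEXT, {53, 123}):
        print(hit)
```

On a live host, read `/proc/net/udp` and a local services file in place of the samples. The reported inode identifies the owning process: it appears as `socket:[inode]` among the symlinks in `/proc/<pid>/fd`.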