On Wed, 01. Dec. 1999 at 08:36:06 -0500, Steve Cody wrote:
> When I came in this morning, I noticed a log full of these. The source port
> ranged from 1237 to 1534. The source IP address traces back to a dialup
> account so I am assuming someone was doing some sort of hack attempt. I am
> wondering what this was for, and what could have been gained by connecting
> to this port?
>
> Dec 1 01:11:29 brimstone kernel: Packet log: input DENY eth1 PROTO=6
> 209.195.142.85:1472 12.xx.xx.3:8954 L=48 S=0x00 I=57114 F=0x4000 T=114
>
Maybe the port of a trojan inside your net.
Some trojans contain a notification, e.g. by mail, that they have been
successfully installed on a host. This mail also contains the IP.
Check the dest IP for any newly installed software.
--
Jens Jahr
* ID-PRO GmbH
* mailto:[EMAIL PROTECTED]
* http://open-for-the-better.com/
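
An added example, not part of the original messages: a small Python parser for ipchains "Packet log" lines like the one quoted above. It groups denied packets by source, destination and destination port and reports the source-port range for each group. The first sample line is the one from the post; the other lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Field layout of an ipchains "Packet log" kernel line, as in the quoted entry.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)

def parse(line):
    """Return the decoded fields of one log line, or None if it is not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        d[key] = int(d[key])
    d["tos"] = int(d["tos"], 16)
    d["frag"] = int(d["frag"], 16)
    d["dont_fragment"] = bool(d["frag"] & 0x4000)  # DF bit of the IP flags field
    return d

def summarise(lines):
    """Group DENY entries by (src, dst, proto, dport); report count and source-port range."""
    groups = defaultdict(list)
    for line in lines:
        p = parse(line)
        if p and p["action"] == "DENY":
            groups[(p["src"], p["dst"], p["proto"], p["dport"])].append(p["sport"])
    return {k: {"count": len(v), "sport_min": min(v), "sport_max": max(v)}
            for k, v in groups.items()}

PREFIX = "brimstone kernel: Packet log: input "
SAMPLE = [
    # From the post (the destination address is redacted there as well).
    "Dec 1 01:11:29 " + PREFIX + "DENY eth1 PROTO=6 209.195.142.85:1472 12.xx.xx.3:8954 L=48 S=0x00 I=57114 F=0x4000 T=114",
    # Constructed lines: same flow, using the source-port bounds the post mentions.
    "Dec 1 01:09:02 " + PREFIX + "DENY eth1 PROTO=6 209.195.142.85:1237 12.xx.xx.3:8954 L=48 S=0x00 I=56001 F=0x4000 T=114",
    "Dec 1 01:14:40 " + PREFIX + "DENY eth1 PROTO=6 209.195.142.85:1534 12.xx.xx.3:8954 L=48 S=0x00 I=58230 F=0x4000 T=114",
    # Constructed: an accepted packet and an unrelated syslog line, both ignored.
    "Dec 1 01:15:00 " + PREFIX + "ACCEPT eth1 PROTO=17 192.0.2.10:53 12.xx.xx.3:1025 L=80 S=0x00 I=12 F=0x0000 T=60",
    "Dec 1 01:15:01 brimstone sshd[101]: constructed unrelated line",
]

if __name__ == "__main__":
    for key, stats in summarise(SAMPLE).items():
        print(key, stats)
```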