
List:       ipchains-list
Subject:    RE: 370 & 371/udp /answer to the $64K question
From:       Clyde Parliament <clyde.parliament () flexserv ! com>
Date:       2001-02-16 14:16:00

I finally determined the culprit:  DataLifeLine 
http://www.westerndigital.com/products/drives/lifeline.html
from WD.  I thought I was downloading tools; I see now that I did not!  I 
checked TaskMangler and found it running and put 2 + 2 together.  ipchains 
saves the day again!

===== Original Message from John Sage <jsage@finchhaven.com> at 2/15/01 10:40 pm
>Clyde:
>
>http://www.snort.org/Database/portsearch.asp
>
>offers a good source for checking port usage.
>
>For 370 it returns:
>
>370 udp codaauth2
>370 tcp codaauth2
>
>and for 371:
>
>371 udp Clearcase
>371 tcp Clearcase
>
>I have no idea what these are, but if these ports were involved in
>(known) exploits, the name of the exploit is returned, like this:
>
>23 tcp ODD Packet - Utlors Telnet Trojan
>
>HTH..
>
>- John
>
>--
>John Sage
>FinchHaven, Vashon Island, WA, USA
>http://www.finchhaven.com/
>mailto:jsage@finchhaven.com
>And remember: it's spelled l-i-n-u-x, but it's pronounced "Linux"
>
>Clyde Parliament wrote:
>>
>> Has anyone seen an exploit using these ports?  I finally configured my
>> firewall to remote log to a central server, and while checking out my
>> handiwork, I noticed several DENY entries in the wee hours of the morning.
>> I was surprised for several reasons: who they were going to, and, that they
>> came from my personal workstation.  I did do a reverse lookup (obviously),
>> but I am going to refrain from revealing the entity they were directed to
>> until I find out more info.
>> Any help would be appreciated; I realize this might be off-topic, but I know
>> the powers-that-be spend a great deal of time analyzing firewall scripts
>> and log output.
>>
>> TIA
>>
>> Clyde L. Parliament
>> President
>> Flexserv Inc.
>> PMB-C225
>> 1498 Buford Hwy. N.E.
>> Sugar Hill, GA 30518
>>
>> Voice:              678-317-0261
>> Fax:                 678-942-2950
>>
>> Email              mailto:clyde.parliament@flexserv.com
>> Web:               http://www.flexserv.com

Clyde L. Parliament
President
Flexserv Inc.
PMB-C225
1498 Buford Hwy. N.E.
Sugar Hill, GA 30518

Voice:              678-317-0261
Fax:                 678-942-2950

Email              mailto:clyde.parliament@flexserv.com
Web:               http://www.flexserv.com
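
The log triage described in this thread, as an added example that is not part of either poster's message: it parses ipchains kernel log lines and groups DENY entries sourced from an internal host by destination port, which is how locally originated traffic such as the 370/371 udp packets stands out. The log lines, the 192.168.1.0/24 LAN and the host name `fw` are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the internal LAN behind the firewall (not stated in the thread).
INTERNAL = ip_network("192.168.1.0/24")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

# ipchains kernel log format (IPCHAINS-HOWTO):
# Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=...
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) ")

# Constructed sample lines using documentation addresses; not from the thread.
SAMPLE = """\
Feb 16 03:12:01 fw kernel: Packet log: input DENY eth1 PROTO=17 192.168.1.20:1031 203.0.113.9:370 L=60 S=0x00 I=4101 F=0x0000 T=128 (#9)
Feb 16 03:12:01 fw kernel: Packet log: input DENY eth1 PROTO=17 192.168.1.20:1032 203.0.113.9:371 L=60 S=0x00 I=4102 F=0x0000 T=128 (#9)
Feb 16 03:42:03 fw kernel: Packet log: input DENY eth1 PROTO=17 192.168.1.20:1033 203.0.113.9:370 L=60 S=0x00 I=4250 F=0x0000 T=128 (#9)
Feb 16 03:42:03 fw kernel: Packet log: input DENY eth1 PROTO=17 192.168.1.20:1034 203.0.113.9:371 L=60 S=0x00 I=4251 F=0x0000 T=128 (#9)
Feb 16 04:05:40 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4021 192.0.2.1:23 L=44 S=0x00 I=771 F=0x0000 T=51 SYN (#4)
Feb 16 04:10:00 fw kernel: Packet log: input ACCEPT eth1 PROTO=17 192.168.1.20:1035 192.168.1.1:53 L=58 S=0x00 I=4300 F=0x0000 T=128 (#2)
"""

def outbound_denies(log_text, internal=INTERNAL):
    """Group DENY entries sourced from an internal host by (src, proto, dport)."""
    groups = defaultdict(lambda: {"count": 0, "dsts": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["target"] != "DENY":
            continue  # unparsed line, or a logged ACCEPT/other target
        if ip_address(m["src"]) not in internal:
            continue  # inbound probe from outside; not locally originated
        proto = PROTO.get(int(m["proto"]), m["proto"])
        g = groups[(m["src"], proto, int(m["dport"]))]
        g["count"] += 1
        g["dsts"].add(m["dst"])
        g["first"] = g["first"] or m["ts"]
        g["last"] = m["ts"]
    return dict(groups)

if __name__ == "__main__":
    for (src, proto, dport), g in sorted(outbound_denies(SAMPLE).items()):
        print(f"{src} -> {dport}/{proto}: {g['count']} denied to "
              f"{sorted(g['dsts'])}, {g['first']} .. {g['last']}")
```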

