> I occasionally see connect attempts coming from
>random hosts on the internet to some of the web servers
>I maintain to TCP port 524.
> I understand this is used by Novell as part of their
>protocol stack.
> Should I just block these at the border router and
>forget about them the same as I do with udp/137 which
>is a Windows PC trying to do a netbios name lookup?
>(is it the same thing - the default way a machine works
>as opposed to an active exploit?)
If you are not running Novell I guess you can forget it. The connection
attempts are made because there was a vulnerability back in Linux RedHat
6.2, and they are hoping to find an old, unpatched machine.
Cheers,
Joakim
Joakim von Braun phone +46-(0)8-428 95 05
von Braun Consultants cell phone +46-(0)709-56 16 42
Kristinehovsgatan 14
SE-117 29 Stockholm, SWEDEN
The Trojan Database: http://www.simovits.com/trojans/trojans.html