Hi Firewallers,
I had a little 'incident' last night. Some AT&T Global dialup customer with
apparently nothing better to do but sit and monitor his BlackICE (or
whatever) logs called, wrote, paged and spammed everyone here because he
claimed we were 'port-scanning' his machine. A portion of his logs that he
sent follows:
FWIN,2000/09/06,18:28:18 -8:00 GMT,208.x.x.x:44224,32.102.x.x:1101,UDP
FWIN,2000/09/06,18:28:18 -8:00 GMT,208.x.x.x:44227,32.102.x.x:1109,UDP
FWIN,2000/09/06,18:29:18 -8:00 GMT,208.x.x.x:44232,32.102.x.x:1101,UDP
FWIN,2000/09/06,18:29:18 -8:00 GMT,208.x.x.x:44235,32.102.x.x:1109,UDP
FWIN,2000/09/06,18:30:20 -8:00 GMT,208.x.x.x:44237,32.102.x.x:1101,UDP
It appears that our FW module (208.x.x.x) was repeatedly trying to connect
to his UDP ports 1101 and 1109 for a period of about 18 minutes. My logs show
nothing for this period. Any of you bright sparks have a guess as to what
this might have been?
UDP 1101 is apparently pt2-discover (registered by siemens.de), but apart
from that I have no clue on this one. Any takers? Thanks,
Ian
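
An added example, not part of the original post: a small Python parser for the log format quoted above that groups entries by source and reports the distinct destination ports and the seconds between hits on each port, which is the information needed to tell a sweep across many ports from repeated traffic to the same few. The field layout (source address:port, destination address:port, protocol) is assumed from the post's own reading of the lines, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# The five entries quoted in the post, each rejoined onto one line.
LOG = """\
FWIN,2000/09/06,18:28:18 -8:00 GMT,208.x.x.x:44224,32.102.x.x:1101,UDP
FWIN,2000/09/06,18:28:18 -8:00 GMT,208.x.x.x:44227,32.102.x.x:1109,UDP
FWIN,2000/09/06,18:29:18 -8:00 GMT,208.x.x.x:44232,32.102.x.x:1101,UDP
FWIN,2000/09/06,18:29:18 -8:00 GMT,208.x.x.x:44235,32.102.x.x:1109,UDP
FWIN,2000/09/06,18:30:20 -8:00 GMT,208.x.x.x:44237,32.102.x.x:1101,UDP
"""

def parse(line):
    """Split one entry into (timestamp, src, sport, dst, dport, proto)."""
    kind, date, clock, src, dst, proto = line.strip().split(",")
    if kind != "FWIN":
        raise ValueError("not an inbound entry: " + line)
    # The UTC offset is ignored: only intervals within one log are compared.
    ts = datetime.strptime(date + " " + clock.split()[0], "%Y/%m/%d %H:%M:%S")
    # Addresses stay strings so redacted octets (208.x.x.x) still parse.
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, src_ip, int(sport), dst_ip, int(dport), proto

def summarise(text):
    """Per (source, protocol): distinct destination ports and per-port gaps."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if line.strip():
            ts, src, _, _, dport, proto = parse(line)
            seen[(src, proto)][dport].append(ts)
    out = {}
    for key, ports in seen.items():
        gaps = {}
        for port, times in ports.items():
            times.sort()
            gaps[port] = [int((b - a).total_seconds())
                          for a, b in zip(times, times[1:])]
        out[key] = {"ports": sorted(ports), "gaps": gaps}
    return out

if __name__ == "__main__":
    for (src, proto), s in summarise(LOG).items():
        print(src, proto, "ports:", s["ports"], "gaps (s):", s["gaps"])
```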