Microsoft SQL server listens on that port (1433)...there's a worm going around that is looking for unprotected SQL server hosts. Hopefully this doesn't wrap:
http://securityresponse.symantec.com/avcenter/venc/data/digispid.b.worm.html

Hope that helps

Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 14, 2002 6:09 PM
To: Jon Clausen; [EMAIL PROTECTED]
Subject: Re: [leaf-user] What's this guy trying?

port 1433.. isn't that Citrix or more specifically the ICA protocol. Or was it VNC...

joey

On Mon, 14 Oct 2002 23:29:42 +0200 Jon Clausen <[EMAIL PROTECTED]> wrote:

> Logged into a remote Dachstein box to check up on something else, and I
> see huge amounts of denied packets in /var/log/messages...
>
> Connection attempts from f.x:
>
> 10.131.224.1:3 -> 62.243.222.62:1
> ^^unknown^^       ^^my remote^^
>
> I see a bunch of these from different IPs (that is, from port 3 to port
> 1)... dunno what to make of that, but then there's this guy:
>
> # grep 65.82.107.120 $_ | nl
>   1  Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x0000 T=45 (#2)
>
> <continues in 'bursts' to:>
> ...
>
> 164  Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5866 F=0x0000 T=45 (#2)
>
> is this some kind of DoS? Am I under attack, or is it just some
> misconfigured box?
>
> I nmapped the IP, and the only thing that came up was:
> Port State Service
> 1433/tcp open ms-sql-s
>
> -so I'm guessing it's a zombie windows host... (?)
>
> TIA
>
> Jon Clausen
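Added example, not part of the original thread: a small triage parser for ipchains "Packet log:" lines like the ones quoted above. It relies on the ipchains logging convention that for PROTO=1 (ICMP) the two "port" fields hold the ICMP type and code; the function names and the third sample line are constructed for illustration.

```python
import re
from collections import Counter

# A few ICMP (type, code) pairs from RFC 792; anything else is shown numerically.
ICMP_NAMES = {
    (3, 1): "destination unreachable (host)",
    (3, 3): "destination unreachable (port)",
    (5, 0): "redirect (network)",
    (5, 1): "redirect (host)",
    (8, 0): "echo request",
    (11, 0): "time exceeded (TTL)",
}
IP_PROTOS = {6: "tcp", 17: "udp"}

# ipchains layout: chain, target, interface, PROTO, src:port, dst:port, L=length ...
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<a>\d+) (?P<dst>[\d.]+):(?P<b>\d+) L=(?P<length>\d+)"
)

def parse(line):
    """Return a dict for one ipchains log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    proto, a, b = int(rec["proto"]), int(rec["a"]), int(rec["b"])
    if proto == 1:
        # For ICMP the "ports" are really type and code, not port numbers.
        rec["kind"] = "icmp"
        rec["detail"] = ICMP_NAMES.get((a, b), f"type {a} code {b}")
    else:
        rec["kind"] = IP_PROTOS.get(proto, f"proto {proto}")
        rec["detail"] = f"sport {a} dport {b}"
    return rec

def summarize(lines):
    """Count logged packets per (source, protocol, detail) to expose bursts."""
    counts = Counter()
    for rec in filter(None, map(parse, lines)):
        counts[(rec["src"], rec["kind"], rec["detail"])] += 1
    return counts

SAMPLE = [
    # First two lines are the log entries quoted in the thread.
    "Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x0000 T=45 (#2)",
    "Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5866 F=0x0000 T=45 (#2)",
    # Constructed line (documentation addresses) showing a TCP probe of port 1433.
    "Oct 14 15:07:00 examplehost kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4021 198.51.100.7:1433 L=48 S=0x00 I=100 F=0x4000 T=110 (#9)",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```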
