Re: weired logs
Hans-J. Ullrich wrote:
> Hi all,
> just a question. I found this entry in my logs:
> Nov 7 21:02:21 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
> Nov 7 21:02:21 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
> Nov 7 21:02:25 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
> Nov 7 21:02:25 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
> It looks like my host tried to connect to c105.cloudmark.com port:2703. I never tried to do this, so this might be caused by an application (which might be a security hole), someone attacked me, or this was caused by my running tor.
> What is port 2703 ?

Hi,
The port 2703 is not regular:
prometheus ~ # grep 2703 /etc/services
-- no results

After I spent some time on google for you I found this interesting article: http://www.auditmypc.com/port/udp-port-2703.asp
It seems to be an application for SMS transferring or sth. stupid like that.
Try to locate the port by using netstat and isolate the socket and the matching PID of the process. The rest should be a piece of cake :)

> Regards
> Hans

Best Regards
Jan

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
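Jan's suggestion (find the socket with netstat, then the PID that owns it) can be scripted so it does not depend on eyeballing the output. The following is an added example written for this thread, not code posted by anyone in it: it parses the output of Linux `ss -tnp` (the modern replacement for `netstat -tnp`) and reports which processes own sockets to a given peer port. The sample rows are constructed; the peer address 208.83.136.25 and the PID 7476 / process name spamd are taken from later messages in the thread, the local addresses and the firefox row are made up. Running the real command as root is required to see the owning process of other users' sockets.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# One data row of `ss -tnp`:
#   State Recv-Q Send-Q Local:Port Peer:Port users:(("name",pid=N,fd=M),...)
SS_ROW_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
    r"(?:\s+users:\((?P<users>.*)\))?\s*$"
)
# One ("name",pid=N,fd=M) entry inside the users:(...) column.
USER_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')

# Constructed sample output in the shape `ss -tnp` prints (not captured from a real host).
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.0.10:38822 208.83.136.25:2703 users:(("spamd",pid=7476,fd=5))
SYN-SENT 0 1 192.168.0.10:38824 208.83.136.25:2703 users:(("spamd",pid=7476,fd=6))
ESTAB 0 0 192.168.0.10:52110 10.0.0.2:443 users:(("firefox",pid=4120,fd=88))
"""


class Socket(NamedTuple):
    state: str
    local: str
    peer_host: str
    peer_port: int
    owners: Tuple[Tuple[str, int], ...]  # (process name, pid) pairs


def split_hostport(addr: str) -> Tuple[str, int]:
    """Split 'host:port'; rpartition keeps IPv6 addresses containing ':' intact."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_ss(output: str) -> List[Socket]:
    """Parse `ss -tnp` output into Socket records, skipping the header and unparsable rows."""
    sockets = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("State"):
            continue
        m = SS_ROW_RE.match(line)
        if m is None:
            continue
        host, port = split_hostport(m.group("peer"))
        owners = tuple(
            (u.group("name"), int(u.group("pid")))
            for u in USER_RE.finditer(m.group("users") or "")
        )
        sockets.append(Socket(m.group("state"), m.group("local"), host, port, owners))
    return sockets


def who_talks_to(output: str, port: int, host: Optional[str] = None) -> List[Tuple[str, int]]:
    """Return sorted, de-duplicated (name, pid) pairs owning sockets to the given peer port/host."""
    found = set()
    for s in parse_ss(output):
        if s.peer_port == port and (host is None or s.peer_host == host):
            found.update(s.owners)
    return sorted(found)


if __name__ == "__main__":
    # Usage: pipe real output in with `ss -tnp | python3 this_script.py`, or run the sample.
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for name, pid in who_talks_to(data, 2703):
        print(f"port 2703 is used by {name} (pid {pid})")
```

Once the PID is known, `ps -p <pid> -o pid,user,cmd` names the binary, which is exactly the "rest" Jan refers to.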
Re: weired logs
On Thursday 08 November 2007, Hans-J. Ullrich wrote:
> Nov 7 21:02:25 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
                               7476
The number between the square brackets is the process ID of whatever generated the message. check is the process name it is using, but that might be too generic. Since the process ID doesn't seem to change for each message, have a look at whatever that is.

Ernest
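Ernest's point, that `check[7476]` in a syslog line is the program name and PID of the logging process, is the key to triaging this kind of entry. The example below is added here and is not code from the thread: it parses syslog lines of the shape quoted above, groups the "Unable to connect" failures by program, PID and destination, and then tries to resolve the PID to a running command through Linux /proc (the step Ernest recommends). The four sample lines are the ones Hans posted; the extra kernel line is constructed to show that non-matching lines are skipped. The bracketed "[ 3]" is assumed to be a log-level field of the application and is captured but not interpreted.

```python
import re
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# Syslog line: "<Mon> <day> <HH:MM:SS> <host> <prog>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)
# Message body as quoted in the thread; the leading "[ 3]" is assumed to be a log level.
CONNECT_RE = re.compile(
    r"^(?:\[\s*(?P<level>\d+)\]\s*)?Unable to connect to (?P<dest>[^:\s]+):(?P<port>\d+);"
    r"\s*Reason:\s*(?P<reason>.+?)\.?$"
)

# Sample input: the four lines from the thread plus one constructed kernel line.
SAMPLE_LINES = [
    "Nov 7 21:02:21 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.",
    "Nov 7 21:02:21 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.",
    "Nov 7 21:02:25 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.",
    "Nov 7 21:02:25 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.",
    "Nov 7 21:03:00 protheus2 kernel: eth0: link up",  # constructed, does not match
]


class ConnectFailure(NamedTuple):
    timestamp: str
    host: str
    prog: str
    pid: int
    dest: str
    port: int
    reason: str


def parse_line(line: str) -> Optional[ConnectFailure]:
    """Return a ConnectFailure for a matching syslog line, else None."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    c = CONNECT_RE.match(m.group("msg"))
    if c is None:
        return None
    return ConnectFailure(
        timestamp=f"{m.group('month')} {m.group('day')} {m.group('time')}",
        host=m.group("host"),
        prog=m.group("prog"),
        pid=int(m.group("pid")),
        dest=c.group("dest"),
        port=int(c.group("port")),
        reason=c.group("reason"),
    )


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, int, str, int], int]:
    """Count connection failures per (prog, pid, dest, port)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec.prog, rec.pid, rec.dest, rec.port)] += 1
    return dict(counts)


def pid_to_command(pid: int) -> Optional[str]:
    """Resolve a PID to its command line via Linux /proc; None if it no longer exists."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            raw = f.read()
    except OSError:
        return None
    return raw.replace(b"\0", b" ").decode(errors="replace").strip() or None


if __name__ == "__main__":
    for (prog, pid, dest, port), n in summarize(SAMPLE_LINES).items():
        cmd = pid_to_command(pid) or "<process no longer running>"
        print(f"{prog}[{pid}] -> {dest}:{port}: {n} failures; command: {cmd}")
```

The PID lookup only works while the process is still alive, which is why the thread's advice to check "whatever that is" is time-sensitive; on a host where the logging process has since exited, the program name in the log line is all that remains.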
Re: weired logs
Jan wrote:
> Hans-J. Ullrich wrote:
>> Hi all,
>> just a question. I found this entry in my logs:
>> Nov 7 21:02:21 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
>> Nov 7 21:02:21 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
>> Nov 7 21:02:25 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
>> Nov 7 21:02:25 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
>> It looks like my host tried to connect to c105.cloudmark.com port:2703. I never tried to do this, so this might be caused by an application (which might be a security hole), someone attacked me, or this was caused by my running tor.
>> What is port 2703 ?
> Hi,
> The port 2703 is not regular:
> prometheus ~ # grep 2703 /etc/services
> -- no results
> After I spent some time on google for you I found this interesting article: http://www.auditmypc.com/port/udp-port-2703.asp
> It seems to be an application for SMS transferring or sth. stupid like that.
> Try to locate the port by using netstat and isolate the socket and the matching PID of the process. The rest should be a piece of cake :)

Addition: I took a look at cloudmark.com after my first response. It seems to be a security company providing anti-spam services (including SMS spam protection). Where is your machine located? Did you rent it? If yes, that could explain why the machine tried to connect to a service on this site. Maybe your provider is using security features provided by cloudmark?!
:)
Jan
Re: weired logs
On Thursday 08 November 2007 Jan wrote:
> Hans-J. Ullrich wrote:
>> Hi all,
>> just a question. I found this entry in my logs:
>> Nov 7 21:02:21 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
>> Nov 7 21:02:21 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
>> Nov 7 21:02:25 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
>> Nov 7 21:02:25 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
>> It looks like my host tried to connect to c105.cloudmark.com port:2703. I never tried to do this, so this might be caused by an application (which might be a security hole), someone attacked me, or this was caused by my running tor.
>> What is port 2703 ?
> Hi,
> The port 2703 is not regular:
> prometheus ~ # grep 2703 /etc/services
> -- no results
> After I spent some time on google for you I found this interesting article: http://www.auditmypc.com/port/udp-port-2703.asp
> It seems to be an application for SMS transferring or sth. stupid like that.
> Try to locate the port by using netstat and isolate the socket and the matching PID of the process. The rest should be a piece of cake :)

Hi Jan,
there is no port 2703 being used. IMO my host is trying to connect to cloudmark.com at port 2703 (outgoing traffic) without my interaction. And THIS is a security hole. Otherwise someone made my host try to connect to this. This should be hamstrung !
I will watch this; if I might find out which application was attacked, I will inform the maintainer.
Thanks for your help !

>> Regards
>> Hans
> Best Regards
> Jan

Cheers
Hans
Re: weired logs
On Thursday 08 November 2007 Jan wrote:
> Jan wrote:
>> Hans-J. Ullrich wrote:
>>> Hi all,
>>> just a question. I found this entry in my logs:
>>> Nov 7 21:02:21 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
>>> Nov 7 21:02:21 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
>>> Nov 7 21:02:25 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
>>> Nov 7 21:02:25 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
>>> It looks like my host tried to connect to c105.cloudmark.com port:2703. I never tried to do this, so this might be caused by an application (which might be a security hole), someone attacked me, or this was caused by my running tor.
>>> What is port 2703 ?
>> Hi,
>> The port 2703 is not regular:
>> prometheus ~ # grep 2703 /etc/services
>> -- no results
>> After I spent some time on google for you I found this interesting article: http://www.auditmypc.com/port/udp-port-2703.asp
>> It seems to be an application for SMS transferring or sth. stupid like that.
>> Try to locate the port by using netstat and isolate the socket and the matching PID of the process. The rest should be a piece of cake :)
>
> Addition: I took a look at cloudmark.com after my first response. It seems to be a security company providing anti-spam services (including SMS spam protection). Where is your machine located? Did you rent it? If yes, that

No, my machine is my notebook at home, but it is running night and day.

> could explain why the machine tried to connect to a service on this site. Maybe your provider is using security features provided by cloudmark?!

Hmm, relating to this, my idea is, it could be that spamassassin tried to connect to cloudmark.com. I did not discover cloudmark.com in the web somehow. So it might be no attack at all. I think I will pay attention at all, but forget about this case.

> :)
> Jan

Thanks for any help !
Regards
Hans
Re: weired logs
> What is port 2703 ?

Nothing special. Well, tor seems to be assembling quite some networking infrastructure. Utility http servers like privoxy or eisfair (used with TOR) can be configured to connect through unusual ports. Astaro anti-spam update also used port 2703.
If you really need to track it, install wireshark. Or use simple commandline tools like ps, ping, whois, nmap.

# ping c105.cloudmark.comrk.com
PING c105.cloudmark.com (208.83.136.25) 56(84) bytes of data.
From 64.95.143.66 icmp_seq=5 Packet filtered
From 64.95.143.66 icmp_seq=11 Packet filtered
From 64.95.143.66 icmp_seq=12 Packet filtered

# whois 208.83.136.25
OrgName:    Cloudmark, Inc.
OrgID:      CLOUD-2
Address:    128 King St.
City:       San Francisco
StateProv:  CA
PostalCode: 94107
Country:    US

# whois 64.95.143.66
Internap Network Services PNAP-05-2000 (NET-64-94-0-0-1) 64.94.0.0 - 64.95.255.255
CloudMark INAP-SJE-CLOUDMARK-1064 (NET-64-95-143-64-1) 64.95.143.64 - 64.95.143.71

http://www.cloudmark.com/ Anti-spam, Anti-virus and Anti-phishing for Service Providers

hth
m°
Re: weired logs
On Thursday 08 November 2007 Ernest jw ter Kuile wrote:
> On Thursday 08 November 2007, Hans-J. Ullrich wrote:
>> Nov 7 21:02:25 protheus2 check[7476]: [ 3] Unable to connect to c105.cloudmark.com:2703; Reason: Connection refused.
>                                7476
> The number between the square brackets is the process ID of whatever generated the message. check is the process name it is using, but that might be too generic. Since the process ID doesn't seem to change for each message, have a look at whatever that is.
> Ernest

Hi Ernest !
Ah, yes, now it all makes sense ! The process with number 7476 was spamd. With the information by Jan it is confirming my thoughts: spamd is connecting to a provider which inhibits spam: cloudmark.com. And cloudmark.com was not reachable. So everything explains itself.
I forgot that the number in brackets is the PID (shame on me !), I should have known better !
Thank you (and all the others who helped) for your information !

Cheers
Hans
Re: weired logs
> Hmm, relating to this, my idea is, it could be that spamassassin tried to connect to cloudmark.com. I did not discover cloudmark.com in the web somehow. So it might be no attack at all. I think I will pay attention at all, but forget about this case.

That's almost certainly razor, running as a SA plugin.

Mike.