Re: port 12980/udp

2002-08-05 Thread Javier Fernández-Sanguino Peña
On Sat, Aug 03, 2002 at 11:00:36PM +0200, Arne Schwabe wrote:
> Hi,
>
> Today I saw a lot of connection attempts to port 12980 on my
> machine. Because there are many[1] and they came from different hosts, I
> am wondering what is going on here.
>
> Arne
>
> [1]
> [EMAIL PROTECTED]/var/log$ grep "Aug  3" kern.log | grep 12980 | wc -l
> 628

These questions are starting to become somewhat of a FAQ.
My answer is, if you do not know what port is related to an attack you
are receiving, it might be worth checking:

- To see which ports are actively being probed/attacked:
http://isc.incidents.org/ or http://www.dshield.org/
(https://analyzer.securityfocus.com/ seems to have had this
info previously but does not seem to make it public
anymore). More specifically: http://isc.incidents.org/top10.html

- To see what service might be associated with a given port, check
http://www.portsdb.org/

Unfortunately a search in any of these regarding 12980
didn't return a thing so you might want to report it to ISC.

Regards

Javi
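
The `grep 12980 | wc -l` count quoted above matches any log line that contains the digits 12980, whatever field they sit in. The following is an added example, not part of the original thread: it counts only packets whose destination port is 12980 and breaks them down by source host and protocol. It assumes iptables-style LOG lines with SRC=, PROTO= and DPT= fields (the thread does not show the actual kern.log entries); the sample lines and the function names are constructed.

```shell
#!/bin/sh
# Constructed sample lines in iptables LOG style (an assumption; the thread
# does not show the real entries). Addresses are documentation ranges.
sample_log() {
cat <<'EOF'
Aug  3 10:01:12 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 ID=411 PROTO=UDP SPT=4021 DPT=12980
Aug  3 10:01:13 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 ID=412 PROTO=UDP SPT=4022 DPT=12980
Aug  3 10:02:40 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 ID=9001 PROTO=UDP SPT=1033 DPT=12980
Aug  3 10:05:02 host kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.5 ID=77 PROTO=TCP SPT=12980 DPT=80
Aug  4 08:15:30 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 ID=9100 PROTO=UDP SPT=1034 DPT=12980
Aug  3 11:20:00 host kernel: IN=eth0 OUT= SRC=198.51.100.44 DST=203.0.113.5 ID=12980 PROTO=UDP SPT=53 DPT=1025
EOF
}

# port_hits PORT [DAY]
# Reads log lines on stdin and prints "SRC PROTO" for every packet logged with
# destination port PORT. DAY (e.g. "Aug  3", syslog pads the day with a space)
# restricts the result to lines starting with that date.
port_hits() {
    awk -v port="$1" -v day="${2:-}" '
        day != "" && index($0, day) != 1 { next }   # date must start the line
        {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            # Compare the DPT field exactly; SPT=12980 or ID=12980 do not count.
            if (dpt == port && src != "") print src, proto
        }'
}

# top_sources PORT [DAY]
# Prints "COUNT SRC PROTO" per source host, busiest first.
top_sources() {
    port_hits "$@" | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $1, $2, $3 }'
}

# Usage on the constructed sample; on a real system feed kern.log on stdin.
sample_log | top_sources 12980 "Aug  3"
```

On a real log, `port_hits 12980 "Aug  3" < kern.log | wc -l` gives the corrected hit count, and the `top_sources` output is the per-host breakdown to include when reporting the probes.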



RE: port 12980/udp

2002-08-05 Thread Ditch, Derek P., MO-ARNG
Higher up ports like that are usually dynamically assigned for two-way
connections, for instance, when I run bitchX and connect to openprojects.net
#Debian, I get one or two connections back to my machine.  You can use
netstat to determine which program is currently listening on a given port.
When I connect to an IRC server the connection going out on that machine is
6667, but the returning connection, which is for data coming back I suppose,
is on a different high numbered port.  Perhaps UDP?  Hope this helps.  Check
the netstat manpage.

D
