If they are internal addresses, have you:

1. checked to see if the machine is alive (ping or a 'polite' port scan) -
if it is, ask the operator if he knows anything, or ask to be allowed to
check yourself what is running on it. It's possible that it is not a spoofed
address but rather an infected machine. 

2. checked if other machines are getting hit that way? Do you have access to
more machines, preferably in your subnet, or even better, can you log/sniff
the network traffic in your subnet to see what else those addresses are
doing?

3. examined the payload to see what is happening? You can try setting up a
netcat listener and just sending the output to a text file to see what the
attacker is trying to do.

4. reported it to your computer security helpdesk or whatever there is at UC
Irvine? They may be able to correlate it with activity happening all over
the network.

That many hits does not sound like any kind of live/smart attacker. It
sounds more like a script or a virus. 

It sounds particularly like a virus/worm if there are more and more machines
joining in. They may be looking for infected machines (that were infected in
another manner entirely) that would be listening on that port.

I would be happy to help you more if you like. Just send me email with the
results of the four things above.

badenIT GmbH
System Support
 
Chris Meidinger
Tullastrasse 70
79108 Freiburg


-----Original Message-----
From: Charley Hamilton [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 6:19 PM
To: 'Security Basics Mailing List'
Subject: Re: What runs on TCP 55317?


Thanks for the hints.  I was apparently unclear about the situation
a little.  I got several replies suggesting I use activeports/fport/etc.
I wanted to clarify that there isn't anything *listening* on 55317,
just a number of machines hitting that port.

I'll take a look around regarding the 'bots.  Sselt didn't yield much.

Thanks again,

Charley

-- 
Charles Hamilton, PhD EIT               Faculty Fellow
Department of Civil and                 Phone: 949.824.3752
     Environmental Engineering           FAX:   949.824.2117
University of California, Irvine        Email: [EMAIL PROTECTED]
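
Added example, not part of either message: a Python stand-in for the netcat listener suggested in step 3 of the reply, which also tallies hits per source address for the comparison in step 2. The function names and the log file name are assumptions made for illustration.

```python
import socket
import time
from collections import Counter

PORT = 55317  # the port from the thread's subject line

def open_listener(port=PORT, host="0.0.0.0"):
    """Bind a plain TCP listener; nothing is ever sent back to the peer."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(64)
    return srv

def capture(srv, log_path, max_conns, read_timeout=5.0, max_bytes=4096):
    """Log source and first payload of max_conns connections; return hits per IP."""
    hits = Counter()
    with open(log_path, "a") as log:
        for _ in range(max_conns):
            conn, (ip, sport) = srv.accept()
            with conn:
                conn.settimeout(read_timeout)
                try:
                    data = conn.recv(max_bytes)
                except (socket.timeout, ConnectionError):
                    data = b""  # peer connected but sent nothing usable
            hits[ip] += 1
            stamp = time.strftime("%Y-%m-%dT%H:%M:%S")
            # hex keeps binary payloads intact; repr gives a readable view
            log.write(f"{stamp} {ip}:{sport} len={len(data)} "
                      f"hex={data.hex()} text={data!r}\n")
            log.flush()
    return hits

if __name__ == "__main__":
    # Hypothetical log file name; stops after 100 connections.
    with open_listener() as listener:
        counts = capture(listener, "port55317.log", max_conns=100)
        for ip, n in counts.most_common():
            print(f"{n:5d}  {ip}")
```

A source that connects and sends nothing shows up with len=0, which is itself useful to pass along with the results.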


