????? Something new ??????

Thread: ????? Something new ??????

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    ????? Something new ??????

    I'm sat here, minding my own business, just outside Detroit..... Having watched the Lions beat my Raiders..... , and I take a look at my firewall..... It's filled with the following:-

    FWIN,2003/11/02,16:28:18 -5:00 GMT,200.244.8.49:2074,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:28:18 -5:00 GMT,12.219.154.217:3966,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:28:20 -5:00 GMT,203.106.59.148:3048,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:28:26 -5:00 GMT,193.170.2.89:4481,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:28:42 -5:00 GMT,207.28.191.115:1104,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:28:44 -5:00 GMT,24.27.111.49:62183,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:28:46 -5:00 GMT,202.8.253.213:1773,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:28:46 -5:00 GMT,24.27.111.49:62184,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:28:46 -5:00 GMT,66.156.21.163:32969,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:28:48 -5:00 GMT,212.160.133.5:4324,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:28:48 -5:00 GMT,24.27.111.49:62185,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:29:12 -5:00 GMT,193.170.2.89:4500,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:29:14 -5:00 GMT,200.53.245.29:3410,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:29:28 -5:00 GMT,217.236.21.237:3694,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:29:34 -5:00 GMT,65.34.124.219:3625,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:29:42 -5:00 GMT,213.65.59.172:65187,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:29:58 -5:00 GMT,24.27.111.49:62274,192.168.1.100:3162,TCP (flags:S)
    FWIN,2003/11/02,16:29:58 -5:00 GMT,24.27.111.49:62278,192.168.1.100:3162,TCP (flags:S)

    It's every minute or so.... as you can see..... What is port 3162?

    There seems to be no real description of its use out there.... So what is the activity?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    http://www.sflm.net/Faqs.html <-- perhaps it's this?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm wondering if it has something to do with the StatTracker I'm using from Yahoo..... But it is coming in from so many addresses I'm not sure.... I can't see how StatTracker would spread itself around so much.......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Do a netstat -a and see what comes up. Do you actually have this port open? Have you traced those addresses to their origins?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    Senior Member
    Join Date
    Sep 2003
    Posts
    279
    I would go with MsMittens' suggestion.
    AntiOnline Quick Forum Version 2b Click Here
    10010101000000110010001100111

  6. #6
    Banned
    Join Date
    Jun 2003
    Posts
    1,302
    Ok. Tiger I don't know about the Stat Tracker thing. I had it for the first 3 weeks and my Wall wasn't going Ape ****. I am curious what do you get when you run netstat -a or n

    You probably have another type of tool that lets you view what ports are open. Take a look at it.

    I haven't heard much about that Port though. Give me a sec I will call my friend and have him do a check to see if he has that port open.

    Damnit you just reminded me I don't change my roster.
    Shiiiiiiiiiiiiiiiit

  7. #7
    Junior Member
    Join Date
    Jan 2002
    Posts
    7
    http://www.foundstone.com/index.htm?...desc/fport.htm

    Check out "Fport" from Foundstone... needs to run on a command prompt (from M$)

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The setup I have is a wireless laptop on the DMZ port of a Linksys WAP. The laptop has ZoneAlarm on it and I monitor it through VisualZone so the Netstat's won't help. All this activity is being blocked so I'm not worried, I'm more interested to see if someone else is seeing this huge bump in activity against this one port.

    I sit at this machine every day for a couple of hours and have had the VisualZone set to "knock-knock" when incoming is blocked. I had not received a single call for this port in the previous week and a half at least - then all of a sudden I'm getting them from all over at a rate of 100/hour or so.

    Ms. M: If that license manager you found is the only thing one could expect to find on that port on a regular basis my guess is there's an exploit out there against it.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    That's the only thing I could find as a server product. There were other "SFLM" products that seemed to be manufacturing items (Something Floor Line Manager/Manufacturing).

    I looked for an exploit but nothing came out directly. There could be exploits or there could be a DNS misconfiguration pointing to the Licensing product but giving the wrong address.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ms. M: Damn, you're as nutty as me being on the computer this early.....

    DNS error is a possibility I guess but the SFLM site isn't very clear about what the heck it licenses so I wonder why so many of these, clearly, home machines from all over the world would be looking for it.... Looking around the app seems to be *nix only and I nmapped a couple of boxes and they look a lot like Windows boxes to me..... <shhhh, that'll be our little secret.... >

    I'll be taking a good look through my firewall logs when I get to work to see if I have been picking it up there too. I'll tell you what I find there at about 8:30-9:00 EST. If I'm not seeing it there too then your DNS theory definitely holds more water.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
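
Added example, not part of any post in the thread: Python that parses the ZoneAlarm log format quoted in post #1 and reports, per destination port, the blocked SYN count, distinct sources, distinct connection attempts and hourly rate, which is the tally the thread does by eye. The sample lines, the function names and the `min_sources` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Format quoted in post #1: FWIN,date,time tz,src:port,dst:port,PROTO (flags:X)
LINE = re.compile(r"^FWIN,(\d{4}/\d\d/\d\d),(\d\d:\d\d:\d\d) [^,]*,"
                  r"([\d.]+):(\d+),[\d.]+:(\d+),(\w+)(?: \(flags:(\w+)\))?$")

# Constructed sample (documentation-range sources), not the thread's own log.
SAMPLE = """\
FWIN,2003/11/02,16:28:18 -5:00 GMT,198.51.100.7:2074,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:20 -5:00 GMT,203.0.113.9:3048,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:23 -5:00 GMT,203.0.113.9:3048,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:44 -5:00 GMT,192.0.2.49:62183,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:46 -5:00 GMT,192.0.2.49:62184,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:29:12 -5:00 GMT,198.51.100.200:4500,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:29:30 -5:00 GMT,203.0.113.77:1025,192.168.1.100:135,TCP (flags:S)
not a firewall record
"""

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    date, time, src, sport, dport, proto, flags = m.groups()
    return {"ts": datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S"),
            "src": src, "sport": int(sport), "dport": int(dport),
            "proto": proto, "flags": flags or ""}

def summarize(text):
    """Per destination port: blocked SYNs, distinct sources, attempts, hourly rate."""
    ports = defaultdict(lambda: {"hits": 0, "srcs": defaultdict(set), "ts": []})
    for rec in filter(None, map(parse, text.splitlines())):
        if rec["proto"] != "TCP" or rec["flags"] != "S":
            continue  # keep only bare SYNs, like the entries in post #1
        p = ports[rec["dport"]]
        p["hits"] += 1
        p["srcs"][rec["src"]].add(rec["sport"])
        p["ts"].append(rec["ts"])
    out = {}
    for port, p in ports.items():
        span = max((max(p["ts"]) - min(p["ts"])).total_seconds(), 60.0)  # 60 s floor
        # A retransmitted SYN reuses its source port; a new port is a new attempt.
        out[port] = {"hits": p["hits"], "sources": len(p["srcs"]),
                     "attempts": sum(len(s) for s in p["srcs"].values()),
                     "per_hour": round(p["hits"] * 3600 / span)}
    return out

def distributed(summary, min_sources=4):  # many unrelated sources, not one scanning host
    return sorted(p for p, s in summary.items() if s["sources"] >= min_sources)
```

Run against a week of exported logs, a port that jumps from zero hits to many distinct sources stands out in `distributed(summarize(text))`, while a single host walking many ports does not.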
