-
November 2nd, 2003, 10:37 PM
#1
????? Something new ??????
I'm sat here, minding my own business, just outside Detroit..... Having watched the Lions beat my Raiders....., and I take a look at my firewall..... It's filled with the following:-
FWIN,2003/11/02,16:28:18 -5:00 GMT,200.244.8.49:2074,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:18 -5:00 GMT,12.219.154.217:3966,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:20 -5:00 GMT,203.106.59.148:3048,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:26 -5:00 GMT,193.170.2.89:4481,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:42 -5:00 GMT,207.28.191.115:1104,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:44 -5:00 GMT,24.27.111.49:62183,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:46 -5:00 GMT,202.8.253.213:1773,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:46 -5:00 GMT,24.27.111.49:62184,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:46 -5:00 GMT,66.156.21.163:32969,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:48 -5:00 GMT,212.160.133.5:4324,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:48 -5:00 GMT,24.27.111.49:62185,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:29:12 -5:00 GMT,193.170.2.89:4500,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:29:14 -5:00 GMT,200.53.245.29:3410,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:29:28 -5:00 GMT,217.236.21.237:3694,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:29:34 -5:00 GMT,65.34.124.219:3625,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:29:42 -5:00 GMT,213.65.59.172:65187,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:29:58 -5:00 GMT,24.27.111.49:62274,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:29:58 -5:00 GMT,24.27.111.49:62278,192.168.1.100:3162,TCP (flags:S)
It's every minute or so.... as you can see..... What is port 3162?
There seems to be no real description of its use out there.... So what is the activity?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
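One way to summarise the blocked-SYN lines quoted in the first post, as an added example that is not part of the original thread: it groups bare SYNs by destination port and reports how many distinct sources are involved, which sources come back repeatedly, and the hourly rate. The field layout is inferred only from the quoted lines, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Seven of the log lines quoted in the first post (nothing here is invented).
SAMPLE_LOG = """\
FWIN,2003/11/02,16:28:18 -5:00 GMT,200.244.8.49:2074,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:26 -5:00 GMT,193.170.2.89:4481,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:44 -5:00 GMT,24.27.111.49:62183,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:46 -5:00 GMT,24.27.111.49:62184,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:28:48 -5:00 GMT,24.27.111.49:62185,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:29:12 -5:00 GMT,193.170.2.89:4500,192.168.1.100:3162,TCP (flags:S)
FWIN,2003/11/02,16:29:58 -5:00 GMT,24.27.111.49:62274,192.168.1.100:3162,TCP (flags:S)
"""

LINE_RE = re.compile(
    r"^FWIN,(?P<date>\d{4}/\d\d/\d\d),(?P<time>\d\d:\d\d:\d\d) [^,]*,"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"(?P<proto>\w+)(?: \(flags:(?P<flags>\w+)\))?$")

def parse_line(line):
    """Parse one FWIN line; layout inferred from the quoted lines, UTC offset ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unknown record type or damaged line: skip it
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y/%m/%d %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec

def summarize(log_text):
    """Group bare-SYN connection attempts by destination port."""
    by_port = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["proto"] == "TCP" and rec["flags"] == "S":
            by_port[rec["dport"]].append(rec)
    report = {}
    for port, recs in by_port.items():
        per_src = Counter(r["src"] for r in recs)
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        report[port] = {
            "syns": len(recs),
            "sources": len(per_src),
            "repeat_sources": {ip: n for ip, n in per_src.items() if n > 1},
            "per_hour": round(len(recs) * 3600 / span) if span else None,
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Many distinct sources hitting one closed port, each with a fresh source port per attempt, is the pattern the rest of the thread tries to explain.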
-
November 2nd, 2003, 10:49 PM
#2
-
November 2nd, 2003, 11:22 PM
#3
I'm wondering if it has something to do with the StatTracker I'm using from Yahoo..... But it is coming in from so many addresses I'm not sure.... I can't see how StatTracker would spread itself around so much.......
-
November 2nd, 2003, 11:24 PM
#4
Do a netstat -a and see what comes up. Do you actually have this port open? Have you traced those addresses to their origins?
-
November 3rd, 2003, 12:04 AM
#5
I would go with MSMittens' suggestion.
-
November 3rd, 2003, 12:18 AM
#6
Ok. Tiger, I don't know about the Stat Tracker thing. I had it for the first 3 weeks and my Wall wasn't going Ape ****. I am curious what do you get when you run netstat -a or n
You probably have another type of tool that lets you view what ports are open. Take a look at it.
I haven't heard much about that Port though. Give me a sec, I will call my friend and have him do a check to see if he has that port open.
Damnit you just reminded me I don't change my roster.
Shiiiiiiiiiiiiiiiit
-
November 3rd, 2003, 01:54 AM
#7
Junior Member
http://www.foundstone.com/index.htm?...desc/fport.htm
Check out "Fport" from Foundstone... needs to run on a command prompt (from M$)
-
November 3rd, 2003, 12:05 PM
#8
The setup I have is a wireless laptop on the DMZ port of a Linksys WAP. The laptop has ZoneAlarm on it and I monitor it through VisualZone so the netstats won't help. All this activity is being blocked so I'm not worried, I'm more interested to see if someone else is seeing this huge bump in activity against this one port.
I sit at this machine every day for a couple of hours and have had VisualZone set to "knock-knock" when incoming is blocked. I had not received a single call for this port in the previous week and a half at least - then all of a sudden I'm getting them from all over at a rate of 100/hour or so.
Ms. M: If that license manager you found is the only thing one could expect to find on that port on a regular basis my guess is there's an exploit out there against it.
-
November 3rd, 2003, 12:12 PM
#9
That's the only thing I could find as a server product. There were other "SFLM" products that seemed to be manufacturing items (Something Floor Line Manager/Manufacturing).
I looked for an exploit but nothing came out directly. There could be exploits or there could be a DNS misconfiguration pointing to the Licensing product but giving the wrong address.
-
November 3rd, 2003, 12:27 PM
#10
Ms. M: Damn, you're as nutty as me being on the computer this early.....
DNS error is a possibility I guess but the SFLM site isn't very clear about what the heck it licenses so I wonder why so many of these, clearly, home machines from all over the world would be looking for it.... Looking around, the app seems to be *nix only and I nmapped a couple of boxes and they look a lot like Windows boxes to me..... <shhhh, that'll be our little secret.... >
I'll be taking a good look through my firewall logs when I get to work to see if I have been picking it up there too. I'll tell you what I find there at about 8:30-9:00 EST. If I'm not seeing it there too then your DNS theory definitely holds more water.