Incidents
Source port 445,80 Sep 05 2007 10:47AM
Wong Yu Liang (wong yuliang vads com) (1 replies)
Re: Source port 445,80 Sep 05 2007 09:36PM
Valdis Kletnieks vt edu (1 replies)
On Wed, 05 Sep 2007 18:47:42 +0800, Wong Yu Liang said:

> Lately I've been getting a lot of awkward alerts with source port 445.
> A few different source IPs are connecting to one single IP
> from the source port 445, to random destination high ports.

Is the destination IP address one that could conceivably be calling
the *source* IPs on those ports, and you're looking at the *return* traffic?

If so, it could be that the destination IP is being tricked into visiting
malicious websites and the like, and what you're seeing is the website sending
more malware down the now-open connection....

(Just asking, because for a *long* time, we had to keep a canned response
form for "ntp-1.vt.edu is hacking my ports from its port 123" complaints.
Of course, the *real* story was they enabled NTP, sent us a packet - and then
their firewall software triggered on the reply).

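The return-traffic check suggested in the reply above, as an added example that is not part of the original thread: it labels each packet arriving from a service source port (445, 80, 123) as a reply to a flow the destination host opened, or as unsolicited. The record layout, the addresses, and the `udp_timeout` value are constructed assumptions for illustration.

```python
from collections import namedtuple

# Hypothetical packet record; real firewall/IDS logs need their own parser.
Pkt = namedtuple("Pkt", "ts proto src sport dst dport flags")

# Constructed sample records (documentation address ranges), not thread data.
SAMPLE = [
    Pkt(1.00, "tcp", "192.0.2.10", 49152, "198.51.100.5", 445, "S"),
    Pkt(1.02, "tcp", "198.51.100.5", 445, "192.0.2.10", 49152, "SA"),
    Pkt(2.00, "udp", "192.0.2.10", 50123, "198.51.100.7", 123, ""),
    Pkt(2.05, "udp", "198.51.100.7", 123, "192.0.2.10", 50123, ""),
    Pkt(3.00, "tcp", "203.0.113.9", 445, "192.0.2.10", 51000, "S"),
    Pkt(400.0, "udp", "198.51.100.7", 123, "192.0.2.10", 50123, ""),
]


def classify(packets, watched_ports=(80, 123, 445), udp_timeout=60.0):
    """Label packets sent *from* a watched port as 'reply' or 'unsolicited'."""
    opened = {}  # (proto, client, cport, server, sport) -> last client packet time
    results = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.sport in watched_ports and p.dport not in watched_ports:
            # Look for the mirrored flow: did the destination call out first?
            first = opened.get((p.proto, p.dst, p.dport, p.src, p.sport))
            if first is None:
                verdict = "unsolicited"
            elif p.proto == "udp" and p.ts - first > udp_timeout:
                verdict = "unsolicited"  # outbound request is too old to match
            elif p.proto == "tcp" and "S" in p.flags and "A" not in p.flags:
                verdict = "unsolicited"  # a bare SYN is never return traffic
            else:
                verdict = "reply"
            results.append((p, verdict))
        else:
            # Packet heading *to* a service: remember who initiated the flow.
            opened[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.ts
    return results


if __name__ == "__main__":
    for pkt, verdict in classify(SAMPLE):
        print(f"{pkt.ts:7.2f} {pkt.proto} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport} [{pkt.flags or '-'}] {verdict}")
```

Alerts that come back as `reply` point at the internal host's own outbound activity as the thing to investigate; `unsolicited` ones have no matching outbound packet in the capture.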
RE: Source port 445,80 Sep 06 2007 04:17AM
Wong Yu Liang (wong yuliang vads com) (2 replies)
Re: Source port 445,80 Sep 07 2007 07:24AM
scott (redhowlingwolves bellsouth net)
Re: Source port 445,80 Sep 06 2007 04:55PM
Valdis Kletnieks vt edu (1 replies)
RE: Source port 445,80 Sep 07 2007 01:05AM
Wong Yu Liang (wong yuliang vads com) (1 replies)
Re: Source port 445,80 Sep 07 2007 04:15AM
Valdis Kletnieks vt edu