Security Incidents mailing list archives
Re: Port 17889 - new attack?
From: James Willmore <jwillmore () cyberia com>
Date: Thu, 11 Oct 2001 01:37:27 -0400
As of the writing of this email, I have not seen anymore of these packets. However, would this theory hold true if the servers (5 that I saw and emailed the admins of) on different subnets all sent packets at generally the same time? Does this portal act as a distributed network - allowing many servers communicate at the same time? I take it that since it's an ecommerce portal, that maybe all these servers need to reconcile books at the same time? On Tue, 9 Oct 2001 12:07:05 -0400 "Christian Sarmoria" <cgsarmor () ecs syr edu> wrote:
Could be Netlet, on its default configuration, since Netlet server listens on ports 9877 and 9878, and connects to ports 17888 and 17889 on the intranet server 'intra-serv', respectively. Although it could be something else out there connecting to your machine on port 17889, you can take a look at Netlet (iPlanet Portal Server too) at: http://docs.iplanet.com/docs/manuals/portal/30/ag/netlet.htm It's quite long, but do a 'find' for '17889' in the loaded web page to go to the relevant part of the document. Good luck. Christian. ----- Original Message ----- From: "James Willmore" <jwillmore () cyberia com> To: <focus-virus () securityfocus com>; <incidents () securityfocus com>; <SECURITY-BASICS () securityfocus com> Sent: Tuesday, October 09, 2001 1:51 AM Subject: Port 17889 - new attack?This is an email sent to me by SWATCH. I've gotton quite a few of thesepackets from various sources. What is this?? Although I have dropped the packet, I wonder what this is.Any ideas, thoughts, answers are welcomed. Thanks. Begin forwarded message: Date: Tue, 9 Oct 2001 01:34:22 -0400 From: root <root@xxxx> To: root@xxxx Subject: 'SWATCH - Droped packet' Oct 9 01:34:15 xxxx kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC=SRC=172.180.19.4 DST=x.x.x.x LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=63493 DF PROTO=TCP SPT=21027 DPT=17889 WINDOW=8192 RES=0x00 SYN URGP=0-- Jim Willmore jwillmore () cyberia com ----------------------------------------------------------------------------This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-- Jim Willmore jwillmore () cyberia com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Port 17889 - new attack? James Willmore (Oct 09)
- Re: Port 17889 - new attack? Christian Sarmoria (Oct 09)
- Re: Port 17889 - new attack? James Willmore (Oct 11)
- Re: Port 17889 - new attack? Arta (Oct 11)
- Re: Port 17889 - new attack? James Willmore (Oct 11)
- Re: Port 17889 - new attack? Christian Sarmoria (Oct 09)