Security Incidents mailing list archives
Re: tcp 17888
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 8 Oct 2003 08:18:32 -0700 (PDT)
David,

Comment inline...
While monitoring my firewall I noticed a lot of incoming tcp packets to port 17888. All were dropped, so there has been no damage or intrusion. I fired up tcpdump and let it catch all the packets for 2 hours and using ethereal I found 11105 packets from approx. 30 different sources. All packets had the SYN flag and most of the time there were 3 packets from the same source port. Many of the source ip's had attempts from numerous different ports. Google returned information on "netlet" when queried for "tcp 17888". I am not familiar with netlet, it seems to me to be some type of rpc.
Interesting approach. "I don't know what netlet is, so this traffic must be rpc." What makes you say this? You have only the SYN flag in the packets to go on. Did you find information someplace else that you're not sharing that could explain this?
Since it seems to be rpc my guess is someone looking for another machine to own.
Sometimes this is a good assumption for any probe. However, it seems as if you're making an assumption without a great deal of support...again, why rpc?
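An added example, not part of the original thread: a short Python summary of the kind of capture described in the quoted message, counting bare-SYN packets to port 17888 per source and per (source address, source port) pair. The input format (text output of `tcpdump -nn -tt`), the function name `summarize` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in `tcpdump -nn -tt` text format (documentation
# addresses; not data from the original post).
SAMPLE = """\
1065625100.10 IP 192.0.2.10.40112 > 198.51.100.5.17888: Flags [S], seq 1000, win 5840, length 0
1065625103.10 IP 192.0.2.10.40112 > 198.51.100.5.17888: Flags [S], seq 1000, win 5840, length 0
1065625109.10 IP 192.0.2.10.40112 > 198.51.100.5.17888: Flags [S], seq 1000, win 5840, length 0
1065625120.40 IP 192.0.2.10.40113 > 198.51.100.5.17888: Flags [S], seq 2000, win 5840, length 0
1065625101.70 IP 203.0.113.7.3321 > 198.51.100.5.17888: Flags [S], seq 3000, win 16384, length 0
1065625104.70 IP 203.0.113.7.3321 > 198.51.100.5.17888: Flags [S], seq 3000, win 16384, length 0
1065625130.00 IP 203.0.113.7.3400 > 198.51.100.5.80: Flags [S.], seq 1, ack 2, win 100, length 0
"""

LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"\d+\.\d+\.\d+\.\d+\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def summarize(text, dport=17888):
    """Group bare-SYN packets to `dport` by source and by (source, source port)."""
    per_attempt = Counter()            # (src, sport) -> packet count
    ports_per_src = defaultdict(set)   # src -> distinct source ports seen
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or int(m["dport"]) != dport or m["flags"] != "S":
            continue  # skip unparsable lines, other ports, anything but a bare SYN
        key = (m["src"], int(m["sport"]))
        per_attempt[key] += 1
        ports_per_src[m["src"]].add(key[1])
    return {
        "packets": sum(per_attempt.values()),
        "sources": len(ports_per_src),
        "attempts": len(per_attempt),
        # how many (src, sport) pairs sent 1, 2, 3... packets
        "packets_per_attempt": Counter(per_attempt.values()),
        "ports_per_source": {s: len(p) for s, p in ports_per_src.items()},
    }

if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(name, value)
```
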
Current thread:
- tcp 17888 David Vestal (Oct 08)
- Re: tcp 17888 Harlan Carvey (Oct 08)