Re: [fw-wiz] OT? New compromise.

Probably way off base, but port 1720, isn't that part of H323? And isn't
1863 part of MSN Messenger?

First thing I do when any "new" traffic pops up is do a sniff or TCPDump
{use the -s 1500 and -w filename options} of the traffic to see what is
actually there {usually I use our firewalls, but I also use wireshark at
the workstation, or I will mirror a port on the switch and use another
machine to do the actual capture. A sniff will also give you the
traffics "IP destination". Once this is done, at your leisure, you can
either block the destination or block the port.

Once you determine there might be an issue, I think there used to be a
program called openports which would run on the machine and relate any
LISTENING or ESTABLISHED ports to the actual file that has the port
open. This would then give you the service/process/program waiting for
traffic on that port.
firewall-wizards mailing list