Re: [fw-wiz] OT? New compromise.



Probably way off base, but port 1720, isn't that part of H.323? And isn't
1863 part of MSN Messenger?

The first thing I do when any "new" traffic pops up is do a sniff or tcpdump
(use the -s 1500 and -w filename options) of the traffic to see what is
actually there (usually I use our firewalls, but I also use Wireshark at
the workstation, or I will mirror a port on the switch and use another
machine to do the actual capture). A sniff will also give you the
traffic's IP destination. Once this is done, at your leisure, you can
either block the destination or block the port.

Once you determine there might be an issue, I think there used to be a
program called openports which would run on the machine and relate any
LISTENING or ESTABLISHED ports to the actual file that has the port
open. This would then give you the service/process/program waiting for
traffic on that port.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
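As an added example (not from the post above or the list), here is the "sniff with -w, then read off the IP destination" step done offline in Python: a small reader for the classic libpcap file that `tcpdump -s 1500 -w filename` writes, which tallies packets by protocol, destination address and destination port so you can decide whether to block the host or the port. The capture it reads is constructed in memory, so the script runs without root or a live interface; the addresses and ports in it are made up for the example and are not from the original thread.

```python
"""Summarise where captured traffic is going, from a pcap written by
`tcpdump -s 1500 -w file`.  Added example; the sample capture below is
constructed in memory so the script runs offline with no root needed."""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones' complement checksum over an IPv4 header (even length)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int) -> bytes:
    """Build an Ethernet/IPv4/{TCP,UDP} frame (constructed test data, not real traffic)."""
    if proto == 6:   # minimal TCP SYN: seq/ack 0, data offset 5, window 65535
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:            # UDP with an empty payload: length 8, checksum 0
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    src = bytes(map(int, src_ip.split(".")))
    dst = bytes(map(int, dst_ip.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in header checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def build_pcap(frames, snaplen: int = 1500) -> bytes:
    """Serialise frames into classic libpcap format, little-endian, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_frames(data: bytes):
    """Yield (captured_bytes, original_length) per record; handles either byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # file written on a little-endian host
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # file written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    pos = 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len], orig_len
        pos += incl_len


def summarize_destinations(pcap: bytes) -> Counter:
    """Count packets per (protocol, destination IP, destination port) for IPv4 TCP/UDP."""
    counts = Counter()
    for frame, _orig_len in iter_pcap_frames(pcap):
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                                  # not IPv4 (ARP, IPv6, ...): ignore
        ip = frame[14:]
        if len(ip) < 20 or ip[0] >> 4 != 4:
            continue
        ihl = (ip[0] & 0x0F) * 4                      # header length honours IP options
        proto = ip[9]
        dst_ip = ".".join(str(b) for b in ip[16:20])
        l4 = ip[ihl:]
        if proto not in PROTO_NAMES or len(l4) < 4:  # ports live in the first 4 L4 bytes
            continue
        dport = struct.unpack("!H", l4[2:4])[0]
        counts[(PROTO_NAMES[proto], dst_ip, dport)] += 1
    return counts


# Constructed sample capture: one workstation talking to two hosts on 1720 and 1863.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.50", "203.0.113.10", 6, 50001, 1720),
    build_frame("192.168.1.50", "203.0.113.10", 6, 50002, 1720),
    build_frame("192.168.1.50", "198.51.100.7", 6, 50003, 1863),
    build_frame("192.168.1.50", "198.51.100.7", 17, 50004, 1863),
])

if __name__ == "__main__":
    for (proto, ip, port), n in summarize_destinations(SAMPLE_PCAP).most_common():
        print(f"{n:4d}  {proto:5s} -> {ip}:{port}")
```

To run it against a real file, replace SAMPLE_PCAP with the contents of the `-w` output (`open("filename", "rb").read()`). tcpdump writes this classic pcap format by default; Wireshark and dumpcap write pcapng, which the reader deliberately rejects rather than misparsing.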
