[Cialug] Odd log entries on RH7.2 box

Jerry Weida cialug@cialug.org
Sun, 5 Dec 2004 07:10:05 -0600


The only time I've seen traffic to port 0, it was either a port-scan
or a DoS attack.  Most operating systems don't fall victim to this
kind of attack any longer.  Probably nothing to worry about as long as
you have confirmed that there is no listening service on these ports.


On Sun, 05 Dec 2004 01:16:38 +0000, timwilson011@mchsi.com
<timwilson011@mchsi.com> wrote:
> I was looking through my logs, and I noticed some odd entries.  I am seeing many
> ACCEPTed entries from ipchains (over 800 this week) in /var/log/messages.  The
> source ports are 0, 3, 8, 11, and 12.  The dest ports are 0, 1, 3, or 13.  I've
> looked up these ports at iana.org, but it says port 0, 8, and 12 are reserved or
> unassigned (the dest ports of 1 and 13 are tcpmux and daytime).  I don't have
> anything running on these ports.  For the ones trying to connect to port 0, all
> but 43 came from one of 2 addresses, both of these addresses belong to yahoo.com
> (for example, UNKNOWN-217-146-185-137.yahoo.com).  It seems odd to me there
> would be access on these ports, especially port 0.  I'm curious if I need to
> block any of the dest ports being hit.  Anyone have any ideas, suggestions, or
> comments?  Why would these ports be accessed?
> 
> --
> Tim W.
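Added example, not part of the original thread: a small parser that tallies ipchains `Packet log:` lines by protocol before deciding what the port numbers mean. It assumes the standard ipchains log layout, in which entries with PROTO=1 (ICMP) carry the ICMP type and code in the source- and destination-port positions; the sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the ipchains "Packet log:" layout (documentation addresses).
SAMPLE_LOG = """\
Dec  4 10:01:02 host kernel: Packet log: input ACCEPT eth0 PROTO=1 192.0.2.10:8 198.51.100.5:0 L=84 S=0x00 I=4321 F=0x0000 T=52 (#3)
Dec  4 10:01:09 host kernel: Packet log: input ACCEPT eth0 PROTO=1 192.0.2.77:3 198.51.100.5:3 L=56 S=0x00 I=991 F=0x0000 T=240 (#3)
Dec  4 10:02:41 host kernel: Packet log: input ACCEPT eth0 PROTO=1 192.0.2.77:11 198.51.100.5:0 L=56 S=0x00 I=17 F=0x0000 T=250 (#3)
Dec  4 10:03:00 host kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.10:0 198.51.100.5:0 L=40 S=0x00 I=5 F=0x0000 T=49 (#3)
Dec  4 10:03:05 host kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:53 198.51.100.5:1025 L=34 S=0x00 I=18 F=0x0000 T=254 (#5)
"""

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# ICMP types and destination-unreachable codes from the IANA ICMP registry.
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request",
              11: "time-exceeded", 12: "parameter-problem"}
UNREACH_CODES = {0: "net", 1: "host", 3: "port", 13: "admin-prohibited"}
PROTO_NAMES = {6: "tcp", 17: "udp"}

def classify(line):
    """Return (target, protocol, detail, source) for one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto, sport, dport = int(m["proto"]), int(m["sport"]), int(m["dport"])
    if proto == 1:
        # For ICMP the "ports" are really type (source side) and code (dest side).
        detail = ICMP_TYPES.get(sport, f"type-{sport}")
        if sport == 3:
            detail += "/" + UNREACH_CODES.get(dport, f"code-{dport}")
        return (m["target"], "icmp", detail, m["src"])
    name = PROTO_NAMES.get(proto, f"proto-{proto}")
    return (m["target"], name, f"{sport}->{dport}", m["src"])

def summarize(text):
    """Count log entries per (target, protocol, detail)."""
    counts = Counter()
    for line in text.splitlines():
        rec = classify(line)
        if rec:
            counts[rec[:3]] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Only entries that still show port 0 with PROTO=6 or PROTO=17 are genuine TCP or UDP traffic to port 0.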