home | list info | list archive | date index | thread index

Re: [OCLUG-Tech] is this a known exploit?

Typically those ports are registered to IRC servers, so on initial blush I
would say yes, it's possible it is an exploit, but I don't really have more
information than that off the top of my head.

On Fri, Oct 3, 2008 at 10:57 AM, Alex H. Vandenham <ahv [ at ] avantel [ dot ] ca> wrote:

> I'm seeing tcp traffic originating from my server going from the
> 'Registered'
> ports to the port range of 6660-7000.  I do not see a pattern to the
> destination addresses but there are many.  I run 'netstat' fairly regularly
> and can't recall seeing this before.
>
> I've temporarily blocked outgoing traffic to those ports so they are all in
> the 'SYN_SENT' state.  It does not appear to be causing my known apps to
> suffer??
>
> The server is old - running FC5 with incoming traffic limited to smtp and
> http
> by a dedicated firewall/router.  The sw is as up-to-date as the FC5
> repositories (ie. outdated)
>
> I've searched google for known vulnerabilities but have not found anything
> that matches what I'm seeing.  Is it just something I've missed all this
> time
> or a true change/problem?  If it's a problem, I suppose it's time for an
> update to something more recent . . .
>
> Any ideas / suggestions / help appreciated.
>
> Thanks;
>
> Alex V.
> ====
>
> --
> This message has been scanned for viruses and
> dangerous content by Avantel Systems, and is
> believed to be clean.
>
> _______________________________________________
> Linux mailing list
> Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> http://oclug.on.ca/mailman/listinfo/linux
>

references