[Dshield] Recent Submission - Possible Firewall Misconfiguration

Keith Bergen keith at keithbergen.com
Wed Oct 8 13:17:39 GMT 2003


It may be that the server at is running a 
service like IRC. IRC will connect back to the ident port 
(113) to acquire a user name. It is pretty much a throw-back 
to the initial IRC clients that ran text-based on Unix. Most 
IRC clients just ignore these requests, or they fake 
responses to them. It used to be a security feature of IRC, 
but is now largely unused. Ident is probably used for other 
things too, but my exposure to it has only been from the IRC 

As far as the other connects, I'm not sure. Obviously :25 is 
an SMTP port.

What kind of services are you running on your side?

I did check, and is running a web site, but 
it's in Spanish.


---- Original message ----
>Date: Tue, 07 Oct 2003 22:21:34 -0400
>From: Bruce & Roma <ecarew2531 at rogers.com>  
>Subject: [Dshield] Recent Submission - Possible Firewall 
>To: list at dshield.org
>
>I have a question about one of my recent DShield submissions.
>Source IP:
>Source Port 4733 & 4734 (Twice on each port)
>Dest Port 113
>Color coded on DShield as Possible Firewall Misconfiguration
>However when I check the IP Info there were 11 other 
>seeing similar activity.  Stats were:
>Total Records Against IP: 244
>Number of Targets: 11
>Date Range: 2003-09-13 to 2003-10-07
>Port    Attacks
>113         118
>25           73
>34409         8
>35307         6
>2002          6
>35393         6
>1967          6
>35412         6
>34410         6
>2058          6
>With a number of DShield submitters seeing similar activity
>from the same IP over this period of time, is this really a
>"Firewall Misconfiguration"?
>The hostname associated with this IP was 
>registered to PANGEIA INFORMATICA LTDA in Brazil
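The distinction Keith draws above (an ident query on port 113 that follows your own outbound connection to an IRC or SMTP server is a callback, one that does not is just a probe) can be checked against your own firewall logs. The script below is an added example, not code from either message or from DShield; it assumes a constructed log format with an ISO timestamp, a direction flag and "src:port -> dst:port", and a 30-second window as the assumed gap between the outbound connect and the server's ident query.

```python
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the thread). Format assumed:
#   <ISO timestamp> <IN|OUT> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2003-10-07T22:20:10 OUT 192.0.2.10:3344 -> 198.51.100.7:6667
2003-10-07T22:20:11 IN 198.51.100.7:4733 -> 192.0.2.10:113
2003-10-07T22:20:12 IN 198.51.100.7:4734 -> 192.0.2.10:113
2003-10-07T23:05:00 IN 203.0.113.9:5120 -> 192.0.2.10:113
"""

IDENT_PORT = 113
# Assumed: an ident callback arrives within seconds of our outbound connect.
CALLBACK_WINDOW = timedelta(seconds=30)


def parse_line(line):
    """Parse one log line in the constructed format into a dict."""
    ts, direction, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "dir": direction,
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
    }


def classify_ident_hits(log_text, window=CALLBACK_WINDOW):
    """Label each inbound port-113 connection as an ident callback (preceded by
    our own outbound connection to that host, e.g. to IRC or SMTP) or as an
    unsolicited probe. Returns a list of (timestamp, remote_ip, verdict)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    recent_outbound = {}  # remote ip -> time of our last outbound connect
    verdicts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["dir"] == "OUT":
            recent_outbound[ev["dst_ip"]] = ev["ts"]
        elif ev["dir"] == "IN" and ev["dst_port"] == IDENT_PORT:
            last = recent_outbound.get(ev["src_ip"])
            if last is not None and timedelta(0) <= ev["ts"] - last <= window:
                verdict = "ident-callback"
            else:
                verdict = "unsolicited"
            verdicts.append((ev["ts"].isoformat(), ev["src_ip"], verdict))
    return verdicts


if __name__ == "__main__":
    for ts, ip, verdict in classify_ident_hits(SAMPLE_LOG):
        print(ts, ip, verdict)
```

Hits labelled "unsolicited" are the ones worth reporting; callbacks from a server you just connected to are the benign case Keith describes.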

