Yea,

        The remote port is not real critical in the process, it's the target
port of the Server/Connection being requested that would stay constant, the
source port is just pulled off a range of available for connections !
Still think the Win/95 PCs are trying to locate a mounted resource that is
missing somewhere and was defined as a netbios connection.  If you have a
sniffer you could take the packet apart to find out for sure...

http://www.iana.org/assignments/port-numbers

netbios-ssn     139/tcp    NETBIOS Session Service
as-servermap    449/tcp    AS Server Mapper
vp2p            8473/tcp    Virtual Point to Point


Since it's after midnight here it is time to crash....  Good luck..

JMS...
=======
Jeffrey M. Silberberg
Independent Consultant
CompuDesigns, Inc.
Atlanta, GA.

AS SOON AS I KNOW THE ANSWERS
THEY CHANGE THE QUESTIONS

----- Original Message -----
From: srichter <srichter@mail.autocoder.com>
To: <midrange-l@midrange.com>
Sent: Wednesday, August 15, 2001 11:54 PM
Subject: Re: system under attack?


> Jeffrey,
>
> The branch/site that is the source of the trouble only has win95 pc's.
> Only 1 pc shows up with activity in NetStat right now. NetStat shows the
> local port as 139, 449, 8470 and 8473. Mostly 449 ( as-svrmap ). The remote
> port keeps on incrementing by 2 within the range of 1500 to 4000.
>
> Steve Richter
>
>
> ---------- Original Message ----------------------------------
> From: "Jeffrey Silberberg" <jsilberberg@mindspring.com>
> Reply-To: midrange-l@midrange.com
> Date: Wed, 15 Aug 2001 23:36:50 -0400
>
> >Steve,
> >
> >        I would look for a Windoze or UNIX/SMB server that is down, that
> >normally supplies a mount to the systems on this segment.  I think you are
> >seeing a client attempting to re-mount a shared disk partition somewhere,
> >and your iSeries box is seeing the requests.  NOTE: There is a major change
> >to these messages in V4R5 documented in the Memo to users.  You could/should
> >look at your routers to see what ports are being passed, and if you are not
> >mounting any of the IFS stuff close off these requests with a deny rule.
> >
> >        Also, you could do an Exit program to drop these on the floor, but
> >depending on the volume this could busy the connection to the point of
> >becoming a Denial-of-service storm so I would rather see you block it on the
> >router..
> >
> >    From the Web Site Document : http://www.faqs.org/faqs/firewalls-faq/
> >For example, a web server running on NT might be vulnerable to a number of
> >denial-of-service attacks against such services as RPC, NetBIOS and SMB.
> >These services are not required for the operation of a web server, so
> >blocking TCP connections to ports 135, 137, 138, and 139 on that host will
> >reduce the exposure to a denial-of-service attack.
> >
> >HUM: Second night in a row of I quoted from here !!
> >
> >Jeffrey M. Silberberg
> >Independent Consultant
> >CompuDesigns, Inc.
> >
> >AS SOON AS I KNOW THE ANSWERS
> >THEY CHANGE THE QUESTIONS
> >
> >
> >
> >
> >
> >----- Original Message -----
> >From: srichter <srichter@mail.autocoder.com>
> >To: <midrange-l@midrange.com>
> >Sent: Wednesday, August 15, 2001 10:21 PM
> >Subject: Re: system under attack?
> >
> >
> >> >Depending on your version of OS/400, there may be PTFs to fix your
> >> >problem.  See, for example, PTF SF60551.  What version of OS/400 are you
> >>
> >> v4r4.
> >> ptf sf60551 is perm applied.
> >>
> >> It's pretty wild.
> >> With all the msgs, the system is creating an 800k history log file every
> >> 15 minutes.
> >> I asked the night person at the branch to power off all the pc's. And the
> >> NetStat activity continues.  He must have missed a pc.
> >> I vary off all the devices and controllers, no chg. ( pc must be ip
> >> connected instead of netsoft )
> >> When I hold the "QPWFSERVSO" job, the NetStat activity stops. But we
> >> released it again because we don't know what the job does and the impact of
> >> holding it.
> >>
> >> The plan is to call ibm in the morning.
> >>
> >> Thanks Gary,
> >>
> >> Steve Richter
> >>
> >>
> >> _______________________________________________
> >> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
> >list
> >> To post a message email: MIDRANGE-L@midrange.com
> >> To subscribe, unsubscribe, or change list options,
> >> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> >> or email: MIDRANGE-L-request@midrange.com
> >>
> >
> >
> >
> >
>
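The distinction drawn in the message above, that the local (service) port stays constant and identifies what is being requested while the client's source port just keeps changing, shown as an added example that is not part of the original thread. The row format, addresses and the `min_conns` threshold are constructed assumptions; the service names come from the port list in the message, and ports the thread does not name are reported as "unlisted".

```python
from collections import Counter, defaultdict

# Names for the local ports, taken from the port list quoted in the thread.
# Ports the thread does not name (8470 included) are reported as "unlisted".
SERVICES = {139: "netbios-ssn", 449: "as-servermap", 8473: "vp2p"}

# Constructed sample, not real NETSTAT output. Columns are an assumption:
# remote address, remote (source) port, local (service) port.
SAMPLE = """\
192.0.2.23 1500 449
192.0.2.23 1502 139
192.0.2.23 1504 449
192.0.2.23 1506 8473
192.0.2.23 1508 449
192.0.2.23 1510 8470
192.0.2.23 1512 449
192.0.2.40 2211 449
"""

def parse(text):
    """Return (remote_addr, remote_port, local_port) tuples, skipping bad rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
            rows.append((parts[0], int(parts[1]), int(parts[2])))
    return rows

def summarize(rows, min_conns=5):
    """Group connections by client and flag clients that look stuck in a retry loop."""
    by_host = defaultdict(list)
    for addr, rport, lport in rows:
        by_host[addr].append((rport, lport))
    report = {}
    for addr, conns in by_host.items():
        rports = sorted({r for r, _ in conns})
        steps = Counter(b - a for a, b in zip(rports, rports[1:]))
        step, hits = steps.most_common(1)[0] if steps else (None, 0)
        report[addr] = {
            "connections": len(conns),
            # The local port identifies the service being asked for.
            "services": dict(Counter(SERVICES.get(l, "unlisted") for _, l in conns)),
            "source_port_step": step,
            # Many connections whose source ports climb by one fixed step
            # suggest a single client reconnecting over and over.
            "retry_loop": len(conns) >= min_conns and hits == len(rports) - 1,
        }
    return report
```

Calling `summarize(parse(SAMPLE))` returns one entry per remote address; the entry with `retry_loop` set is the client to go and find on the segment.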





This mailing list archive is Copyright 1997-2026 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
