Traffic on blocked ports...

Kevin Saling networkpro@email.com
Tue, 12 Dec 2000 15:05:26 -0700


Are these attempts actually happening when you are browsing these sites?  My
first thought was that these are probably just probes with spoofed source
addresses.  Someone is scanning for NFS and M$SQL.  However, if they occur
in response to your browsing, then I guess not.

Obviously, web servers should not be doing this, so I would consider it
malicious.

Another thought... do you have any port redirection between you and the web
servers you are visiting?  In other words, is there any chance that these
web servers are trying to respond back to you appropriately on a high port,
but some of your high ports are being redirected to 2049 and 1433?  Total
shot in the dark, I know.

...Kevin


> -----Original Message-----
> From: plug-discuss-admin@lists.PLUG.phoenix.az.us
> [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of Jay
> Kalafus
> Sent: Tuesday, December 12, 2000 2:43 PM
> To: plug-discuss@lists.PLUG.phoenix.az.us
> Subject: Re: Traffic on blocked ports...
>
>
> I guess I didn't state my question well.....   Why would a web server
> that I was connected to try to gain access to those ports?
>
> If I am surfing Slashdot all of my interactions with that web server
> should be between port 80 on slashdot's server and the port on my
> box that initiated the connection.  There should be no traffic from
> their server to these ports.
>
> Why would slashdot want to get a connection to my SQL server (I don't
> have one.. ) or to NFS ?   And yes, I have seen this traffic come from
> slashdot as well as other popular websites.  And it is always to ports
> 2049 and 1433 not any others.
>
> Jay...
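
One way to check the question Kevin raises (probe, or a web server answering a connection you opened), as an added example that is not part of either message. It sorts blocked-packet log entries by source port and TCP flags. The log format, addresses and function names are constructed for illustration, and it assumes the local stack can pick 2049 or 1433 as the client-side port of an outbound web connection.

```python
import re
from collections import Counter

# Constructed, simplified log format (not any real firewall's output):
#   <src_ip>:<src_port> -> <dst_ip>:<dst_port> flags=<comma-separated TCP flags>
LINE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" flags=(?P<flags>[A-Z,]*)"
)
WATCHED = {2049: "NFS", 1433: "MS SQL"}  # the two blocked ports from the thread

def classify(line):
    """Label one blocked packet as 'probe', 'reply', 'unknown', 'other' or 'unparsed'."""
    m = LINE.search(line)
    if not m:
        return "unparsed"
    sport, dport = int(m["sport"]), int(m["dport"])
    flags = set(filter(None, m["flags"].split(",")))
    if dport not in WATCHED:
        return "other"
    # A bare SYN asks to open a new connection to the service: a scan or probe.
    if flags == {"SYN"}:
        return "probe"
    # ACK-bearing traffic from port 80 answers a connection this host started,
    # which happened to use 2049 or 1433 as its local port.
    if sport == 80 and "ACK" in flags:
        return "reply"
    return "unknown"

def summarize(lines):
    """Count classifications over a list of log lines."""
    return Counter(classify(l) for l in lines)

# Constructed sample entries using documentation address ranges.
SAMPLE = [
    "198.51.100.7:80 -> 192.0.2.10:2049 flags=SYN,ACK",
    "198.51.100.7:80 -> 192.0.2.10:1433 flags=ACK,PSH",
    "203.0.113.50:4312 -> 192.0.2.10:1433 flags=SYN",
    "203.0.113.50:4313 -> 192.0.2.10:2049 flags=SYN",
    "198.51.100.7:80 -> 192.0.2.10:3021 flags=ACK",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{classify(entry):8} {entry}")
    print(dict(summarize(SAMPLE)))
```

Entries labelled "reply" point at a filter rule that blocks by destination port without looking at connection direction; entries labelled "probe" are the scans Kevin first suspected.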