Are these attempts actually happening when you are browsing these sites? My first thought was that these are probably just probes with spoofed source addresses. Someone is scanning for NFS and M$SQL. However, if they occur in response to your browsing, then I guess not. Obviously, web servers should not be doing this, so I would consider it malicious. Another thought... do you have any port redirection between you and the web servers you are visiting? In other words, is there any chance that these web servers are trying to respond back to you appropriately on a high port, but some of your high ports are being redirected to 2049 and 1433? Total shot in the dark, I know. ...Kevin > -----Original Message----- > From: plug-discuss-admin@lists.PLUG.phoenix.az.us > [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of Jay > Kalafus > Sent: Tuesday, December 12, 2000 2:43 PM > To: plug-discuss@lists.PLUG.phoenix.az.us > Subject: Re: Traffic on blocked ports... > > > I guess I didn't state my question well..... Why would a web server > that I was connected to try to gain access to those ports? > > If I am surfing Slashdot all of my interactions with that web server > should be between port 80 on slashdot's server and the port the on my > box that initiated the connection. There should be no traffic from > their server to these ports. > > Why would slashdot want to get a connection to my SQL server (I don't > have one.. ) or to NFS ? And yes, I have seen this traffic come from > slashdot as well as other popular websites. And it is always to ports > 2049 and 1433 not any others. > > Jay...