RE: help with log analysis [7:67581] posted 04/22/2003
- Subject: RE: help with log analysis [7:67581]
- From: "Matthew Webster" <nobody@xxxxxxxxxxxxxx>
- Date: Tue, 22 Apr 2003 03:45:45 GMT
As far as I can see the following is happening:
(1) source host 188.8.131.52 is talking from source port 477 to port 6588
on your machine. See for details on who owns the source ip address space.
Port 477 is the ss7ns port. I suspect that this could be something to do
with the telco standard SS7 (for signalling networks), but you can check
with Jean-Michel URSCH (ursch@xxxxxxxxxxxxxxxxx) for more details. Generally
these ports are viewed as well known and hopefully there will be a standard
available to tell you how it works - but no guarantees.
(2) source host 184.108.40.206 is talking from source port 49152 to port 22
on your machine. This one is a little more interesting, as it means that
host 220.127.116.11 is trying to attempt a secure shell login (ssh) to your
(3) source host 18.104.22.168 (port 34353) is talking to your machine on
destination port 49152, which is the same port as the source machine in (2).
22.214.171.124 belongs to a Canadian ISP - backland.net.
(4) host 126.96.36.199 belongs to Bellsouth and while I'm trying to find out
what (8/0) means this is an ICMP packet telling your machine of some traffic
problems/processes at a network layer (e.g. ping, traceroute, destination
unreachable). A similar thing is happening with source host 188.8.131.52
(a customer of Deutsche Telecom).
(5) Lastly source host 184.108.40.206 (source port 4031) is talking to your
machine (destination port 46170). This is also interesting as 4031 is a
registered port for UUCP-SSL. SSL is the secure shell login that transmits
all information over an encrypted link after the link is set up. UUCP is a
UNIX utility that copies files from one system (or machine) to another
system (or machine). Find out more from Harald Welte. Host 220.127.116.11
belongs to a customer of EUNET in Finland.
Sorry if you knew this stuff already. HTH.
Message Posted at:
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to abuse@xxxxxxxxxxxxxx
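The reply above works through each log entry by hand: look up the service registered on the port, notice when a destination port matches another entry's source port, and decode the ICMP type/code pair. The script below is an added example (not part of the original post or the GroupStudy list) that automates that same reading over a few constructed, firewall-style log lines. The line format, the sample addresses (RFC 5737 documentation ranges) and the small port-name table are assumptions for the example; the port names it uses (ss7ns, ssh, uucp-ssl) are the ones named in the reply, and the ICMP names are the standard type/code meanings.

```python
"""Annotate firewall-style log lines the way the reply above does by hand.

Added example; the log format and sample lines are constructed for it.
"""
import re
from collections import defaultdict

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
# Format assumed here: PROTO src[:sport] -> dst[:dport] [icmp_type/icmp_code]
SAMPLE_LOG = """\
TCP 192.0.2.10:477 -> 198.51.100.5:6588
TCP 192.0.2.20:49152 -> 198.51.100.5:22
TCP 192.0.2.30:34353 -> 198.51.100.5:49152
ICMP 192.0.2.40 -> 198.51.100.5 8/0
TCP 192.0.2.50:4031 -> 198.51.100.5:46170
"""

# Port names mentioned in the reply (a tiny stand-in for the IANA registry).
KNOWN_PORTS = {22: "ssh", 477: "ss7ns", 4031: "uucp-ssl"}

# Common ICMP type/code pairs; None as code matches any code for that type.
ICMP_TYPES = {
    (8, 0): "echo request (ping)",
    (0, 0): "echo reply",
    (3, None): "destination unreachable",
    (11, 0): "TTL exceeded in transit (traceroute)",
}

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?:\s+(?P<type>\d+)/(?P<code>\d+))?\s*$"
)


def parse(text):
    """Turn log text into a list of flow dicts; reject lines that do not match."""
    flows = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"line {n}: unrecognised format: {line!r}")
        d = m.groupdict()
        flows.append({
            "line": n, "proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "sport": int(d["sport"]) if d["sport"] else None,
            "dport": int(d["dport"]) if d["dport"] else None,
            "icmp": (int(d["type"]), int(d["code"])) if d["type"] else None,
        })
    return flows


def icmp_name(type_code):
    """Decode an (type, code) pair, falling back to the type-only entry."""
    t, c = type_code
    return ICMP_TYPES.get((t, c)) or ICMP_TYPES.get((t, None)) or f"type {t} code {c} (unlisted)"


def is_ephemeral(port):
    """IANA dynamic/private port range, the usual source of client-side ports."""
    return port is not None and 49152 <= port <= 65535


def annotate(text):
    """Attach a list of human-readable notes to every parsed flow."""
    flows = parse(text)
    # Which lines used a given number as a *source* port; lets us spot the
    # "destination port here == source port there" pattern from entry (3).
    sport_index = defaultdict(list)
    for f in flows:
        if f["sport"] is not None:
            sport_index[f["sport"]].append(f["line"])
    for f in flows:
        notes = []
        if f["proto"] == "ICMP":
            notes.append(f"ICMP {f['icmp'][0]}/{f['icmp'][1]}: {icmp_name(f['icmp'])}")
        else:
            if f["dport"] in KNOWN_PORTS:
                notes.append(f"inbound to {KNOWN_PORTS[f['dport']]} ({f['dport']}) on {f['dst']}")
            if f["sport"] in KNOWN_PORTS:
                notes.append(f"source port is registered as {KNOWN_PORTS[f['sport']]} "
                             f"({f['sport']}); a registered source port says little about "
                             "what the sender is actually running")
            if is_ephemeral(f["dport"]):
                notes.append(f"destination port {f['dport']} is in the dynamic range; "
                             "often a reply to a connection your host opened")
            others = [n for n in sport_index.get(f["dport"], []) if n != f["line"]]
            if others:
                notes.append(f"port {f['dport']} also appears as a source port on line(s) {others}")
        f["notes"] = notes
    return flows


if __name__ == "__main__":
    for f in annotate(SAMPLE_LOG):
        print(f"line {f['line']}: {f['proto']} {f['src']} -> {f['dst']}")
        for note in f["notes"]:
            print("   -", note)
```

The correlation step is the part worth keeping: a registered name on a source port (477, 4031) only tells you what the sender's port number is assigned to, not what is listening there, while a destination port in the dynamic range that matches a source port seen elsewhere usually marks return traffic rather than a new inbound probe.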