- port 113 hits
- Posted by reshman on October 17th, 2003
Anyone have any ideas why I would be seeing hits directed to my on port
113 -- all around the same time? Would this have anything to do with doing
a make for a port out of the ports package???
Thanks!
-Mike
21:49:25.439687 204.152.189.120.36950 > x.x.x.x.113: SWE 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556088 0,nop,wscale 0> (DF)
21:49:28.434534 204.152.189.120.36950 > x.x.x.x.113: SWE 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556388 0,nop,wscale 0> (DF)
21:49:34.437467 204.152.189.120.36950 > x.x.x.x.113: SWE 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556988 0,nop,wscale 0> (DF)
21:49:52.223520 212.50.10.144.51429 > x.x.x.x.113: S 2262108815:2262108815(0) win 5840 <mss 1460,sackOK,timestamp 334979793 0,nop,wscale 0> (DF) [tos 0x80]
21:49:55.215158 212.50.10.144.51429 > x.x.x.x.113: S 2262108815:2262108815(0) win 5840 <mss 1460,sackOK,timestamp 334980093 0,nop,wscale 0> (DF) [tos 0x80]
21:50:01.214326 212.50.10.144.51429 > x.x.x.x.113: S 2262108815:2262108815(0) win 5840 <mss 1460,sackOK,timestamp 334980693 0,nop,wscale 0> (DF) [tos 0x80]
21:50:08.110055 200.89.74.17.1288 > x.x.x.x.113: S 3341661485:3341661485(0) win 5840 <mss 1380,sackOK,timestamp 536892450 0,nop,wscale 0> (DF)
21:50:11.107743 200.89.74.17.1288 > x.x.x.x.113: S 3341661485:3341661485(0) win 5840 <mss 1380,sackOK,timestamp 536892750 0,nop,wscale 0> (DF)
21:50:17.107070 200.89.74.17.1288 > x.x.x.x.113: S 3341661485:3341661485(0) win 5840 <mss 1380,sackOK,timestamp 536893350 0,nop,wscale 0> (DF)
21:50:31.272679 195.113.161.73.35431 > x.x.x.x.113: SWE 1772927044:1772927044(0) win 5840 <mss 1460,sackOK,timestamp 143467926 0,nop,wscale 0> (DF)
21:50:34.271355 195.113.161.73.35431 > x.x.x.x.113: SWE 1772927044:1772927044(0) win 5840 <mss 1460,sackOK,timestamp 143468226 0,nop,wscale 0> (DF)
21:50:40.272963 195.113.161.73.35431 > x.x.x.x.113: SWE 1772927044:1772927044(0) win 5840 <mss 1460,sackOK,timestamp 143468826 0,nop,wscale 0> (DF)
21:50:50.507109 194.192.187.79.48444 > x.x.x.x.113: S 4051693887:4051693887(0) win 5840 <mss 1460,sackOK,timestamp 541401740 0,nop,wscale 0> (DF)
21:50:53.503095 194.192.187.79.48444 > x.x.x.x.113: S 4051693887:4051693887(0) win 5840 <mss 1460,sackOK,timestamp 541402040 0,nop,wscale 0> (DF)
21:50:59.501702 194.192.187.79.48444 > x.x.x.x.113: S 4051693887:4051693887(0) win 5840 <mss 1460,sackOK,timestamp 541402640 0,nop,wscale 0> (DF)
21:51:04.856518 150.244.30.38.38896 > x.x.x.x.113: SWE 3991035608:3991035608(0) win 5840 <mss 1460,sackOK,timestamp 92006782 0,nop,wscale 1> (DF)
21:51:07.854746 150.244.30.38.38896 > x.x.x.x.113: SWE 3991035608:3991035608(0) win 5840 <mss 1460,sackOK,timestamp 92007082 0,nop,wscale 1> (DF)
21:51:13.853151 150.244.30.38.38896 > x.x.x.x.113: SWE 3991035608:3991035608(0) win 5840 <mss 1460,sackOK,timestamp 92007682 0,nop,wscale 1> (DF)
21:51:19.770478 212.27.32.66.45304 > x.x.x.x.113: S 2373501279:2373501279(0) win 5840 <mss 1460,sackOK,timestamp 135424502 0,nop,wscale 0> (DF)
21:51:22.765533 212.27.32.66.45304 > x.x.x.x.113: S 2373501279:2373501279(0) win 5840 <mss 1460,sackOK,timestamp 135424802 0,nop,wscale 0> (DF)
21:51:28.763736 212.27.32.66.45304 > x.x.x.x.113: S 2373501279:2373501279(0) win 5840 <mss 1460,sackOK,timestamp 135425402 0,nop,wscale 0> (DF)
21:52:57.302026 130.239.18.137.33709 > x.x.x.x.113: S 2240511777:2240511777(0) win 65535 <mss 1448,nop,wscale 2,nop,nop,timestamp 1068794865 0>
21:53:03.217878 130.239.18.137.33709 > x.x.x.x.113: S 2240511777:2240511777(0) win 65535 <mss 1448,nop,wscale 2,nop,nop,timestamp 1068794876 0>
21:53:09.977973 164.8.6.249.37812 > x.x.x.x.113: S 1734835097:1734835097(0) win 5840 <mss 1460,sackOK,timestamp 99930917 0,nop,wscale 0> (DF)
21:53:12.970276 164.8.6.249.37812 > x.x.x.x.113: S 1734835097:1734835097(0) win 5840 <mss 1460,sackOK,timestamp 99931217 0,nop,wscale 0> (DF)
21:53:27.671416 203.8.116.111.53094 > x.x.x.x.113: SWE 3187565637:3187565637(0) win 5840 <mss 1460,sackOK,timestamp 515950438 0,nop,wscale 0> (DF)
21:53:30.666828 203.8.116.111.53094 > x.x.x.x.113: SWE 3187565637:3187565637(0) win 5840 <mss 1460,sackOK,timestamp 515950738 0,nop,wscale 0> (DF)
21:53:36.665948 203.8.116.111.53094 > x.x.x.x.113: SWE 3187565637:3187565637(0) win 5840 <mss 1460,sackOK,timestamp 515951338 0,nop,wscale 0> (DF)
21:56:17.252274 200.203.120.200.1649 > x.x.x.x.1434: udp 376
22:05:56.676950 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
22:05:59.668883 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
22:06:02.668756 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
22:06:05.668668 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
- Posted by Vanguard on October 17th, 2003
Port 113 is for the IDENT/auth protocol. Some old mail servers still use it,
and that is why routers might not stealth that port (because they don't want to
be known as incompatible with e-mail). My router will even ignore a
firewall rule defined within it to BLOCK on that port; http://grc.com
Shields Up still detected the port. I had to define that port 113 went to a
host that doesn't exist (and can never exist because the router's DHCP
server can never assign that IP address). Basically I defined a
virtual server that doesn't exist so any IDENT/auth request vaporizes
into a bit bucket. See http://grc.com/port_113.htm. Sounds like
someone is probing around to see if you run an ident server that will
report yourself to the probe.
- Posted by Donald Jacobsen on October 17th, 2003
Mike,
As someone else pointed out, port 113 is your ident server's port. The
most common reasons that your ident server would be probed would be either
a) as part of a general, overall port scan, or b) you're connecting to an
IRC server.
Because all of these hits were at roughly the same time, it's unlikely
that they're part of a port scan. Do you use a program such as Trillian to
connect to multiple IRC servers?
It may also be a DDoS attempt, but that's doubtful at best.
--Donald
- Posted by reshman on October 17th, 2003
That's the odd thing -- I don't use IRC or any such application. And the
addresses listed resolve to a bunch of debian-related sites (at least based
on the names).
The only thing I had going on at the time was installing a port out of the
ports package, which would have been invoking FTPs to the necessary sites.
Weird.....
Thanks for your feedback.
-Mike
- Posted by Tommy on October 17th, 2003
What O/S are you using?
- Posted by reshman on October 17th, 2003
FreeBSD 5.1
- Posted by Tommy on October 17th, 2003
It sounds like scalper. Have you gone to ports and installed 'chkrootkit'?
If not, install it and run it, and see what it comes up with.
- Posted by reshman on October 17th, 2003
chkrootkit didn't find anything.
what is scalper?
-Mike
- Posted by Tommy on October 18th, 2003
This worm uses the Apache HTTP Server chunk encoding stack overflow
vulnerability to spread itself. Currently it has only been confirmed that
this worm works on the FreeBSD platform. FreeBSD is an advanced operating
system for Intel ia32 compatible, DEC Alpha, and PC-98 architectures. It is
derived from BSD UNIX, the version of UNIX developed at the University of
California, Berkeley. It is developed and maintained by a large team of
individuals.
This worm has received some media coverage but we believe it is currently
not prevalent in the wild. So far, we have not received any customer
reports of this worm. For information regarding the vulnerability, you can
read more about it below.
http://securityresponse.symantec.com...lper.worm.html
=========================================================
I connected to an infected Apache server and got hit with it. The server
will start pinging your computer...You may want to run snort and catch a
few packets and see if you get anything from whitehats.com
This is a message from www.whitehats.com
Seeing Cyberkit Ping probes to your network? Great it's a new worm. All I
ask is that you please learn to read your IDS headers and understand which
part is the source address versus the information URL. The part that says
whitehats.com? That is the information URL not the source! Thanks
The only other known security issues I know of in BSD are sendmail and
SSH......If you are using SSH & sendmail make sure you patch them........If
you're not using them disable them from root/rc/config
- Posted by Don Kelloway on October 18th, 2003
What is TCP port 113? As stated by several others TCP port 113 is used
to support the Identification/Authentication protocol. Such may be used
by the server you are attempting to connect to when you are attempting
to connect to the server with either the SMTP, FTP, or IRC protocols.
Why do servers use IDENT/AUTH? As stated above the purpose of using
IDENT/AUTH is that the server you are attempting to connect to, would in
turn attempt to connect to your IP address on TCP port 113 before
allowing you to start the process of transmitting data. If you are/were
hosting an IDENT/AUTH server, information such as your hostname is
passed to the other server. The server in turn would use this
information to identify or authenticate your system and then allow your
system to initiate the sending of the data.
Is IDENT/AUTH mandatory? No, it's not mandatory. Years ago when the
Internet was still in its infancy, IDENT/AUTH was commonly used, but as
time passed and the Internet exploded in growth, it became less and
less used, and as a result many servers will still allow you to connect
even if you don't host an IDENT/AUTH server. It just results in slowing
down the process by a few seconds.
--
Best regards,
Don Kelloway
Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your
Security on the Internet".
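As an added illustration (not part of the thread), the Python below reads the classic one-line-per-packet tcpdump format of Mike's capture (a few of his lines are embedded as the sample), groups the SYNs to port 113 by source socket and initial sequence number, and lists the gaps between retries. A peer only retransmits a SYN with the same ISN when it got neither a SYN/ACK nor a RST, so a 3s/6s retry pattern is what a silently dropped port 113 looks like from the FTP server's side, which fits Don's point that the remote server just waits a few seconds and then gives up on IDENT.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines copied from Mike's tcpdump output in the thread,
# re-joined to one line per packet (the newsreader had wrapped them).
# x.x.x.x is his masked host; the udp line shows a non-TCP entry being skipped.
SAMPLE = """\
21:49:25.439687 204.152.189.120.36950 > x.x.x.x.113: SWE 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556088 0,nop,wscale 0> (DF)
21:49:28.434534 204.152.189.120.36950 > x.x.x.x.113: SWE 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556388 0,nop,wscale 0> (DF)
21:49:34.437467 204.152.189.120.36950 > x.x.x.x.113: SWE 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556988 0,nop,wscale 0> (DF)
21:56:17.252274 200.203.120.200.1649 > x.x.x.x.1434: udp 376
22:05:56.676950 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
22:05:59.668883 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
22:06:02.668756 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
22:06:05.668668 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
"""

# Old-style tcpdump TCP line: "time src.port > dst.port: FLAGS seq:seq(len) ..."
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+) (?P<isn>\d+):\d+\(\d+\)"
)

def parse_line(line):
    """Return a dict for a TCP line carrying the SYN flag, else None (e.g. udp)."""
    m = SYN_RE.match(line)
    if not m or "S" not in m.group("flags"):
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%H:%M:%S.%f"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dport": int(m.group("dport")), "isn": int(m.group("isn"))}

def summarize_syns(text, port=113):
    """Group SYNs to `port` by (src, sport, isn); report attempts and retry gaps (s).
    More than one attempt with the same ISN means the peer saw no reply at all,
    i.e. the port is being dropped rather than answered by an identd."""
    flows = defaultdict(list)
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["dport"] == port:
            flows[(pkt["src"], pkt["sport"], pkt["isn"])].append(pkt["ts"])
    summary = {}
    for (src, sport, _isn), times in flows.items():
        times.sort()
        gaps = [round((b - a).total_seconds(), 1) for a, b in zip(times, times[1:])]
        summary[f"{src}:{sport}"] = {"attempts": len(times), "gaps": gaps,
                                     "unanswered": len(times) > 1}
    return summary

if __name__ == "__main__":
    for flow, info in summarize_syns(SAMPLE).items():
        print(flow, info)
```

Run it against a full capture (one tcpdump line per packet) to see at a glance which peers retried and how often; a single SYN per source with no retry would instead indicate the host answered, with either a SYN/ACK from a listening identd or a RST from a closed port.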