Re: Keep connecting to remote host on port 7869: msg#00223 security.incidents
In-Reply-To: <20021026093047.GA30704@xxxxxxxxxxxxx>

After detailed investigation, I've found that it is really caused by the PHP debugger. All packets disappeared after I turned off the debugging feature of PHP.

But what caused the PHP debugging to remotely send information out? Is it a sign of a hacker, or are there actually some bugs with the PHP programs? Coz I am running SquirrelMail on that mail server.

>Date: Sat, 26 Oct 2002 09:30:47 +0000
>From: Luis Bruno <lbruno@xxxxxxx>
>To: incidents@xxxxxxxxxxxxxxxxx
>Subject: Re: Keep connecting to remote host on port 7869
>Message-ID: <20021026093047.GA30704@xxxxxxxxxxxxx>
>References: <20021025030417.1973.qmail@xxxxxxxxxxxxxxxxxxxxxx>
>
>Frank Cheong wrote:
>> My redhat linux mail host keeps connecting to other remote host quite
>> frequently on remote port 7869.
>> [snip]
>> Below is the firewall log (IP address being modified) :
>>
>> 10/23/2002 11:13:36.640 - TCP connection dropped -
>> Source:123.123.123.123, 51321, LAN -
>> Destination:234.234.234.234, 7869, WAN - Type: 786 -
>> Rule 66
>
>If your firewall drops the connection thru a TCP RST, change it so that
>it silently drops the packets. This will make the linux box hang waiting
>for a timeout.
>
>Then execute:
>
>    netstat -tanp | grep <port>
>
>on the linux box, where <port> is the source port you see in the Source:
>line on your firewall logs.
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
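The lookup described in the quoted reply (take the source port from the firewall log, then find the socket's owner in `netstat -tanp` output), as an added example that is not part of the original thread. It assumes one firewall event per line in the format quoted above; the second and third log lines, the netstat snapshot, the PID and the `httpd` process name are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; all sample data is constructed in the formats quoted in the thread.
SAMPLE_FW_LOG='10/23/2002 11:13:36.640 - TCP connection dropped - Source:123.123.123.123, 51321, LAN - Destination:234.234.234.234, 7869, WAN - Type: 786 - Rule 66
10/23/2002 11:14:02.115 - TCP connection dropped - Source:123.123.123.123, 51340, LAN - Destination:234.234.234.234, 25, WAN - Type: 786 - Rule 66
10/23/2002 11:15:10.902 - TCP connection dropped - Source:123.123.123.123, 51377, LAN - Destination:234.234.234.234, 7869, WAN - Type: 786 - Rule 66'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1432/httpd
tcp        0      1 123.123.123.123:51377   234.234.234.234:7869    SYN_SENT    1432/httpd'

# fw_source_ports <dport>: read firewall log lines (one event per line) on stdin,
# print the unique source ports of connections dropped towards remote port <dport>.
fw_source_ports() {
    awk -v dport="$1" '
        /Source:/ && /Destination:/ {
            src = $0; sub(/.*Source:[^,]*, */, "", src); sub(/,.*/, "", src)
            dst = $0; sub(/.*Destination:[^,]*, */, "", dst); sub(/,.*/, "", dst)
            if (dst == dport) print src
        }' | sort -un
}

# correlate <fw_log> <netstat_snapshot> <dport>: for each source port from the
# firewall log, print the state and PID/Program of the socket bound to it.
correlate() {
    fw_source_ports "$3" < "$1" | while read -r sport; do
        owner=$(awk -v p="$sport" '
            $1 ~ /^tcp/ { n = split($4, l, ":")   # last field is the port (IPv4 or IPv6)
                          if (l[n] == p) { print $6, $7; exit } }' "$2")
        echo "$sport ${owner:-not-in-snapshot}"
    done
}

# Live use (root is needed for netstat -p to show other users' processes):
#   netstat -tanp > ns.txt; correlate fw.log ns.txt 7869
```

A port reported as `not-in-snapshot` belongs to a socket that had already closed when the snapshot was taken, which is why the reply suggests silently dropping the packets so the connection stays in `SYN_SENT` long enough to be seen.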