shoshana@koko.UUCP (Shoshana Abrass) (11/30/90)
Has anyone else seen the following in their SYSLOG, and/or can anyone
explain it:

    Nov 28 15:28:45 magritte rlogind[5547]: \
        Connection from 99.1.0.63 on illegal port 1257

This has happened several times, on several hosts, with different port #'s
and from different remote hosts. The remote host (99.1.0.63) is a known
host on our network. It's possible that our in-house software is doing
the wrong thing.... but I don't think we're doing any homegrown rlogin
stuff.

-shoshana
pdi!shoshana@sgi.com

srp@babar.mmwb.ucsf.edu (Scott R. Presnell) (11/30/90)
shoshana@koko.UUCP (Shoshana Abrass) writes:

> Has anyone else seen the following in their SYSLOG, and/or can anyone
> explain it:

> Nov 28 15:28:45 magritte rlogind[5547]: \
>     Connection from 99.1.0.63 on illegal port 1257

The straightforward explanation is that rlogind is expecting a connection
from a reserved port (ports in the range of 512 to 1023 - see the man page
for rresvport(3); rcmd, rsh and rlogin use it). If the port is not in that
range, rlogind is assuming that this is a security breach.

> This has happened several times, on several hosts, with different port #'s
> and from different remote hosts. The remote host (99.1.0.63) is a known
> host on our network. It's possible that our in-house software is doing
> the wrong thing.... but I don't think we're doing any homegrown rlogin
> stuff.

But the fact that it is happening *from* multiple, different hosts is odd...
Maybe some other program/daemon has got it screwed up and is calling the
(r)login port (513/tcp in /etc/services) by accident? Or maybe the entry in
/etc/services got changed?

	- Scott
--
Scott Presnell                          +1 (415) 476-9890
Pharm. Chem., S-926                     Internet: srp@cgl.ucsf.edu
University of California                UUCP: ...ucbvax!ucsfcgl!srp
San Francisco, CA. 94143-0446           Bitnet: srp@ucsfcgl.bitnet
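
Added example, not part of either post: a small Python triage of the rlogind messages discussed in this thread, grouping them by source address and noting whether each logged port was above 1023 or below 512. Only the first sample entry is quoted from the thread; the other lines, the host name hosta and the addresses 99.1.0.70 and 99.1.0.71 are constructed, and the 512 to 1023 range is the one given in the reply above.

```python
import re
from collections import defaultdict

LOW, HIGH = 512, 1023  # source-port range rlogind accepts, per the reply above

# First entry is the one quoted in the thread (wrapped with a backslash);
# the remaining lines are constructed for this example.
SAMPLE_SYSLOG = r"""Nov 28 15:28:45 magritte rlogind[5547]: \
    Connection from 99.1.0.63 on illegal port 1257
Nov 28 15:31:02 magritte rlogind[5560]: Connection from 99.1.0.63 on illegal port 1301
Nov 28 16:02:10 hosta rlogind[812]: Connection from 99.1.0.70 on illegal port 2044
Nov 28 16:05:00 hosta rlogind[820]: Connection from 99.1.0.71 on illegal port 300
Nov 28 16:06:00 hosta login[821]: ROOT LOGIN ttyp0
"""

ENTRY = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<target>\S+)\srlogind\[\d+\]:\s+"
    r"Connection from (?P<src>\S+) on illegal port (?P<port>\d+)$")

def join_wrapped(text):
    """Merge lines that end in a backslash with the line that follows."""
    merged, pending = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
        else:
            merged.append(pending + line)
            pending = ""
    return merged

def classify(port):
    if port > HIGH:
        return "unprivileged"  # a port any non-root process can bind
    if port < LOW:
        return "below-512"     # privileged, but outside the accepted range
    return "reserved"          # in range; rlogind would not have logged it

def triage(text):
    """Group 'illegal port' entries by source address."""
    by_src = defaultdict(lambda: {"targets": set(), "ports": [], "kinds": set()})
    for line in join_wrapped(text):
        m = ENTRY.match(line)
        if m:
            rec, port = by_src[m["src"]], int(m["port"])
            rec["targets"].add(m["target"])
            rec["ports"].append(port)
            rec["kinds"].add(classify(port))
    return dict(by_src)

if __name__ == "__main__":
    for src, rec in sorted(triage(SAMPLE_SYSLOG).items()):
        print(src, sorted(rec["targets"]), rec["ports"], sorted(rec["kinds"]))
```

A source that only ever shows "unprivileged" ports is connecting from an ordinary socket rather than one obtained through rresvport(3), which narrows the search to whatever program on that host is opening the connection.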