Great Circle Associates Firewalls
(February 1997)
 


Subject: Solved: Odd probes at port 7777
From: Ken Hardy <ken @ mailhost . bridge . com>
Date: Mon, 3 Feb 1997 17:41:38 -0600 (CST)
To: firewalls @ greatcircle . com

I wrote:

>Every couple of days we get an attempted connection to port 7777 from
>scripps.edu, so I put a byte sucker on that port to log any received
>data.  It seems to be a 4 digit and a 2 digit number separated by a
>comma, followed by a carriage return.

Further investigation made it apparent that the connection to my port
7777 was occurring whenever a connection was made to the remote system's
SMTP port.  The data I captured, two comma-separated decimal numbers
followed by a <CR><LF>, is identical to an IDENT query.  The second number
was always 25.  The lightbulb lights!

I relayed this information to the site's admin.  He reports that they
had recently installed a new version of sendmail which does IDENT
queries, but why to port 7777?  The admin's latest message to me:

>You were on the right track with your comment about services..
>We are a heavy user of NIS and ident is not a standard Solaris
>/etc/services daemon.  I found that the NIS file contained
>an ident entry with an alias of auth..  There was an auth entry
>in the NIS file at port 7777..  I converted it to only use
>a local copy of the services file..  Hopefully, this will cause
>the probing you were seeing to go away..  If it doesn't please
>let me know..  THANKS for the heads-up on the problem!

I don't see this on any of my Solaris systems (not using NIS).  I'd
guess that someone had put an "auth" entry in at 7777 to refer to TIS'
authsrv, which uses that port.
^^^^

--
KH
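
The diagnosis in the message above, as an added example that is not part of the original post: it checks whether a payload captured on an unexpected port has the shape of an RFC 1413 IDENT query, and audits a services table for an "ident" or "auth" name that resolves to a port other than 113. The captured bytes, both services tables and all function names are constructed for illustration; the lookup assumes first-match semantics on a flat services file, which an NIS map need not share.

```python
import re

IDENT_PORT = 113  # port registered for ident/auth (RFC 1413)

# RFC 1413 query: "<port on queried host> , <port on querying host>" then CRLF
QUERY_RE = re.compile(rb"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*\r?\n?$")

def parse_ident_query(payload):
    """Return (queried_host_port, querying_host_port), or None if not IDENT-shaped."""
    m = QUERY_RE.match(payload)
    if not m:
        return None
    a, b = int(m.group(1)), int(m.group(2))
    if not (1 <= a <= 65535 and 1 <= b <= 65535):
        return None
    return a, b

def resolve_tcp_service(services_text, name):
    """First-match lookup of a TCP service name or alias (assumed flat-file semantics)."""
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if proto == "tcp" and name in [fields[0]] + fields[2:]:
            return int(port)
    return None

def audit(services_text, names=("ident", "auth")):
    """Map each name that resolves to a port other than 113 to the port it yields."""
    out = {}
    for n in names:
        p = resolve_tcp_service(services_text, n)
        if p is not None and p != IDENT_PORT:
            out[n] = p
    return out

# Constructed sample data, not taken from the original post
CAPTURED = b"1042, 25\r\n"
NIS_SERVICES = """\
smtp   25/tcp   mail
auth   7777/tcp          # constructed: entry added for an auth server
ident  113/tcp  auth
"""
LOCAL_SERVICES = "smtp 25/tcp mail\nident 113/tcp auth\n"

if __name__ == "__main__":
    print(parse_ident_query(CAPTURED))
    print(audit(NIS_SERVICES), audit(LOCAL_SERVICES))
```

A second number of 25 in the parsed query means the querying host's end of the connection is its SMTP port, which is the correlation the message describes.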

