nothing to worry about. It is trying to resolve port numbers using
/etc/services. Any port above 1023 is fair game to send requests from.
Your machine will respond to that port number. In this case, blackjack
is port 1025:

# grep -i blackjack ports.txt
blackjack       1025/udp                        # network blackjack

George Toft, CISSP, MSIS
AGD,LLC
www.agdllc.com
623-203-1760

Jim wrote:
> I noticed my linux box seemed a bit slow today so I looked around and
> found the following when I ran ps -fu root.
>
> UID        PID  PPID  C STIME TTY          TIME CMD
> root         1     0  2 02:51 ?        00:00:04 init
> root         2     1  0 02:51 ?        00:00:00 [keventd]
> root         3     1  0 02:51 ?        00:00:00 [ksoftirqd_CPU0]
> root         4     1  0 02:51 ?        00:00:00 [kswapd]
> root         5     1  0 02:51 ?        00:00:00 [bdflush]
> root         6     1  0 02:51 ?        00:00:00 [kupdated]
> root        10     1  0 02:52 ?        00:00:00 [mdrecoveryd]
> root        11     1  0 02:52 ?        00:00:00 [kjournald]
> root        26     1  0 02:52 ?        00:00:00 [loop0]
> root       161     1  0 02:52 ?        00:00:00 [eth0]
> root       214     1  0 02:52 ?        00:00:00 [khubd]
> root       741     1  0 02:52 ?        00:00:00 /usr/sbin/syslogd
> root       744     1  0 02:52 ?        00:00:00 /usr/sbin/klogd -c 3 -x
> root       747     1  0 02:52 ?        00:00:00 /usr/sbin/inetd
> root       750     1  1 02:52 ?        00:00:01 /usr/sbin/sshd
> root       760     1  0 02:52 ?        00:00:00 /usr/sbin/crond -l10
> root       763     1  0 02:52 ?        00:00:00 sendmail: accepting connections
> root       773     1  0 02:52 ?        00:00:00 /usr/sbin/httpd
> root       775     1  0 02:52 ?        00:00:00 /usr/sbin/gpm -m /dev/mouse -t i
> root       778     1  0 02:52 ?        00:00:00 [eth1]
> root       802     1  0 02:52 ?        00:00:00 smbd
> root       804     1  0 02:52 ?        00:00:00 nmbd
> root       805   804  0 02:52 ?        00:00:00 nmbd
> root       808     1  0 02:52 tty2     00:00:00 /sbin/agetty 38400 tty2 linux
> root       809     1  0 02:52 tty3     00:00:00 /sbin/agetty 38400 tty3 linux
> root       810     1  0 02:52 tty4     00:00:00 /sbin/agetty 38400 tty4 linux
> root       811     1  0 02:52 tty5     00:00:00 /sbin/agetty 38400 tty5 linux
> root       812     1  0 02:52 tty6     00:00:00 /sbin/agetty 38400 tty6 linux
> root       813   802  0 02:53 ?        00:00:00 smbd
>
> I ran ftpwho and it showed only one ftp login.
> I then ran netwatch and it
> showed two connections from different IP addresses. I then ran tcpdump
> and it showed the following which got my attention.
>
>
> 03:14:36.904761 216-19-216-108.getnet.net.1041 > dsl-082-082-166-008.arcor-ip.net.3352: . 40961:42373(1412) ack 0 win 5840 (DF)
>
> 03:14:47.336196 216-19-216-108.getnet.net.1040 > dialin-212-144-039-232.arcor-ip.net.blackjack: P 105985:106497(512) ack 0 win 5840 (DF)
>
> What is this blackjack? Will someone please let me know what kind of
> threat this is if any? If it is a threat, what do I do about it?
>
> Thanks
>
> Jim
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
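
Added example, not part of the original thread: a small Python sketch of the lookup the reply describes, turning the service labels tcpdump prints back into port numbers so a label such as "blackjack" is read as plain port 1025. The services table, host names and capture lines are constructed samples, and the function names are hypothetical; running tcpdump with -n avoids the name conversion in the first place.

```python
import re

# Constructed /etc/services-format sample; blackjack is the entry quoted in the reply.
SERVICES = """\
ssh             22/tcp
http            80/tcp          www     # WorldWideWeb HTTP
blackjack       1025/udp                # network blackjack
"""
# Constructed tcpdump lines (placeholder hosts), same layout as in the question.
CAPTURE = """\
03:14:36.904761 host-a.example.net.1041 > host-b.example.org.3352: . 40961:42373(1412) ack 0 win 5840 (DF)
03:14:47.336196 host-a.example.net.1040 > host-c.example.org.blackjack: P 105985:106497(512) ack 0 win 5840 (DF)
03:15:02.000001 host-d.example.com.1042 > host-a.example.net.ssh: S 1:1(0) win 5840 (DF)
"""
LINE = re.compile(r"^(\S+) (\S+) > (\S+): ")

def load_services(text):
    """Map every service name and alias to its port number."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # blank line, comment, or malformed entry
        port = int(fields[1].split("/", 1)[0])
        for name in [fields[0]] + fields[2:]:
            names.setdefault(name, port)
    return names

def split_endpoint(token, names):
    """Split 'host.port' at the last dot; map a service label back to a number."""
    host, _, port = token.rpartition(".")
    if port.isdigit():
        return host, int(port), None
    return host, names.get(port), port  # port is None if the label is unknown

def numeric_view(capture, names):
    """Return one dict per packet line with numeric ports and any label seen."""
    rows = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst = (split_endpoint(m.group(i), names) for i in (2, 3))
        rows.append({"time": m.group(1), "src": src[:2], "dst": dst[:2], "label": dst[2] or src[2],
                     "dst_above_1023": dst[1] is not None and dst[1] > 1023})
    return rows

if __name__ == "__main__":
    for row in numeric_view(CAPTURE, load_services(SERVICES)):
        print(row)
```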