Re: 33270:trinity connection form port 80 to local machine on port

From: Valdis.Kletnieks@vt.edu
Date: 10/31/01 

Message-Id: <200110311748.f9VHmSMb024645@foo-bar-baz.cc.vt.edu>
To: Bradley Filmer <bfilmer@ims.telstra.com.au>
Subject: Re: 33270:trinity connection form port 80 to local machine on port 
From: Valdis.Kletnieks@vt.edu
Date: Wed, 31 Oct 2001 12:48:28 -0500

On Wed, 31 Oct 2001 16:11:43 +0800, Bradley Filmer <bfilmer@ims.telstra.com.au> said:
> I am curious as to what this might be, I am seeing hits in my iptables
> logs after visiting certain websites.. mainly
>
> Oct 29 09:26:15 stealth kernel: IN=eth0 OUT= MAC= "long number"
> SRC=64.28.67.70 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=46
> ID=16970 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN
> URGP=0
> This is netbsd.org

Source port 80, an ACK/SYN - looks like you logged the second of a 3-packet
handshake from your SYN sent to netbsd.org. 33270 was an ephemeral port
picked by your browser on the fly.

Sequence:

you:33270 -> netbsd.org:80 SYN
you:33270 <- netbsd.org:80 SYN+ACK (the packet you logged)
you:33270 -> netbsd.org:80 ACK

> Oct 30 11:35:47 stealth kernel: IN=eth0 OUT= MAC= "long number"
> SRC=64.58.76.98 DST=my.adr.xxx.xxx LEN=44 TOS=0x00 PREC=0x00 TTL=48
> ID=9741 DF PROTO=TCP SPT=443 DPT=33270 WINDOW=16560 RES=0x00 ACK SYN
> URGP=0
> This is yahoo groups.

Similarly, port 443 is https: (http over SSL).

> Oct 31 09:01:41 stealth kernel: IN=eth0 OUT= MAC= "long number"
> SRC=204.152.186.171 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=51
> ID=23555 PROTO=TCP SPT=80 DPT=33270 WINDOW=32768 RES=0x00 ACK SYN URGP=0
> This is mysql.org

More of same.

> Always 5 hits and I cant tell you how long after. I have checked port

I can't comment on "always 5 hits" because you don't show the logs.
Perhaps you're filtering something incorrectly, causing a retransmit of
the SYN+ACK packet at the far end.

> Looking for paranoia in all the right places

And then some, based on what I see. Maybe seeing all 5 hits might
show something I'm not seeing here, but I'm guessing that it's a broken
iptables config logging things that it shouldnt. 

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech

Relevant Pages

  • Re: Blocking attacks from spoofed IP addresses
    ... and noted a lot of consistent hits ... hits from Hangzhou province and Hebei province (121.16/13, ... The Chinese whois server claims not to own the ... Port 6667 is one used ...
    (comp.os.linux.networking)
  • RE: Logs: Many hits with source port of 80
    ... I have seen similar hits for the past three months. ... Are you sure yours are TCP? ... Subject: Logs: Many hits with source port of 80 ... where the source port is set to tcp 80 and the destination port is some ...
    (Incidents)
  • Re: Port 25 blocking ????
    ... But I should see some hits on my permit statements in my ACL if it was ... If they are port 25 blocking, that would prevent my telnet attempt, ... Timing out is a typical reaction for a firewalled connection. ...
    (comp.dcom.sys.cisco)
  • Re: New program/virus is making the rounds?
    ... >Most hits were port 27374, now almost all are port 1433. ... >What new program hit the web now??? ... which filters the crap out of the emails BEFORE it infects ...
    (comp.security.firewalls)
  • McAfee Personal Firewall
    ... I just purchased the McAfee Personal Firewall this weekend ... the hits that have probably always been there. ... that was using a "Microsoft-DS" service or program. ... If you want to allow traffic on this port, ...
    (microsoft.public.security)