RE: Why would my machine do this?

From: Bill Royds (email@royds.net)
Date: 02/08/02


From: "Bill Royds" <email@royds.net>
To: <pmoffitt@wrv.com>, "Incidents" <incidents@securityfocus.com>
Date: Thu, 7 Feb 2002 19:35:44 -0500

Is one of the machines an SGI Irix machine?
SGI uses port 1 for service multiplexing and this may be a communication from the service multiplexor.
It can be pretty chatty with it.

-----Original Message-----
From: Pat Moffitt [mailto:pmoffitt@wrv.com]
Sent: Thu February 07 2002 16:12
To: Incidents
Subject: Why would my machine do this?

I noticed in my logs connections to our firewall machine via UDP port 1. I
thought that odd and investigated.

The packets were not being dropped by IPTABLES, so they had to be related to
another connection. The IP address the connection is coming from is a
trusted address (my roommate is the administrator of that system). So, I
started snort and waited for a response to see what was going on. The
results are below.

The trusted system is one that we sync our firewall's clock with.

We are running Debian with Kernel 2.4.17, IPTables and ntp ver
4.0.99g-2patato2.

Why is what looks like ntp trying to connect out on port 1? I don't know
anything about ntp packets but they are real close to the ones going out
from port 123. Is this something worth exploring further? If so, where do I
go next?

Thanks,

Pat Moffitt
MIS Administrator
Western Recreational Vehicles, Inc.

xx.xx.xx.xx = our firewall system's external address.
yy.yy.yy.yy = trusted outside system I sync my clock with.

Snort -vd 'host yy.yy.yy.yy' provided:

02/07-12:21:11.600300 xx.xx.xx.xx:1 -> yy.yy.yy.yy:123
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:76 DF
Len: 56
23 04 06 EF 00 00 20 9A 00 00 40 9E CF 6D BB 42 #..... ...@..m.B
C0 0D 5F F7 F4 9D 8C 6D C0 0D 5F F7 95 33 D2 95 .._....m.._..3..
C0 0D 5F F7 F4 9D 8C 6D C0 0D 60 37 99 A1 87 A4 .._....m..`7....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/07-12:21:11.637692 yy.yy.yy.yy:123 -> xx.xx.xx.xx:1
UDP TTL:55 TOS:0x0 ID:60398 IpLen:20 DgmLen:76
Len: 56
24 03 06 EF 00 00 17 38 00 00 07 98 A5 5B FA D6 $......8.....[..
C0 0D 5E F4 70 B2 B7 77 C0 0D 60 37 99 A1 87 A4 ..^.p..w..`7....
C0 0D 60 37 88 27 B6 FE C0 0D 60 37 88 2C 4D 65 ..`7.'....`7.,Me

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/07-12:21:11.637848 xx.xx.xx.xx -> yy.yy.yy.yy
ICMP TTL:255 TOS:0xC0 ID:16011 IpLen:20 DgmLen:104
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
yy.yy.yy.yy:123 -> xx.xx.xx.xx:1
UDP TTL:55 TOS:0x0 ID:60398 IpLen:20 DgmLen:76
Len: 56
** END OF DUMP
45 00 00 4C EB EE 00 00 37 11 76 50 yy yy yy yy E..L....7.vP....
xx xx xx xx 00 7B 00 01 00 38 15 B1 24 03 06 EF .....{...8..$...
00 00 17 38 00 00 07 98 A5 5B FA D6 C0 0D 5E F4 ...8.....[....^.
70 B2 B7 77 C0 0D 60 37 99 A1 87 A4 C0 0D 60 37 p..w..`7......`7
88 27 B6 FE C0 0D 60 37 88 2C 4D 65 .'....`7.,Me

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
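Added here as an illustration, not part of Bill's or Pat's messages: a Python decoder for the two 48-byte UDP payloads in the snort dump above. Decoding the header bytes confirms what the hex already suggests: the first packet is an NTPv4 client request (mode 3, stratum 4) and the second is the server reply (mode 4, stratum 3) whose originate timestamp is a byte-for-byte echo of the request's transmit timestamp, so the traffic on UDP port 1 is an ordinary NTP poll and reply and the only unusual thing is the source port. The header layout is the standard NTP one (RFC 1305 / RFC 5905); the function and field names are mine, and the payload bytes are copied from the post.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MODES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
         3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}

# UDP payloads copied from the snort dump in the post: the request the firewall
# sent from port 1, and the reply the trusted time server returned to port 1.
CLIENT_HEX = ("23 04 06 EF 00 00 20 9A 00 00 40 9E CF 6D BB 42 "
              "C0 0D 5F F7 F4 9D 8C 6D C0 0D 5F F7 95 33 D2 95 "
              "C0 0D 5F F7 F4 9D 8C 6D C0 0D 60 37 99 A1 87 A4")
SERVER_HEX = ("24 03 06 EF 00 00 17 38 00 00 07 98 A5 5B FA D6 "
              "C0 0D 5E F4 70 B2 B7 77 C0 0D 60 37 99 A1 87 A4 "
              "C0 0D 60 37 88 27 B6 FE C0 0D 60 37 88 2C 4D 65")


def hex_to_bytes(dump):
    """Turn the space-separated hex column of a snort -d dump into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def ntp_timestamp(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32.32 fixed point, 1900 epoch) to UTC."""
    unix_seconds = seconds - NTP_UNIX_OFFSET + fraction / 2**32
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=unix_seconds)


def parse_ntp(payload):
    """Decode the fixed 48-byte NTP header into a dict of named fields."""
    if len(payload) < 48:
        raise ValueError("NTP packet must be at least 48 bytes, got %d" % len(payload))
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_s, ref_f, org_s, org_f, rec_s, rec_f, xmt_s, xmt_f) = struct.unpack(
        "!BBbbII4s8I", payload[:48])
    mode = flags & 0x07
    # Reference ID: a 4-character source name at stratum 0/1, the upstream
    # server's IPv4 address at higher strata.
    if stratum <= 1:
        reference = ref_id.decode("ascii", "replace").rstrip("\x00")
    else:
        reference = ".".join(str(b) for b in ref_id)
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x07,
        "mode": mode,
        "mode_name": MODES[mode],
        "stratum": stratum,
        "poll": poll,                      # log2 of seconds between polls
        "precision": precision,            # log2 of clock precision in seconds
        "root_delay": root_delay / 2**16,  # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 2**16,
        "reference_id": reference,
        "originate_raw": (org_s, org_f),
        "transmit_raw": (xmt_s, xmt_f),
        "transmit_utc": ntp_timestamp(xmt_s, xmt_f).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def is_matching_reply(request, reply):
    """A genuine server reply echoes the request's transmit timestamp as its
    originate timestamp; a packet that does not is not part of this exchange."""
    return (request["mode"] == 3 and reply["mode"] == 4
            and reply["originate_raw"] == request["transmit_raw"])


if __name__ == "__main__":
    req = parse_ntp(hex_to_bytes(CLIENT_HEX))
    rep = parse_ntp(hex_to_bytes(SERVER_HEX))
    for label, pkt in (("xx.xx.xx.xx:1 -> yy.yy.yy.yy:123", req),
                       ("yy.yy.yy.yy:123 -> xx.xx.xx.xx:1", rep)):
        print(label)
        print("  NTPv%d %s, stratum %d, poll 2^%d s, precision 2^%d s, ref %s, transmit %s"
              % (pkt["version"], pkt["mode_name"], pkt["stratum"], pkt["poll"],
                 pkt["precision"], pkt["reference_id"], pkt["transmit_utc"]))
    print("reply belongs to request:", is_matching_reply(req, rep))
```

The transmit timestamp in the request decodes to 2002-02-07 20:21:11 UTC, which lines up with the 12:21 local timestamp snort printed on the same packet, and the ICMP port-unreachable that follows the reply is simply the firewall's kernel reporting that nothing was still listening on UDP port 1 when the answer came back.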

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
