RE: Probes to strange ports

From: H C (keydet89@yahoo.com)
Date: 03/07/02


Date: Wed, 6 Mar 2002 18:42:46 -0800 (PST)
From: H C <keydet89@yahoo.com>
To: "Kinsey, Robert" <Robert.Kinsey@Veridian.com>, 'Kenneth Wilson ' <barney458@hotmail.com>, "'incidents@securityfocus.com '" <incidents@securityfocus.com>

Robert,

> What KIND of traffic are you seeing on these ports?

It sounded to me (admittedly it's still unclear) as if
the OP was saying that he's seeing probes. Now,
again...at this point we have no real idea what that
means...but it might be simple SYN packets that are
getting dropped, as nothing is listening on those
ports on the target machines.

Some things we'll need to know include:
1. What flags are set on these packets?
2. Are they incoming as well as outbound, or just
incoming?
3. Are they being stopped by a firewall?
4. Are the packets destined to specific machines? If
so, does 'netstat' or 'fport' show anything running on
those machines, using those ports?

> Are they to one particular system? If so, have you run any analysis
> tools on it (i.e. TDImon, or FileMon, etc...)?

Good suggestions. I'd recommend pslist, listdlls, and
fport, as the output of those tools goes to STDOUT and
can be easily piped off of the box. FileMon and
RegMon might not be necessary...it hasn't been shown
yet that the packets are even reaching the target
boxes.

> Is there any kind of consistency to the packets? Are they all TCP or is
> there UDP as well? Is it at a certain time? What kind of systems are you
> seeing the activity on? OS? versions? Apps involved (if identified)?

All good questions. Just goes to show we need more
folks out there who know how to do Incident Response.

Carv

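A triage helper for the checklist in the message above, added here as an example and not code from the thread or its participants: it parses a constructed firewall log (the line format, hosts and ports are all assumed for this example) and reports, per destination port, the flags seen, direction, firewall verdict and target hosts, then lists the hosts an inbound probe actually reached, so 'fport'/'netstat' effort goes there first.

```python
import re
from collections import defaultdict

# Constructed sample firewall log; the line format and all addresses are made up for this example.
SAMPLE_LOG = """\
Mar  6 18:42:46 fw: DROP IN TCP 203.0.113.7:4521 > 192.0.2.10:27374 flags=S
Mar  6 18:42:47 fw: DROP IN TCP 203.0.113.7:4522 > 192.0.2.11:27374 flags=S
Mar  6 18:42:49 fw: DROP IN TCP 203.0.113.7:4523 > 192.0.2.10:12345 flags=S
Mar  6 18:43:01 fw: PASS OUT TCP 192.0.2.10:1043 > 198.51.100.5:80 flags=S
Mar  6 18:43:05 fw: DROP IN UDP 203.0.113.9:53 > 192.0.2.10:31337 flags=-
Mar  6 18:43:09 fw: PASS IN TCP 203.0.113.7:4524 > 192.0.2.12:27374 flags=S
"""
# Fields of the assumed format: verdict, direction, protocol, src:port > dst:port, TCP flags.
LINE_RE = re.compile(r"(?P<verdict>DROP|PASS) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
                     r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
                     r"flags=(?P<flags>\S+)")

def parse_log(text):
    """One dict per parsable line; lines that do not match the format are ignored."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]

def summarize(records):
    """Per (proto, dport): flags seen, direction, firewall verdict, target hosts, count."""
    out = defaultdict(lambda: {"flags": set(), "dirs": set(), "verdicts": set(),
                               "targets": set(), "count": 0})
    for r in records:
        s = out[(r["proto"], int(r["dport"]))]
        s["flags"].add(r["flags"]); s["dirs"].add(r["dir"]); s["verdicts"].add(r["verdict"])
        s["targets"].add(r["dst"]); s["count"] += 1
    return dict(out)

def reached_hosts(records):
    """Hosts an inbound probe actually reached (PASS): the ones to check with fport/netstat."""
    hosts = defaultdict(set)
    for r in records:
        if r["dir"] == "IN" and r["verdict"] == "PASS":
            hosts[r["dst"]].add(int(r["dport"]))
    return {h: sorted(p) for h, p in hosts.items()}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, s in sorted(summarize(recs).items()):
        print(key, s["count"], sorted(s["flags"]), sorted(s["dirs"]), sorted(s["verdicts"]), sorted(s["targets"]))
    print("check locally:", reached_hosts(recs))
```

Dropped probes never reached the host, so host-side tools are only worth running on the hosts in the final list; a port that shows both DROP and PASS verdicts points at an inconsistent firewall rule set.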

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
