RE: Probes to strange ports

From: H C (keydet89@yahoo.com)
Date: 03/07/02 

Date: Wed, 6 Mar 2002 18:42:46 -0800 (PST)
From: H C <keydet89@yahoo.com>
To: "Kinsey, Robert" <Robert.Kinsey@Veridian.com>, 'Kenneth Wilson ' <barney458@hotmail.com>, "'incidents@securityfocus.com '" <incidents@securityfocus.com>

Robert,

> What KIND of traffic are you seeing on these ports?

It sounded to me (admittedly it's still unclear) as if
the OP was saying that he's seeing probes. Now,
again...at this point we have no real idea what that
means...but it might be simple SYN packets that are
getting dropped, as nothing is listening on those
ports on the target machines.

Some things we'll need to know include:
1. What flags are set on these packets?
2. Are they incoming as well as outbound, or just
incoming?
3. Are they being stopped by a firewall?
4. Are the packets destined to specific machines? If
so, does 'netstat' or 'fport' show anything running on
those machines, using those ports.

> Are they to one
> particular system? If so, have you run any analysis
> tools on it (i.e.
> TDImon, or FileMon, etc...)?

Good suggestions. I'd recommend pslist, listdlls, and
fport, as the output of those tools goes to STDOUT and
can be easily piped off of the box. FileMon and
RegMon might not be necessary...it hasn't been shown
yet that the packets are even reaching the target
boxes.

> Is there any kind of consistency to the packets?
> Are they all TCP or is
> there UDP as well? Is it at a certain time? What
> kind of systems are you
> seeing the activity on? OS? versions? Apps
> involved (if identified)?

All good questions. Just goes to show we need more
folks out there who know how to do Incident Response.

Carv

__________________________________________________
Do You Yahoo!?
Try FREE Yahoo! Mail - the world's greatest free email!
http://mail.yahoo.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Relevant Pages

  • Re: A Few Questions related to Network Administration and Traffic Analysis
    ... > network administration. ... > open ports of all other machines which is fine. ... Lets say I want to administer packets at the router ...
    (Fedora)
  • Re: Babysitting on iptables requested :-)
    ... Here's the list of ports that I see probed then I take the "Probe my ... this was a friendly probe; all packets were TCP SYNs - ... SYN is a packet that is used to initiate a TCP connection. ... >> between Windows machines, so without this a Windows machine in your ...
    (comp.os.linux.security)
  • Re: Nachi Worm apparently causes "Live Lock" on 4.7 server
    ... >>that send a sudden blast of packets, ... > ports and pull the cables. ... >>If a machine was found to have an open RPC port (we run an open ... to force autoupdates on those client machines. ...
    (freebsd-questions)
  • Re: Political Analysis of Security Products
    ... > bee collected nor has any evidence of such a backdoor ever really been ... send several packets to ports on the target system. ... be used for booth sides of the security game. ...
    (Pen-Test)
  • Re: Network traffic monitor app
    ... switch in the router to connect equipment together. ... So for traffic from a workstation to the internet it goes from the ... packets sent and the second the number of dud packets. ... one or more ports. ...
    (comp.sys.mac.misc)