Application Scanning 1033/tcp?

From: Crist J. Clark (crist.clark@attbi.com)
Date: 05/31/02


Date: Fri, 31 May 2002 14:46:05 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: incidents@securityfocus.com

We've been regularly scanned on port 1033/tcp by a wide variety of IP
addresses. For example, here are abbreviated scans from today between
13:00 and 14:00 PDT,

  13:00:08.081482 24-109-22-40.ivideon.com.4092 > my.firewall.com.1033: S 4162272443:4162272443(0) win 64240 (DF)
  13:00:31.773412 24-109-22-40.ivideon.com.4098 > my.firewall.com.1033: S 4170831855:4170831855(0) win 64240 (DF)
  13:00:34.822231 24-109-22-40.ivideon.com.4098 > my.firewall.com.1033: S 4170831855:4170831855(0) win 64240 (DF)
  13:00:36.899623 24-109-22-40.ivideon.com.4102 > my.firewall.com.1033: S 4172312999:4172312999(0) win 64240 (DF)
  .
  .
  .
  13:59:41.964667 24-109-22-40.ivideon.com.4745 > my.firewall.com.1033: S 816514957:816514957(0) win 64240 (DF)
  13:59:53.056863 24-109-22-40.ivideon.com.4749 > my.firewall.com.1033: S 821747116:821747116(0) win 64240 (DF)
  13:59:56.023444 24-109-22-40.ivideon.com.4749 > my.firewall.com.1033: S 821747116:821747116(0) win 64240 (DF)
  14:00:02.049422 24-109-22-40.ivideon.com.4749 > my.firewall.com.1033: S 821747116:821747116(0) win 64240 (DF)

  13:21:54.705383 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192 (DF)
  13:21:57.607638 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192 (DF)
  13:22:03.609713 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192 (DF)
  13:22:15.610063 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192 (DF)
  .
  .
  .
  13:47:47.681693 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192 (DF)
  13:47:50.602002 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192 (DF)
  13:47:56.600538 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192 (DF)
  13:48:08.599116 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192 (DF)

  13:51:55.458288 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4954 > my.firewall.com.1033: S 2637612177:2637612177(0) win 64240 (DF)
  13:51:58.402493 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4954 > my.firewall.com.1033: S 2637612177:2637612177(0) win 64240 (DF)
  13:52:04.290740 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4954 > my.firewall.com.1033: S 2637612177:2637612177(0) win 64240 (DF)
  13:52:25.392798 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4956 > my.firewall.com.1033: S 2645190207:2645190207(0) win 64240 (DF)
  .
  .
  .
  13:54:06.067548 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4975 > my.firewall.com.1033: S 2669006106:2669006106(0) win 64240 (DF)
  13:54:06.073626 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4974 > my.firewall.com.1033: S 2668952197:2668952197(0) win 64240 (DF)
  13:54:06.078158 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4973 > my.firewall.com.1033: S 2668896132:2668896132(0) win 64240 (DF)
  13:54:06.269224 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4976 > my.firewall.com.1033: S 2669108864:2669108864(0) win 64240 (DF)

  13:26:52.440778 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192 (DF)
  13:26:55.352418 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192 (DF)
  13:27:01.348100 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192 (DF)
  13:27:13.346008 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192 (DF)

Comparing these to the outgoing traffic, I can correlate most of
these to outgoing connection attempts to these machines from our
network. That is, someone inside our network connects out to these
machines, which then try to connect back in on 1033. However, the
outgoing connections are to a whole bunch of different TCP port
numbers and never to 1033/tcp.

I am having trouble figuring out what exactly they are looking for at
1033/tcp. My first concern was this was some kind of trojan or malware
phoning home and the remote controllers were trying to call back on
1033, but I've found no known trojans that listen on 1033. My other
suspicion is one of the zillion peer-to-peer file sharing protocols,
but again, no luck in finding one that uses 1033.

Anyone know what uses 1033/tcp? I've looked at all of the usual web
resources (please don't give out URLs of port lists unless you've
checked that the list does include 1033) and haven't found it.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
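The correlation described in the post (an inbound SYN to 1033/tcp that follows an outbound connection from our network to the same remote host) is easy to automate. The script below is an added example, not code from the poster or from SecurityFocus: it parses tcpdump lines in the same format shown above, collapses retransmitted SYNs (same source port and same initial sequence number), and for each distinct inbound attempt on the watched port reports whether we connected out to that host first, on which port, and how long before. The sample capture, the host name `my.firewall.com`, and the outbound destination ports in it are constructed for the example; the one-hour correlation window is an arbitrary choice.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

OUR_HOST = "my.firewall.com"   # assumed local side, as in the post
WATCH_PORT = 1033              # the inbound port we are trying to explain

# Constructed sample lines in tcpdump's classic format: two outbound SYNs from
# our host, followed by the inbound SYNs on 1033 (not the post's own capture).
SAMPLE = """\
12:58:40.100000 my.firewall.com.3511 > 24-109-22-40.ivideon.com.6346: S 100:100(0) win 65535 (DF)
13:00:08.081482 24-109-22-40.ivideon.com.4092 > my.firewall.com.1033: S 4162272443:4162272443(0) win 64240 (DF)
13:00:31.773412 24-109-22-40.ivideon.com.4098 > my.firewall.com.1033: S 4170831855:4170831855(0) win 64240 (DF)
13:00:34.822231 24-109-22-40.ivideon.com.4098 > my.firewall.com.1033: S 4170831855:4170831855(0) win 64240 (DF)
13:20:12.000000 my.firewall.com.3602 > evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.1214: S 200:200(0) win 65535 (DF)
13:21:54.705383 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192 (DF)
13:26:52.440778 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192 (DF)
"""

# "<time> <srchost>.<sport> > <dsthost>.<dport>: S <isn>:<isn>(0) ..."
# The greedy \S+ backtracks so that the port is the digits after the last dot.
SYN_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): S (\d+):\d+\(0\)"
)


@dataclass(frozen=True)
class Syn:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    isn: int


def parse(line):
    """Return a Syn for a tcpdump SYN line, or None for anything else."""
    m = SYN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
    return Syn(ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5)), int(m.group(6)))


def correlate(text, our_host=OUR_HOST, watch_port=WATCH_PORT, window=timedelta(hours=1)):
    """For each distinct inbound SYN to watch_port, find the most recent
    outbound SYN from our_host to the same remote host within `window`."""
    events = sorted((e for e in map(parse, text.splitlines()) if e), key=lambda e: e.ts)
    outbound = defaultdict(list)   # remote host -> [(time, remote port)]
    seen = set()                   # (src, sport, isn): retransmits of one attempt
    results = []
    for e in events:
        if e.src == our_host:
            outbound[e.dst].append((e.ts, e.dport))
            continue
        if e.dst != our_host or e.dport != watch_port:
            continue
        key = (e.src, e.sport, e.isn)
        if key in seen:
            continue               # same connection attempt, retransmitted SYN
        seen.add(key)
        prior = [(t, p) for t, p in outbound[e.src] if timedelta(0) <= e.ts - t <= window]
        rec = {"src": e.src, "time": e.ts.strftime("%H:%M:%S.%f"), "matched": bool(prior)}
        if prior:
            t, p = max(prior)      # latest outbound connection to that host
            rec["outbound_port"] = p
            rec["delay_s"] = round((e.ts - t).total_seconds(), 6)
        results.append(rec)
    return results


def summarize(results):
    """Per remote host: number of distinct inbound attempts and the outbound
    ports that preceded them (empty set = unexplained callback)."""
    out = defaultdict(lambda: {"attempts": 0, "outbound_ports": set()})
    for r in results:
        s = out[r["src"]]
        s["attempts"] += 1
        if r["matched"]:
            s["outbound_ports"].add(r["outbound_port"])
    return dict(out)


if __name__ == "__main__":
    res = correlate(SAMPLE)
    for r in res:
        print(r)
    print(summarize(res))
```

Running this on a full day's capture gives a table of which callbacks on 1033 were preceded by one of our own outbound connections and on what port; the hosts left with an empty `outbound_ports` set are the ones that need a different explanation than "they are calling back after we connected to them".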
