Odd traffic on port 7002, need help figuring it out.

From: steveg (steveg@stevegcentral.com)
Date: 06/13/02


Date: Wed, 12 Jun 2002 22:18:35 -0700 (PDT)
From: steveg <steveg@stevegcentral.com>
To: Incidents Mailing List <INCIDENTS@securityfocus.com>


Hey everyone,

I just discovered some odd traffic from one of my boxes. I haven't been
able to determine yet if it comes from the Linux firewall or a box behind
it, but one of my Win2k boxes did try to connect to the same server on port 137
(NBT). The connection is very short, 14 packets and then it quits, but it seems to
do it once in a while, although it hasn't done anything in the past hour or
so.
Here is the only packet that made any sense to me at all; it's the first
packet the server is sending back. I did notice the Treachery
Unlimited (security-style web site with a nice port search), but in this
case it connects to port 7002 and I am unable to figure out what it is.
The port list claims it's an afs3-prserver port, but I fail to see why my
box would try to connect there.

Here's the packet in question...
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

00000000 45 00 00 30 62 F7 40 00 71 06 50 4D 3F FB 8F D5 E..0b@.q.PM?
00000010 0C E6 79 CD 1B 5A F7 C1 B8 32 83 48 49 CE B1 36 .y.Z2HI6
00000020 70 12 44 70 9E 7F 00 00 02 04 05 B4 01 01 04 02 p.D.........
00000030 20 32 30 30 20 4F 4B 0D 0A 44 61 74 65 3A 20 54 200 OK..Date: T
00000040 68 75 2C 20 31 33 20 4A 75 6E 20 32 30 30 32 20 hu, 13 Jun 2002
00000050 30 33 3A 32 39 3A 31 39 20 47 4D 54 0D 0A 53 65 03:29:19 GMT..Se
00000060 72 76 65 72 3A 20 54 72 65 61 63 68 65 72 79 5F rver: Treachery_
00000070 55 6E 6C 69 6D 69 74 65 64 2F 39 2E 31 31 2E 32 Unlimited/9.11.2
00000080 30 30 00

All the packets are printed at the end of the email; if anyone knows what
the hell this is I would truly appreciate the help. I'm starting to
wonder what's going on.

I am keeping a dump running to see if I can see the traffic again.

Again, any help is welcome!

Here is the whole thing:

20:33:07.209934 > myfirewallbox.63425 > 63.251.143.213.7002: S 1238282549:1238282549(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
                         4500 0030 678f 4000 7f06 3db5 0ce6 79cd
                         3ffb 8fd5 f7c1 1b5a 49ce b135 0000 0000
                         7002 4000 de7b 0000 0204 05b4 0101 0402
20:33:07.286530 < 63.251.143.213.7002 > myfirewallbox.63425: S 3090318152:3090318152(0) ack 1238282550 win 17520 <mss 1460,nop,nop,sackOK> (DF)
                         4500 0030 62f7 4000 7106 504d 3ffb 8fd5
                         0ce6 79cd 1b5a f7c1 b832 8348 49ce b136
                         7012 4470 9e7f 0000 0204 05b4 0101 0402
                         2032 3030 204f 4b0d 0a44 6174 653a 2054
                         6875 2c20 3133 204a 756e 2032 3030 3220
                         3033 3a32 393a 3139 2047 4d54 0d0a 5365
                         7276 6572 3a20 5472 6561 6368 6572 795f
                         556e 6c69 6d69 7465 642f 392e 3131 2e32
                         3030
20:33:07.286825 > myfirewallbox.63425 > 63.251.143.213.7002: . 1:1(0) ack 1 win 17520 (DF)
                         4500 0028 6790 4000 7f06 3dbc 0ce6 79cd
                         3ffb 8fd5 f7c1 1b5a 49ce b136 b832 8349
                         5010 4470 cb43 0000
20:33:07.286946 > myfirewallbox.63425 > 63.251.143.213.7002: P 1:13(12) ack 1 win 17520 (DF)
                         4500 0034 6791 4000 7f06 3daf 0ce6 79cd
                         3ffb 8fd5 f7c1 1b5a 49ce b136 b832 8349
                         5018 4470 f42e 0000 0c00 0000 ca00 0000
                         0100 0000
20:33:07.435282 < 63.251.143.213.7002 > myfirewallbox.63425: P 1:133(132) ack 13 win 17508 (DF)
                         4500 00ac 6494 4000 7106 4e34 3ffb 8fd5
                         0ce6 79cd 1b5a f7c1 b832 8349 49ce b142
                         5018 4464 1295 0000 8400 0000 ca00 0000
                         0200 0000 0000 7400 0100 4937 3b37 0983
                         3e37 0100 0100 2a00 3028 0209 00ec 8ddf
                         dc33 f307 1702 0522 95c7 e10f 0209 008d
                         46a1 0865 ca73 e602 0900 bc9d a1b5 710e
                         e301 0282 83d7 c433 e3c6 1609 fe69 7444
                         51b8
20:33:07.482522 > myfirewallbox.63425 > 63.251.143.213.7002: P 13:130(117) ack 133 win 17388 (DF)
                         4500 009d 6792 4000 7f06 3d45 0ce6 79cd
                         3ffb 8fd5 f7c1 1b5a 49ce b142 b832 83cd
                         5018 43ec e15d 0000 7500 0000 ca00 0000
                         2800 0000 0100 0164 0006 0000 00cb df52
                         a7eb 3e1f 89e2 dced be1b caaa eea5 c438
                         2f38 6ca8 87c2 04f8 ee85 1def 0c58 efe9
                         92d4 f8dc 1c34 6832 0969 b74f c067 1178
                         58f1 fe69 966b 2131 6a82 da08 4ca7 2432
                         7072
20:33:07.563663 < 63.251.143.213.7002 > myfirewallbox.63425: P 133:171(38) ack 130 win 17391 (DF)
                         4500 004e 6573 4000 7106 4db3 3ffb 8fd5
                         0ce6 79cd 1b5a f7c1 b832 83cd 49ce b1b7
                         5018 43ef 4f1e 0000 2600 0000 ca00 0000
                         2900 0000 1800 5e7b 1f0f d07c 1ddf 97a6
                         f560 5c38 8933 65eb 04dc 087f f8d1 2b33
                         f8a9 e165 958e a0c5 2835 5545 47fc 2853
                         f9d1 c1d8 9b33 6337 ccca 48a9 7786 1f09
                         b924 cbd6 759e cba3 acdb 382c 951d 464b
                         2326
20:33:07.666310 > myfirewallbox.63425 > 63.251.143.213.7002: . 130:130(0) ack 171 win 17350 (DF)
                         4500 0028 6793 4000 7f06 3db9 0ce6 79cd
                         3ffb 8fd5 f7c1 1b5a 49ce b1b7 b832 83f3
                         5010 43c6 cac2 0000
20:33:07.680971 > myfirewallbox.63425 > 63.251.143.213.7002: P 130:184(54) ack 171 win 17350 (DF)
                         4500 005e 6794 4000 7f06 3d82 0ce6 79cd
                         3ffb 8fd5 f7c1 1b5a 49ce b1b7 b832 83f3
                         5018 43c6 9a3b 0000 3600 0000 ca00 0000
                         2a00 0000 2800 b644 0f71 153b e866 174c
                         a831 7d96 e65d 5259 7289 95c6 9e5b afec
                         4247 a489 6f14 4c2e 8c6b 58f0 c71c
20:33:07.760764 < 63.251.143.213.7002 > myfirewallbox.63425: P 171:366(195) ack 184 win 17337 (DF)
                         4500 00eb 67e0 4000 7106 4aa9 3ffb 8fd5
                         0ce6 79cd 1b5a f7c1 b832 83f3 49ce b1ed
                         5018 43b9 4269 0000 c300 0000 ca00 0000
                         2c00 0000 0000 0200 015d 0001 0073 1208
                         3d23 1708 3d7f 6808 0004 0000 0001 003d
                         0030 3b02 0f00 910f b3ed 86b3 eaac 4580
                         1706 492d 0207 2a26 8977 e6c3 3f02 0e38
                         8c64 413f 9a85 7f49 bb6b 8c06 3a02 0f00
                         80df
20:33:07.761321 < 63.251.143.213.7002 > myfirewallbox.63425: F 366:366(0) ack 184 win 17337 (DF)
                         4500 0028 67e1 4000 7106 4b6b 3ffb 8fd5
                         0ce6 79cd 1b5a f7c1 b832 84b6 49ce b1ed
                         5011 43b9 c9d5 0000 0000 0000 0000 21dc
                         f6ad e2ee 5bf7 b0b9 1e3f 8827 b2ba 68de
                         c6f0 3378 611d 5a16 4999 022b b33e 556c
                         eec9 836d 6027 c3f7 1aed 5db7 f1fb aeba
                         30f5 ab6f 8a04 dadb a323 d57b 6f11 8eda
                         bb8f 374f 498b 4a8a 28aa b756 dbc7 64ab
                         6968
20:33:07.761470 > myfirewallbox.63425 > 63.251.143.213.7002: F 184:184(0) ack 366 win 17155 (DF)
                         4500 0028 6795 4000 7f06 3db7 0ce6 79cd
                         3ffb 8fd5 f7c1 1b5a 49ce b1ed b832 84b6
                         5011 4303 ca8b 0000
20:33:07.761547 > myfirewallbox.com.63425 > 63.251.143.213.7002: . 185:185(0) ack 367 win 17155 (DF)
                         4500 0028 6796 4000 7f06 3db6 0ce6 79cd
                         3ffb 8fd5 f7c1 1b5a 49ce b1ee b832 84b7
                         5010 4303 ca8a 0000
20:33:07.840931 < 63.251.143.213.7002 > myfirewallbox.63425: . 367:367(0) ack 185 win 17337 (DF)
                         4500 0028 68da 4000 7106 4a72 3ffb 8fd5
                         0ce6 79cd 1b5a f7c1 b832 84b7 49ce b1ee
                         5010 43b9 c9d4 0000 0000 0000 0000 541a
                         e79a 1b4b 63a9 6ad2 c977 676e ed2a 8bf9
                         d806 6e7c 5e53 df8c f6b0 ebdb 2fcd 3402
                         0699 bc80 f405 8fd8 158e 3b47 4edd 295f
                         f7dd b3b6 fc6a f151 52c5 554b 8fa6 66bf
                         dbd2 454b 2840 d6f4 99e6 6264 9580 01e5
                         766f

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
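Added example (editor's code, not the poster's): a small parser for the tcpdump -x style listing above that reads the IPv4 and TCP headers from the hex rather than trusting the printed byte count. It uses three packets copied from the dump in the post (the server's SYN-ACK, the firewall's first data segment and the server's first data segment). The point it demonstrates: the SYN-ACK the poster singled out has an IP total length of 0x30 = 48 bytes, which is exactly its IP header plus the 28-byte TCP header, so the "200 OK ... Server: Treachery_Unlimited" text lies past the end of the datagram and is not data the server sent on this connection; it is whatever the capture path printed beyond the packet. The code also handles the opposite case, a datagram longer than what was captured (the server's 132-byte segment is cut at 130 captured bytes), and reports the first little-endian 32-bit word of each data segment, which in this dump equals the segment length. The assumption that the first word is a length field is the example's own, and nothing here identifies the application protocol.

```python
"""Parse a tcpdump -x listing and separate each IP datagram from what the
capture printed beyond it. Example code; the packets are copied from the post."""
import re
import struct
from ipaddress import IPv4Address

# Three packets from the dump in the post (summary line + hex rows, as printed).
DUMP = """\
20:33:07.286530 < 63.251.143.213.7002 > myfirewallbox.63425: S 3090318152:3090318152(0) ack 1238282550 win 17520 <mss 1460,nop,nop,sackOK> (DF)
                         4500 0030 62f7 4000 7106 504d 3ffb 8fd5
                         0ce6 79cd 1b5a f7c1 b832 8348 49ce b136
                         7012 4470 9e7f 0000 0204 05b4 0101 0402
                         2032 3030 204f 4b0d 0a44 6174 653a 2054
                         6875 2c20 3133 204a 756e 2032 3030 3220
                         3033 3a32 393a 3139 2047 4d54 0d0a 5365
                         7276 6572 3a20 5472 6561 6368 6572 795f
                         556e 6c69 6d69 7465 642f 392e 3131 2e32
                         3030
20:33:07.286946 > myfirewallbox.63425 > 63.251.143.213.7002: P 1:13(12) ack 1 win 17520 (DF)
                         4500 0034 6791 4000 7f06 3daf 0ce6 79cd
                         3ffb 8fd5 f7c1 1b5a 49ce b136 b832 8349
                         5018 4470 f42e 0000 0c00 0000 ca00 0000
                         0100 0000
20:33:07.435282 < 63.251.143.213.7002 > myfirewallbox.63425: P 1:133(132) ack 13 win 17508 (DF)
                         4500 00ac 6494 4000 7106 4e34 3ffb 8fd5
                         0ce6 79cd 1b5a f7c1 b832 8349 49ce b142
                         5018 4464 1295 0000 8400 0000 ca00 0000
                         0200 0000 0000 7400 0100 4937 3b37 0983
                         3e37 0100 0100 2a00 3028 0209 00ec 8ddf
                         dc33 f307 1702 0522 95c7 e10f 0209 008d
                         46a1 0865 ca73 e602 0900 bc9d a1b5 710e
                         e301 0282 83d7 c433 e3c6 1609 fe69 7444
                         51b8
"""

SUMMARY_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d{6} ")      # tcpdump timestamp line
HEX_LINE_RE = re.compile(r"^\s+(?:[0-9a-f]{2,4}\s*)+$")  # indented hex row

TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def split_packets(text):
    """Group the listing into (summary line, captured IP bytes) pairs."""
    packets = []
    for line in text.splitlines():
        if SUMMARY_RE.match(line):
            packets.append([line.strip(), []])
        elif packets and HEX_LINE_RE.match(line):
            packets[-1][1].append("".join(line.split()))
    return [(summary, bytes.fromhex("".join(rows))) for summary, rows in packets]


def decode_tcp(raw):
    """Decode IPv4+TCP headers and split the bytes into payload / trailer.

    Bytes past the IP total length are not part of the datagram (padding,
    link-layer trailer, stale buffer contents); a total length larger than
    what was captured means the snaplen truncated the packet.
    """
    ver_ihl, _tos, total_len = struct.unpack("!BBH", raw[:4])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if raw[9] != 6:
        raise ValueError("not TCP")
    sport, dport, seq, ack, doff_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    doff = (doff_flags >> 12) * 4
    hdr_end = ihl + doff
    return {
        "src": f"{IPv4Address(raw[12:16])}:{sport}",
        "dst": f"{IPv4Address(raw[16:20])}:{dport}",
        "flags": [name for bit, name in TCP_FLAG_NAMES if doff_flags & bit],
        "seq": seq,
        "ack": ack,
        "segment_len": total_len - hdr_end,                 # declared by the sender
        "payload": raw[hdr_end:min(total_len, len(raw))],   # what was actually captured
        "truncated": total_len > len(raw),
        "trailer": raw[total_len:],                         # beyond the datagram
    }


def framed_length(payload):
    """First four payload bytes as little-endian uint32 (assumed length field)."""
    return struct.unpack("<I", payload[:4])[0] if len(payload) >= 4 else None


def analyse(text):
    """Decode every packet in the listing; returns a list of dicts."""
    results = []
    for summary, raw in split_packets(text):
        pkt = decode_tcp(raw)
        pkt["summary"] = summary
        pkt["length_field"] = framed_length(pkt["payload"])
        results.append(pkt)
    return results


if __name__ == "__main__":
    for p in analyse(DUMP):
        print(p["summary"])
        print(f"  {p['src']} -> {p['dst']} {'|'.join(p['flags'])} "
              f"segment={p['segment_len']} captured={len(p['payload'])} "
              f"truncated={p['truncated']}")
        if p["trailer"]:
            print("  beyond datagram:", repr(p["trailer"].decode("latin-1")))
        if p["length_field"] is not None:
            print("  first LE uint32 of payload:", p["length_field"])
```

Run it and the SYN-ACK reports a zero-length segment with an 82-byte trailer containing the HTTP fragment, while both data segments report a leading word equal to their declared length (12 and 132). Whether the trailing bytes come from the server's NIC padding frames with old buffer contents or from the capture path cannot be settled from the dump alone, but either way they should be excluded before reasoning about what the port 7002 service actually said.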
