Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second

From: alfaentomega (alfaentomega@yahoo.com)
Date: 12/27/02

Next message: Rob Shein: "RE: strange traffic"

Previous message: Fyodor: "Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second"
In reply to: Pavel Kankovsky: "Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second"
Next in thread: Fyodor: "Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 27 Dec 2002 00:52:26 -0800 (PST)
From: alfaentomega <alfaentomega@yahoo.com>
To: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>

--- Pavel Kankovsky <peak@argo.troja.mff.cuni.cz> wrote:
> On Mon, 23 Dec 2002, alfaentomega wrote:
>
> Hypothesis: one of the services listening on your machine opens a
> short-lived listening sockets on an automatically assigned port (ie.
> in 1024-5000 range) when it accepts a connection. This would explain
> why SYN scan does not trigger it but connect() scan does.
>
> Try this:
> for each port p in 1-1023
> perform a connect() scan of p and 1024-5000
>
> Only a small set of p, perhaps a single value of p--the hypothetic
> offending service (see above)--should make the mysterious listening
> port appear.

Actually, when I figured out that those ports are always above 1024 and
below 5000, as I've said in my post, I started scanning only this
range, and every time the results were similar. And the only service
listening on my host is nullidentd.

But now I know what I was observing, see Fyodor's answer:
<20021224191816.GA10153@core.lnxnet.net>

Thanks.
-Alfaentomega.

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Next message: Rob Shein: "RE: strange traffic"
Previous message: Fyodor: "Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second"
In reply to: Pavel Kankovsky: "Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second"
Next in thread: Fyodor: "Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Best Plan of action for 2 forest.......
... PortQry reports the status of a port in one of the following ways: ... ..LISTENING This response indicates that a process is listening on the target ...
(microsoft.public.windows.server.active_directory)
Re: RealVNC
... If we are talking about RealVNC it goes this way ... Then there is default Java listening port on port 5800 on the client machine ...
(microsoft.public.windows.server.sbs)
Re: Cant join a domain
... Attempting to resolve name to IP address... ... TCP port 42: NOT LISTENING ...
(microsoft.public.windows.server.active_directory)
Re: Cant join a domain
... Attempting to resolve name to IP address... ... TCP port 42: NOT LISTENING ...
(microsoft.public.windows.server.active_directory)
Re: Cant connect to port 25 from another system
... The default sendmail config in RH/Fedora has been to only listen on the ... I previously edited the sendmail.mc file to be sure it is listening on ... Both netstat and nmap confirm that the system *is* listening on port ... When I attempt to telnet to port 25 the connection fails. ...
(Fedora)