RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second
From: H C (keydet89@yahoo.com)
Date: 12/27/02
Date: Fri, 27 Dec 2002 11:35:16 -0800 (PST)
From: H C <keydet89@yahoo.com>
To: Charles.Fasching@milestonesystems.com, alfaentomega@yahoo.com, incidents@securityfocus.com
Charles,
Not only did he say that he ran lsof on the system (no MS OSes come w/ lsof, nor is there a version of lsof available, unless you rename fport.exe to 'lsof'). Also, given the switches used w/ the netstat command, those aren't all available on MS systems.

Finally, later on in the (admittedly long-winded) post, the OP said that he'd installed Debian... "Now I have an up-to-date Debian 3.0 Woody stable release..."

Hope this helps answer your question...
--- Charles.Fasching@milestonesystems.com wrote:
> What OS are you scanning? Is it running RPC services or DCE services
> (Microsoft's RPC - such as an exchange server)? That can lead to the
> type of behavior that you are seeing.
>
> Chuck "Spence" Fasching
> Systems Engineer
> Milestone Systems, Inc.
> charles.fasching@milestonesystems.com
> 952.543.6999 xt 111
>
>
> -----Original Message-----
> From: alfaentomega [mailto:alfaentomega@yahoo.com]
> Sent: Monday, December 23, 2002 11:34 PM
> To: incidents
> Subject: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second
>
> Hello All, it's my first post here.
>
> I have a strange problem, which I've never seen before, and never even
> read about. I hope someone will be able to help me, because my every try
> to find it out by myself failed.
>
> I scanned localhost TCP ports with nmap and I saw that there's a service
> listening which I should not have. When I did it once again, it was gone.
> I did a few other scans, and there was nothing more than it should be,
> but I was already very suspicious.
>
> I found out that by default nmap doesn't scan every port (before that I
> thought every port is scanned without an explicit -p), so I ran "nmap -p1-
> localhost" and every time I saw something between 0 and 3 (usually there
> were 2) ports which were reported by nmap as open, but during the scan
> there was "Strange read error from 127.0.0.1 (104): Operation now in
> progress" for every one of them.
>
> I wanted to check out what is opening those ports, but "netstat -tulp" or
> "lsof -i -n" never shows them (I ran netstat and lsof with different
> options in long loops many times, to make sure to see those ports, even
> if they are open only for a fraction of a second, but I never saw
> anything).
>
> First I thought that it could be some strange nmap
> bug, so I tried other scanning methods, like netcat
> scan: "nc -vzw2 localhost 1-65535"
>
> Netcat shows normally open ports as "localhost [127.0.0.1] 113 (auth)
> open" but these strange ports are reported as, e.g. "localhost
> [127.0.0.1] 4546 (?) : Connection reset by peer"
>
> First I thought that they may be some ports, which are kind-of open, but
> they never finish TCP handshake, but they are detected only with basic
> nmap scan -sT, a TCP connect() scan, and never by any other kind of scan,
> like -sS SYN half-open scan (if they never finish the handshake, then it
> would make more sense if -sS detects them, while -sT thinks they're
> closed, not the other way around - but I may be wrong here).
>
> Here are my other observations:
> I ran nmap in a loop scanning TCP ports 1-10000 every time (first it
> scanned 1-65535 but higher ports were never open), and for 1000 ports
> found, there were 875 unique ones, with lowest 1036 and highest 4989, so
> they look quite randomly distributed in this range.
>
> It doesn't matter if I scan 128.0.0.1 or my temporary dialup IP, also
> other people scanning me remotely from the Internet are finding those
> strange not-quite-open ports.
>
> So, this is pretty much everything I know.
>
> I was searching the Web and trying to get some help on IRC, but
> unfortunately no one knew what I was talking about. All I've found was
> Max Gribov's problem, posted here on Mar 26 2001, which seems to be the
> same as what I have here:
>
> http://lists.insecure.org/lists/incidents/2001/Mar/0256.html
>
> There was one answer telling "You are seeing your own port scan and a
> clear demonstration why nmap to a localhost is not the best thing to do"
> which is not correct, because those ports are visible also on remote
> scans (and besides nmap looks for open listening ports and scanning
> doesn't open any ports for listening to incoming handshakes).
>
> The other answer was "I have seen times where certain linux boxes running
> X windows will do that but nothing that frequent" but with no more info.
> Should I not worry, because my box seems to be just a certain Linux box
> running X, or maybe those certain Linux boxes had some problems other
> than just running X on Linux?
>
> So, there actually was no meaningful answer to this
> question. If anyone knows where to look for the
> answer, please point me to any relevant text I
> should
> read.
>
> Of course I'll be glad if anyone posts some quick
> method to fix it, however I'd rather RTFM and know
> what's going on, because I'm getting a little bit
> paranoid when I don't.
>
> Was my system compromised? Is there some stealth backdoor listening on
> those random ports, which would open a normal TCP connection if only the
> source port and IP match the right values?
>
> Something like "nc -lp 3333 127.0.0.1 3334" which would drop the
> connection from anywhere else than 127.0.0.1:3334, but done in a more
> fancy way, with direct control over the TCP/IP stack and the actual
> handshake? But if so, then why doesn't it look like a normal closed port?
> And why does the half-open SYN scan show it as closed, unlike the full
> open TCP scan?
>
> Such a netcat listener as above is normally detected as an open port by
> half-open SYN, stealth FIN, Xmas Tree, and Null scans, while being
> detected as open and being closed by TCP connect() scan. Here what I
> observed is totally different; I only suspect that those ports could
> possibly be opened from some attacker's IP:port, but maybe I'm being too
> paranoid.
>
> Half a year ago, my outdated Debian Potato box was compromised. Since
> then, I've read quite a few books and even more online texts about
> systems and network security, and started to be extremely paranoid.
>
> Now I have an up-to-date Debian 3.0 Woody stable release, with every
> security update and with no unneeded services listening. Almost all
> software is installed from official Debian Woody packages; the only
> thing I got in /usr/local is mplayer.
>
> A remote login is impossible (it's my personal desktop box with a ppp
> dialup network connection, to which no one has any access but me) and
> still I have long and random passwords which crack and john are unable
> to crack in weeks, having access to /etc/shadow. What else can I do? I
> can almost hear Bruce Schneier saying "Nothing, you're screwed." But
> really, is having updated Debian stable as a desktop system not being
> paranoid enough? I'm starting to lose any hope.
>
> I really hope that someone will answer something like "oh, this is only
> a bug in your kernel/library/etc." but I have a bad feeling. Sorry for
> writing such a long post, but I wanted to write everything I found out
> myself about the problem, so you wouldn't have to waste your time asking
> about things which I should write in the first place and without which
> you're unable to answer my questions.
>
> Thanks a lot.
>
> By the way, it's a really great list, I often find
> many things I need in the archives of this one and
> other SecurityFocus mailing lists. Thanks.
>
> Merry Xmas and Happy New Year!
>
> -Alfaentomega.
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
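As an added example that is not code from anyone in this thread, the script below reproduces the original poster's loop method in Python against the local host only: a connect() scan classified the way netcat reported it (open, reset by peer, or refused), repeated over several rounds, with the transient ports summarised as the poster did (hits, unique count, lowest, highest) plus one check the post does not make: how many of them fall inside the kernel's own ephemeral port range read from /proc/sys/net/ipv4/ip_local_port_range. The /proc path is Linux-specific, and the 1-10000 port range, 5 rounds and 0.5 s timeout are assumed values.

```python
"""Loop a TCP connect() scan of localhost, as the original poster did, and
summarise the ports that show up only transiently. Added example, not code
from the thread; assumes Linux for the /proc read of the ephemeral range."""
import socket
from collections import Counter

def probe(host, port, timeout=0.5):
    """'open': handshake completed and the socket stays up; 'reset': RST
    arrived right after connect() (netcat's "Connection reset by peer");
    'closed': connect() was refused, timed out or otherwise failed."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with s:
        s.setblocking(False)
        try:
            s.recv(1, socket.MSG_PEEK)  # peek: a transient port answers RST
        except BlockingIOError:
            return "open"               # no data yet, connection genuinely up
        except ConnectionResetError:
            return "reset"
        return "open"                   # data or a clean EOF: it was listening

def scan_rounds(host, ports, rounds):
    """Count, per port, how many of `rounds` scans saw anything but refusal."""
    hits = Counter()
    for _ in range(rounds):
        for p in ports:
            if probe(host, p) != "closed":
                hits[p] += 1
    return hits

def ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Kernel's local port range; the poster's 1036-4989 is checked against it."""
    with open(path) as f:
        lo, hi = f.read().split()
    return int(lo), int(hi)

def summarise(hits, stable, lo, hi):
    """The poster's statistics: hits, unique ports, lowest, highest and how many
    lie in the ephemeral range [lo, hi]; `stable` = ports netstat really shows."""
    t = {p: n for p, n in hits.items() if p not in stable}
    if not t:
        return {"hits": 0, "unique": 0, "low": None, "high": None, "in_range": 0}
    return {"hits": sum(t.values()), "unique": len(t), "low": min(t),
            "high": max(t), "in_range": sum(lo <= p <= hi for p in t)}

if __name__ == "__main__":
    lo, hi = ephemeral_range()
    print(summarise(scan_rounds("127.0.0.1", range(1, 10001), 5), set(), lo, hi))
```

Pass the ports that netstat -tulp or lsof -i really shows as `stable` so that only the ports that never appear there are counted; a transient set that sits entirely inside the ephemeral range is the first thing to compare against the scanner's own source ports before suspecting a listener.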