port 5168
From: Molony, Duncan (Duncan.Molony@SPR.DOE.GOV)
Date: 04/17/03
Date: Thu, 17 Apr 2003 13:03:42 -0500
From: "Molony, Duncan" <Duncan.Molony@SPR.DOE.GOV>
To: <incidents@securityfocus.com>
In the past 2 hours I have captured over 18,000 packets attempting to initiate a connection on port 5168/TCP. All traffic is on my internal network. The machines originating the traffic are Windows 2000 servers - one running SAP w/ Oracle and one running Citrix for development purposes only. In all but one case so far, the systems targeted have responded with a reset. The one that did respond opened a 'DCERPC' connection briefly and then closed the connection. From what I have found so far, DCERPC should only be listening on port 135. Source ports seem to be random. So far it looks to have hit every active address in the subnet I am sniffing.
Below is a sample of the SYN packet being sent out. Any assistance in identifying this traffic would be greatly appreciated.
04/17-09:56:12.106932 0:D0:D3:35:D3:EC -> 0:4:75:CB:87:CF type:0x800 len:0x3E
xxx.xxx.xxx.48:2720 -> xxx.xx.xxx.31:5168 TCP TTL:127 TOS:0x0 ID:21131 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE6169382 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
Thanks in advance,
Duncan Molony
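
Added example, not part of the original message: a Python sketch that parses packet dumps in the Snort format shown above and counts how many distinct hosts each source sent a bare SYN to on a given port, one way to confirm the sweep pattern the message describes. The function names, the threshold and the sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Address line of a Snort packet dump, e.g. "10.1.1.48:2720 -> 10.1.1.31:5168 TCP ...".
# "x" is accepted so masked addresses like those in the message still parse.
ADDR = re.compile(r"^([\dx.]+):(\d+) -> ([\dx.]+):(\d+) TCP ")
# Flags line, e.g. "******S* Seq: 0x... Ack: 0x0 ..."
FLAGS = re.compile(r"^([*12UAPRSF]{8}) Seq: ")

def syn_fanout(dump):
    """Map (source, dest port) -> set of destinations that were sent a bare SYN."""
    fanout = defaultdict(set)
    pending = None  # (src, dst, dport) from the most recent address line
    for line in dump.splitlines():
        line = line.strip()
        m = ADDR.match(line)
        if m:
            pending = (m.group(1), m.group(3), int(m.group(4)))
            continue
        m = FLAGS.match(line)
        if m and pending:
            if "S" in m.group(1) and "A" not in m.group(1):  # SYN without ACK
                src, dst, dport = pending
                fanout[(src, dport)].add(dst)
            pending = None
    return fanout

def sweepers(dump, min_targets=3):
    """Sources that sent SYNs for one port to at least min_targets distinct hosts."""
    return {k: len(v) for k, v in syn_fanout(dump).items() if len(v) >= min_targets}

# Constructed sample traffic (addresses, MACs and IDs are made up).
def _pkt(src, dst, dport, flags):
    return (f"04/17-09:56:12.000000 0:0:0:0:0:1 -> 0:0:0:0:0:2 type:0x800 len:0x3E\n"
            f"{src}:2720 -> {dst}:{dport} TCP TTL:127 TOS:0x0 ID:1 IpLen:20 DgmLen:48 DF\n"
            f"{flags} Seq: 0x1 Ack: 0x0 Win: 0x4000 TcpLen: 28\n")

SAMPLE = "".join([
    _pkt("10.1.1.48", "10.1.1.31", 5168, "******S*"),
    _pkt("10.1.1.31", "10.1.1.48", 2720, "***A*R**"),  # reset reply, not a SYN
    _pkt("10.1.1.48", "10.1.1.32", 5168, "******S*"),
    _pkt("10.1.1.48", "10.1.1.33", 5168, "******S*"),
    _pkt("10.1.1.50", "10.1.1.31", 80, "******S*"),    # single connection, below threshold
])

if __name__ == "__main__":
    print(sweepers(SAMPLE))
```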