RE: Port 3889 Traffic

From: Steven Trewick (STrewick_at_joplings.co.uk)
Date: 05/11/04

    To: 'Eric Ceradsky' <eric.ceradsky@sbcglobal.net>, incidents@securityfocus.com
    Date: Tue, 11 May 2004 15:32:08 +0100
    
    

    Best way to ID it is to set up a netcat listener (or similar [1]),
    and see what you get.

    Fortunately this is fairly trivial to do.

    Netcat is available for nix and doze boxen from :
    http://www.atstake.com/research/tools/network_utilities/

    You would use a command line something like :

    ' nc -l -p 3889 -o some_log_file.txt ', this will bind the netcat
    process to port 3889 and wait for an incoming connection, netcat
    will then produce a friendly hex/text output file containing any
    data that was sent over the link.

    If it's some kind of fileshare, it will likely spew some kind of header
    info at you (à la Kazaa, eDonkey, etc.), and if not, well, you will at
    least have something to analyse.

    This is how I ID'd a lot of the filesharing-related traffic that was
    turning up at the borders of my LAN.

    Obviously, you will need to allow the port through your firewall,
    (which you may be forgiveably uncomfortable with), and just as
    obviously, you will need to close that port again afterwards.

    It's not really possible to ID traffic (especially inbound TCP
    connections which are being dropped) merely by port number; you
    need to see some sample traffic. (This may not help ID what the
    traffic *is*, initially, but will help you define what it *isn't*,
    which is usually at least as important.)

    HTH :-)

    [1] You could also use WormRadar I think, http://www.wormradar.com/id1.html,
    if you are running some version of windows.

    > -----Original Message-----
    > From: Eric Ceradsky [mailto:eric.ceradsky@sbcglobal.net]
    > Sent: 08 May 2004 00:02
    > To: incidents@securityfocus.com
    > Subject: Port 3889 Traffic
    >
    >
    > I've been seeing a lot of port 3889 traffic externally
    > lately but haven't been able to dig up any known
    > issues with that port. Used to be one address and
    > overnight it quickly spawned to several. Brazil, US,
    > UK, etc. Anyone have any ideas?
    >
    > May 7 17:43:48 DROP <INPUT:DE 195.132.138.140 -> X.X.X.X 4055:3889/tcp S ppp0
    > May 7 17:43:54 DROP <INPUT:DE 195.132.138.140 -> X.X.X.X 4055:3889/tcp S ppp0
    > May 7 17:45:31 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2402:3889/tcp S ppp0
    > May 7 17:45:34 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2402:3889/tcp S ppp0
    > May 7 17:45:40 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2402:3889/tcp S ppp0
    > May 7 17:45:52 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2402:3889/tcp S ppp0
    > May 7 17:46:09 DROP <INPUT:DE 12.5.121.129 -> X.X.X.X 3915:3889/tcp S ppp0
    > May 7 17:46:10 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2423:3889/tcp S ppp0
    > May 7 17:46:12 DROP <INPUT:DE 12.5.121.129 -> X.X.X.X 3915:3889/tcp S ppp0
    > May 7 17:46:13 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2423:3889/tcp S ppp0
    > May 7 17:46:18 DROP <INPUT:DE 12.5.121.129 -> X.X.X.X 3915:3889/tcp S ppp0
    > May 7 17:46:19 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2423:3889/tcp S ppp0
    > May 7 17:46:31 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2423:3889/tcp S ppp0
    > May 7 17:47:01 DROP <INPUT:DE 195.132.138.140 -> X.X.X.X 4363:3889/tcp S ppp0
    > May 7 17:47:04 DROP <INPUT:DE 195.132.138.140 -> X.X.X.X 4363:3889/tcp S ppp0
    > May 7 17:47:10 DROP <INPUT:DE 195.132.138.140 -> X.X.X.X 4363:3889/tcp S ppp0
    >
    > Thanks
    >
    > ----------------------------------------------------------------------------
    > ----------------------------------------------------------------------------
    >
    > ---
    > Incoming mail checked for known viruses
    > Checked by AVG anti-virus system (http://www.grisoft.com).
    > Version: 6.0.680 / Virus Database: 442 - Release Date: 09/05/04
    >
    >

    The information contained in this e-mail is confidential and may be privileged, it is intended for the addressee only. If you have received this e-mail in error please delete it from your system. The statements and opinions expressed in this message are those of the author and do not necessarily reflect those of the company. Whilst Joplings Group operates an e-mail anti-virus program it does not accept responsibility for any damage whatsoever that is caused by viruses being passed.
    joplings.co.uk


