Re: Outgoing connection to port 6000 from port 25...

From: Anarchy (anarchysystems@dingoblue.net.au)
Date: 12/09/01


From: "Anarchy" <anarchysystems@dingoblue.net.au>
To: <security-basics@securityfocus.com>
Date: Mon, 10 Dec 2001 06:26:33 +0800

Hey,

Although the source ports are GENERALLY selected at random it is possible to
specify the source port. You should look for who is spawning the process
creating this connection... Has it only happened once or is it happening
more than once? If it has happened more than once you should try logging all
process commands for a small duration. It is pretty high on resources and
you will lose a significant amount of space though it is very worthwhile.
From memory lastcomm is a good choice?

Iain McAleer

----- Original Message -----

From: "AFE" <afe_bugtraq@yahoo.com>
To: "Jim Meier" <fatjim@home.com>; "Matthew Cline" <matt@nightrealms.com>
Cc: <security-basics@lists.securityfocus.com>
Sent: Friday, December 07, 2001 9:05 AM
Subject: Re: Outgoing connection to port 6000 from port 25...

> Hi
> User level client applications (I think) are not allowed to use ports lower
> than 1024.
> So you may have some reason to think so...
>
> Regards
>
> ----- Original Message -----
> From: "Jim Meier" <fatjim@home.com>
> To: "Matthew Cline" <matt@nightrealms.com>
> Cc: <security-basics@lists.securityfocus.com>
> Sent: 06 December 2001, Thursday 10:38
> Subject: Re: Outgoing connection to port 6000 from port 25...
>
>
> > On Tue, 2001-12-04 at 04:45, Matthew Cline wrote:
> > > I have my firewall set up to stop and log attempts to connect to external X
> > > servers, and this caught three attempts (all in the same second) to connect
> > > to destination port 6000, from a source port of 25 (SMTP). I don't think
> > > that my qmail server would attempt to make such a connection. Have I been
> > > rooted?
> > >
> >
> > Source ports do not map the destination ports - they are selected at
> > random from any available. There is no reason to think you've been hacked,
> > on this evidence.
> >
> > Do your logs show the originating ip?
> >
> > -Jim
>
>
>
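
The points raised in this thread (source ports are normally picked at random, ports below 1024 are reserved for privileged processes, and repeated hits deserve a closer look) applied to a firewall log. This is an added example, not part of the original messages; the netfilter-style log lines, the addresses and the names `parse` and `review` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG style (assumption: the thread does
# not show the poster's real log format, addresses or timestamps).
SAMPLE_LOG = """\
Dec  4 04:41:07 gw kernel: X11-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=25 DPT=6000
Dec  4 04:41:07 gw kernel: X11-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=25 DPT=6000
Dec  4 04:41:07 gw kernel: X11-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=25 DPT=6000
Dec  4 09:12:30 gw kernel: X11-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=34122 DPT=6000
Dec  4 09:15:02 gw kernel: OUT IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=41877 DPT=25
"""

X11_PORTS = range(6000, 6064)  # X displays :0 to :63 (assumed range of interest)
PRIVILEGED_MAX = 1023          # "ports lower than 1024"


def parse(line):
    """Return timestamp, addresses and ports from one log line, or None."""
    ts = re.match(r"(\w{3}\s+\d+\s+[\d:]{8})", line)
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    if not ts or "SPT" not in fields or "DPT" not in fields:
        return None
    return {"ts": ts.group(1), "src": fields.get("SRC"), "dst": fields.get("DST"),
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"])}


def review(log_text):
    """Group hits on X11 ports by (second, src, dst, source port) and classify."""
    groups = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["dpt"] in X11_PORTS:
            groups[(rec["ts"], rec["src"], rec["dst"], rec["spt"])] += 1
    findings = []
    for (ts, src, dst, spt), count in groups.items():
        findings.append({
            "ts": ts, "src": src, "dst": dst, "spt": spt, "count": count,
            # A source port below 1024 is outside the ephemeral pool, so it was
            # chosen explicitly; on Unix that traditionally requires root.
            "privileged_source": spt <= PRIVILEGED_MAX,
            "repeated": count > 1,
        })
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A finding with `privileged_source` set and `repeated` true is the case where the process accounting suggested in the reply above is worth its cost.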


