Port "0" scanning

From: Fred_McGriff (fmcgriff_at_nospam.com)
Date: 09/12/03


Date: Fri, 12 Sep 2003 15:28:50 GMT


 We are noticing a massive increase in connections from Port "8" on external
machines to Port "0" on our machine. We are getting roughly 4,000 per day.
 My logs suggest most of the increase is from computers on our DSL subnet. A
sample entry is:

<SAMPLE>
Sep 9 01:02:50 hurl kernel: Packet log: input ACCEPT eth0 PROTO=1
xxx.xxx.xxx.xxx:8 xxx.xxx.xxx.xxx:0 L=92 S=0x00 I=59720 F=0x0000 T=125 (#5)
<END SAMPLE>

 I have tried scanning my ports externally and get reports that the port is
not available. My computer is running SUSE Linux 7.2 with the firewall
running. Interestingly, our WinXP boxes do not show the same kind of
activity in their logs.

 I really have two questions.

 Is there a way to stop ACCEPTing these connections?

 Activity increased after the latest email virus hit. Is it possible this
kind of activity is part of a denial of service attack which is not intended
to cripple specific machines, but to cripple the internet in general? We are
experiencing an overall sluggishness in internet responsiveness in recent
days.
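
Added example, not part of the original post: in an ipchains packet log, PROTO=1 is ICMP, which has no ports, so the two "port" fields carry the ICMP type and code, and type 8 with code 0 is an echo request (ping). The Python below parses such lines and counts ICMP packets per source and type; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Layout of an ipchains "Packet log:" entry, as in the sample above.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable",
              8: "echo-request", 11: "time-exceeded"}

def parse_line(line):
    """Return a dict for one log line, or None if it is not a packet log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    rec = {"action": m["action"], "proto": PROTO_NAMES.get(proto, str(proto)),
           "src": m["src"], "dst": m["dst"], "length": int(m["length"])}
    if proto == 1:
        # ICMP has no ports: the "port" positions hold ICMP type and code.
        icmp_type = int(m["sport"])
        rec["icmp_type"] = ICMP_TYPES.get(icmp_type, str(icmp_type))
        rec["icmp_code"] = int(m["dport"])
    else:
        rec["sport"], rec["dport"] = int(m["sport"]), int(m["dport"])
    return rec

def summarize(lines):
    """Count ICMP packets per (source address, ICMP type)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "icmp":
            counts[(rec["src"], rec["icmp_type"])] += 1
    return counts

# Constructed sample lines (documentation address ranges, not real hosts).
PREFIX = "Sep 9 01:02:50 hurl kernel: Packet log: input "
SAMPLE = [
    PREFIX + "ACCEPT eth0 PROTO=1 192.0.2.10:8 198.51.100.5:0 L=92 S=0x00 I=59720 F=0x0000 T=125 (#5)",
    PREFIX + "ACCEPT eth0 PROTO=1 192.0.2.10:8 198.51.100.5:0 L=92 S=0x00 I=59721 F=0x0000 T=125 (#5)",
    PREFIX + "ACCEPT eth0 PROTO=1 192.0.2.77:8 198.51.100.5:0 L=92 S=0x00 I=1044 F=0x0000 T=124 (#5)",
    PREFIX + "DENY eth0 PROTO=6 192.0.2.77:4123 198.51.100.5:80 L=48 S=0x00 I=100 F=0x4000 T=120 SYN (#7)",
]

if __name__ == "__main__":
    for (src, icmp_type), n in summarize(SAMPLE).most_common():
        print(f"{src:15} {icmp_type:14} {n}")
```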


