Re: Port 1026
From: Stephen (twiggy_at_vorax.org)
Date: 07/21/04
- Next message: Dave Harman: "Sendmail can't send mail when Iptables is on"
- Previous message: Bob Smith: "grsecurity, systrace, or both?"
- Next in thread: Bit Twister: "Re: Port 1026"
- Reply: Bit Twister: "Re: Port 1026"
- Maybe reply: Bernhard Kastner: "Re: Port 1026"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 21 Jul 2004 10:40:52 +0000 (UTC)
Felix Tilley wrote:
> Anyone know what this is. I have been getting this from 12.148.162.131
> for about a week now. I am using Linux Mandrake 8.1 with kernel 2.4.8
> with iptables.
>
>
> iplog2|grep UDP
> Jun 14 20:12:14 -0700 SRC=12.148.162.131 DST=63.184.1.105 PROTO=UDP SPT=9092 DPT=1026
Name:
cap
Purpose:
Calender Access Protocol
Description:
Microsoft operating systems tend to allocate one or more unsuspected,
publicly exposed services (probably DCOM, but who knows) among the first
handful of ports immediately above the end of the service port range
(1024+).
Related Ports:
1024, 1025, 1027, 1028, 1029, 1030
Background and Additional Information:
The most distressing aspect of this, is that these service ports are
wide open to the external Internet. If Microsoft wants to allow DCOM
services and clients operating within a single machine to inter-operate,
that's fine. But in that case the DCOM service ports should be "locally
bound" so that they are not wide open and flapping in the Internet
breeze. This is trivial to do, but Microsoft doesn't bother. Or, if
there might be some reason to have DCOM used within a local area
network, DCOM traffic could be generated with packets having their TTL
(time to live) set down to one or two. This would allow DCOM packets
complete local freedom, but they would expire immediately after crossing
one or two router hops. The point is, there are many things Microsoft
could easily do if they had any true concern for, or understanding of,
Internet security.
Who knows what known or unknown, discovered or yet to be discovered
vulnerabilities already exist those exposed servers and services? This
is PRECISELY the situation which hit end users who didn't realize they
were running a personal version of Microsoft's IIS web server when the
Code Red and Nimda worms hit them and installed backdoor Trojans in
their systems. And it's IDENTICAL to the situation when the SQL Slammer
worm ripped across the Internet and tens of thousands of innocent end
users discovered, to their total surprise, that some other software
(Here's an off-site link to SQL-installing applications.) had silently
installed Microsoft's insecure and now exploited SQL server into their
machines, and that server had silently opened their ports 1433 and 1434
to the entire Internet.
If you are reading this page because our port analysis has revealed that
you have open ports lying between 1024 and 1030, it would certainly be
in your best interests to configure your personal firewall to block
incoming connection requests (TCP SYN packets) to those low-numbered ports.
Unfortunately, since Windows initially initiates outgoing connections
from this same low-numbered port range (as the first ports it uses
immediately after booting), you may need to be careful with the
configuration of your firewall rules. Otherwise you may find that the
first several outbound connection attempts made by Windows will fail
because returning traffic has been blocked at your firewall. However,
any good stateful personal firewall, such as Zone Alarm and probably
others, ought to block these low-numbered ports automatically. And, of
course, placing any network behind a NAT router provides extremely good
hardware firewall protection for your system(s).
- Next message: Dave Harman: "Sendmail can't send mail when Iptables is on"
- Previous message: Bob Smith: "grsecurity, systrace, or both?"
- Next in thread: Bit Twister: "Re: Port 1026"
- Reply: Bit Twister: "Re: Port 1026"
- Maybe reply: Bernhard Kastner: "Re: Port 1026"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
