[Snort-users] Odd source port

Phil Wood cpw at ...440...
Thu Apr 26 23:04:32 EDT 2001


Hi again,

I didn't say it outright, but when I see a high source port on the first
packet of a TCP 3-way handshake to one of the classic service ports that
is attacked by ramen, 1i0n, and such scripts, I think either this guy is
scanning and happened to hit my address space after having possibly scanned
other networks, or he's using a host that's been up a long long time and
the high source port's number just came up naturally in the course of things.
If I weren't running an ftp server (in this case), then I'd be pretty sure
that I was seeing a scan for wu-ftpd vulnerability number x.

All ports look suspicious to me.  Especially when I'm running a true
client with no services to offer and everyone in the world is hitting
me up for port 21, 25, 53, 80, 109, 110, 111, 515, ...

Good Luck,

Phil

On Fri, Apr 27, 2001 at 10:30:04AM +1000, Kendall Lister wrote:
> On Thu, 26 Apr 2001, Phil Wood wrote:
> 
> > > input ACCEPT eth1 PROTO=6 63.230.69.10:13117 xxx.xxx.xxx.xxx:21 L=60
> > > S=0x00 I=48855 F=0x4000 T=36 SYN (#39)
> > > 
> > > 13117 is suspiciously similar to 31337 - I'm curious to know if this is
> > > part of a known modus operandi?
> > 
> > Let's assume that there are no bad guys (just for a sec).  The above
> > packet is the first of a TCP three-way "call establishment" handshake
> > attempting to establish a connection to an FTP server on
> > xxx.xxx.xxx.xxx.  The source port is picked by the client os, so that
> > combined with the source and destination IP addresses, and destination
> > port it is UNIQUE for that client. A common way to assign a client
> > source port is to bump a port number, see if it is not in use, and
> > then make the connection to the server.
> > 
> > Example from my system:
> 
> Hi Phil,
> 
> Thanks a lot for your detailed response - I knew most of it already, but
> it always helps to be reassured. I understand the possibility that port
> 13117 could be a fluke, and also that an incomer could arbitrarily choose
> it. What I'm wondering is if anyone else has seen it with enough
> regularity to suggest a particular (exploit) client - I have searched and
> not found any references to it. If anyone has seen it in your logs, feel
> free to contact me off the list to discuss it further, and then we can
> report back if anything comes of it...
> 
> Kendall
> krl at ...1907...

-- 
Phil Wood, cpw at ...440...
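As an added illustration (not code from this thread or from Snort), a small Python parser for the ipchains-style log line Kendall quoted, applying Phil's distinction: a source that SYNs to several host/port pairs looks like a scanner, while a single SYN to one service port could just be a client whose OS handed out a high port. The log lines and addresses below are constructed.

```python
import re
from collections import defaultdict

# Matches the ipchains packet-log format quoted in the thread:
#   input ACCEPT eth1 PROTO=6 SRC:SPORT DST:DPORT L=.. S=.. I=.. F=.. T=.. SYN (#rule)
# "SYN" is only printed when the SYN flag is set, so it is optional here.
LINE_RE = re.compile(
    r"PROTO=(?P<proto>\d+)\s+(?P<src>[\w.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\w.]+):(?P<dport>\d+)\s+L=\d+\s+S=\S+\s+I=\d+\s+"
    r"F=\S+\s+T=\d+(?P<syn>\s+SYN)?"
)

# The classic service ports Phil lists as the ones everyone gets hit on.
SERVICE_PORTS = {21, 25, 53, 80, 109, 110, 111, 515}

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
input ACCEPT eth1 PROTO=6 192.0.2.10:13117 198.51.100.5:21 L=60 S=0x00 I=48855 F=0x4000 T=36 SYN (#39)
input DENY eth1 PROTO=6 192.0.2.77:1025 198.51.100.5:21 L=60 S=0x00 I=101 F=0x4000 T=48 SYN (#39)
input DENY eth1 PROTO=6 192.0.2.77:1026 198.51.100.5:515 L=60 S=0x00 I=102 F=0x4000 T=48 SYN (#39)
input DENY eth1 PROTO=6 192.0.2.77:1027 198.51.100.6:111 L=60 S=0x00 I=103 F=0x4000 T=48 SYN (#39)
input ACCEPT eth1 PROTO=17 192.0.2.30:53 198.51.100.5:53 L=80 S=0x00 I=5 F=0x0000 T=60 (#12)
"""

def parse_line(line):
    """Return the fields of one ipchains packet-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"proto": int(m.group("proto")), "src": m.group("src"),
            "sport": int(m.group("sport")), "dst": m.group("dst"),
            "dport": int(m.group("dport")), "syn": m.group("syn") is not None}

def classify_sources(lines):
    """Group TCP SYNs to service ports by source host and label each source.

    'scan-like'  : the source hit more than one (dst, dport) pair
    'single-hit' : one service port on one host; may be an ordinary client
    """
    targets, sports = defaultdict(set), defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if not p or p["proto"] != 6 or not p["syn"] or p["dport"] not in SERVICE_PORTS:
            continue  # ignore non-TCP, non-SYN, and non-service-port traffic
        targets[p["src"]].add((p["dst"], p["dport"]))
        sports[p["src"]].append(p["sport"])
    return {src: {"targets": sorted(t), "source_ports": sports[src],
                  "verdict": "scan-like" if len(t) > 1 else "single-hit"}
            for src, t in targets.items()}

if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(src, info["verdict"], info["source_ports"], info["targets"])
```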