Firewall Wizards mailing list archives

RE: Port 788 (Was: hitting the "on" switch)


From: "Giesinger, Nick HE0" <ngiesing () health gov sk ca>
Date: Fri, 19 Sep 1997 09:21:07 -0600

It appears that the 788 is a mask, the source is originating a poke at
starting a custom port.  We have a firewall that proxies to web and uses
a port over the 1000 to track which proxy goes where.  The site that our
proxies are going to would see packets coming from our ip G.H.I.K (1000)
to their ip Q.R.S.T(80).  I would not worry about the source.

What I would ask is why are they picking random destination ports?  I
think that the answer would be that they are fishing for a response.  We
have custom ports that we allow our "Extranet" users to come in on.  I
would suspect that "they" are poking around looking for a response.

Nick Giesinger
SHL SystemHouse LTD

        -----Original Message-----
        From:   kees () echelon nl [SMTP:kees () echelon nl]
        Sent:   Thursday, September 18, 1997 3:40 PM
        To:     firewall-wizards () nfr net
        Subject:        Port 788 (Was: hitting the "on" switch)


        Marcus J. Ranum wrote:

        > Anyhow, welcome to the list. The floor is yours.

        Thank you :-)

        I'm puzzled by the following log entries from my Cisco (edited):

        Sep  3 21:46:13 tcp A.B.C.D(788) -> Z.Z.Z.116(2148), 1 packet
        Sep  5 05:05:50 tcp A.B.C.D(788) -> Z.Z.Z.116(1596), 1 packet
        Sep  5 18:35:16 tcp A.B.C.D(788) -> Z.Z.Z.116(1564), 1 packet
        Sep  7 01:37:53 tcp A.B.C.D(788) -> Z.Z.Z.116(2144), 1 packet
        Sep  7 08:30:54 tcp A.B.C.D(788) -> Z.Z.Z.116(2488), 1 packet
        Sep  7 23:07:25 tcp A.B.C.D(788) -> Z.Z.Z.116(2336), 1 packet
        Sep  8 05:35:11 tcp A.B.C.D(788) -> Z.Z.Z.116(1600), 1 packet
        Sep  8 06:08:53 tcp A.B.C.D(788) -> Z.Z.Z.116(1540), 1 packet
        Sep  9 01:32:47 tcp E.F.G.H(788) -> Z.Z.Z.116(1560), 1 packet
        Sep  9 01:38:37 tcp E.F.G.H(788) -> Z.Z.Z.116(1560), 1 packet
        Sep  9 19:56:37 tcp A.B.C.D(788) -> Z.Z.Z.116(1752), 1 packet
        Sep 10 03:31:47 tcp A.B.C.D(788) -> Z.Z.Z.116(2396), 1 packet

        In July and August only A.B.C.D was sending these packets; now I have
        two of them. Any ideas what these guys are trying to do? As far as I
        know, there are no well-known services using port 788.
        By the way, Z.Z.Z.116 has never been in active use.

        -- 
        Kees Hendrikse                               | email: kees () echelon nl
                                                     |
        ECHELON consultancy and software development | phone: +31 (0)53 48 36 585
        PO Box 545, 7500AM Enschede, The Netherlands | fax:   +31 (0)53 43 37 415

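The pattern both posters are reasoning about (one fixed source port, many distinct destination ports, all aimed at an address that runs no services) is easy to check for mechanically. The following is an added example, not code from either poster: it parses the Cisco log format quoted above and flags sources that touch several distinct destination ports on the same host, while recording whether the source port stayed constant. The sample log is the anonymised set of lines from the post; the threshold of three distinct ports is an assumption.

```python
import re
from collections import defaultdict

# Format of the Cisco access-list log lines quoted in the post, e.g.
#   "Sep  3 21:46:13 tcp A.B.C.D(788) -> Z.Z.Z.116(2148), 1 packet"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[^\s(]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>[^\s(]+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?$"
)

# Sample input: the (already anonymised) log lines from the post.
SAMPLE_LOG = """\
Sep  3 21:46:13 tcp A.B.C.D(788) -> Z.Z.Z.116(2148), 1 packet
Sep  5 05:05:50 tcp A.B.C.D(788) -> Z.Z.Z.116(1596), 1 packet
Sep  5 18:35:16 tcp A.B.C.D(788) -> Z.Z.Z.116(1564), 1 packet
Sep  7 01:37:53 tcp A.B.C.D(788) -> Z.Z.Z.116(2144), 1 packet
Sep  7 08:30:54 tcp A.B.C.D(788) -> Z.Z.Z.116(2488), 1 packet
Sep  7 23:07:25 tcp A.B.C.D(788) -> Z.Z.Z.116(2336), 1 packet
Sep  8 05:35:11 tcp A.B.C.D(788) -> Z.Z.Z.116(1600), 1 packet
Sep  8 06:08:53 tcp A.B.C.D(788) -> Z.Z.Z.116(1540), 1 packet
Sep  9 01:32:47 tcp E.F.G.H(788) -> Z.Z.Z.116(1560), 1 packet
Sep  9 01:38:37 tcp E.F.G.H(788) -> Z.Z.Z.116(1560), 1 packet
Sep  9 19:56:37 tcp A.B.C.D(788) -> Z.Z.Z.116(1752), 1 packet
Sep 10 03:31:47 tcp A.B.C.D(788) -> Z.Z.Z.116(2396), 1 packet
""".splitlines()

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def summarize_sources(lines, min_distinct_ports=3):
    """Group events by source address.  A source hitting at least
    min_distinct_ports different destination ports on the host is flagged
    as probing ("fishing for a response"); a single source port reused
    across all of them is reported too, since a proxy or NAT device, not
    a normal client stack, is what keeps the source port fixed."""
    by_src = defaultdict(lambda: {"events": 0, "sports": set(), "dports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than fail
        s = by_src[rec["src"]]
        s["events"] += rec["count"]
        s["sports"].add(rec["sport"])
        s["dports"].add(rec["dport"])
    return {
        src: {
            "events": s["events"],
            "distinct_dports": len(s["dports"]),
            "fixed_sport": next(iter(s["sports"])) if len(s["sports"]) == 1 else None,
            "probing": len(s["dports"]) >= min_distinct_ports,
        }
        for src, s in by_src.items()
    }
```

Run against the sample, A.B.C.D is flagged (ten distinct destination ports, source port fixed at 788) while E.F.G.H, which only repeated one port twice, is not.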

