Security Incidents mailing list archives

Re: source port 321


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Fri, 28 Jan 2000 15:50:13 -0800


The most likely cause for people probing a non-existent machine is that it
exists in a DNS zone somewhere. (I've always put non-existent machines in
my zones as a sort of honeypot for this purpose.)

This machine may have been from a zone transfer, or it could be set up as the
MX (mail transfer) record for a zone.

321 looks suspiciously like a "spur-of-the-moment" port number like 123,
12345, 44444, 4321, etc.

My advice is to set up a honeypot system. Grab an old 486 and the newest
RedHat distro, install EVERYTHING, then go into /etc/inetd.conf and enable
all the services. This will give a system that will respond like a Christmas
tree to port scans, and which will encourage further exploitation to figure
out what the hacker is up to (but the newest version should be relatively
immune to script kiddies). Running tcpdump on the system or some other
sniffer would keep a nice record of what people are doing. Running an
intrusion detection system would also be nice.

Robert Graham

Disclaimer: I have no clue either; the above is just my musings on the
topic.

Disclaimer: My answer is always "grab" a sniffer or "use an IDS" :-)
http://www.robertgraham.com/pubs/sniffing-faq.html
http://www.robertgraham.com/pubs/network-intrusion-detection.html

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
Behalf Of T.Esting
Sent: Friday, January 28, 2000 9:09 AM
To: INCIDENTS () securityfocus com
Subject: source port 321

  I've been tracking a weird port scan for a few months now.  It's not
terribly fast, and it's almost always pointed at one nonexistent machine on
a public subnet for which I'm responsible.  The fact that the machine
doesn't exist and has been a target for several months is strange enough, in
and of itself.  The fact that the number of distinct machines probing the
same nonexistent address is large and growing is stranger.  Add that to the
fact that the source port for the probes is, more often than not, 321 and I
think something pretty fishy is going on.  However, I have yet to find any
reference to attack tools, distributed or not, that have that particular
port as a signature.

  Has anyone run into this in the past who can shed some light?

  TIA.

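The thread above describes two things worth automating once a sniffer is in place: counting how many distinct hosts hit the unused address, and noticing that the source port is fixed (321) instead of ephemeral. The script below is an added example, not code from either poster; it parses tcpdump-style text lines (the sample capture is constructed here, using documentation address ranges, and the target 198.51.100.20 is an assumed "nonexistent" host) and reports whether one source port dominates across several unrelated sources.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `tcpdump -n` output (not a real capture). Most lines
# are SYNs at an unused address, 198.51.100.20, from a fixed source port 321;
# two lines are ordinary traffic with ephemeral source ports for contrast.
SAMPLE_CAPTURE = """\
09:01:02.100000 IP 203.0.113.7.321 > 198.51.100.20.23: Flags [S], seq 1, win 512, length 0
09:05:44.200000 IP 203.0.113.9.321 > 198.51.100.20.23: Flags [S], seq 2, win 512, length 0
09:17:10.300000 IP 192.0.2.33.321 > 198.51.100.20.23: Flags [S], seq 3, win 512, length 0
09:18:11.400000 IP 192.0.2.33.321 > 198.51.100.20.21: Flags [S], seq 4, win 512, length 0
09:30:00.500000 IP 192.0.2.50.40123 > 198.51.100.20.80: Flags [S], seq 5, win 65535, length 0
09:31:00.600000 IP 192.0.2.50.40124 > 198.51.100.10.80: Flags [S], seq 6, win 65535, length 0
09:45:09.700000 IP 203.0.113.7.321 > 198.51.100.20.23: Flags [S], seq 7, win 512, length 0
"""

# Matches the "time IP src.sport > dst.dport:" prefix of a tcpdump -n line.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Yield (timestamp, src, sport, dst, dport) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def profile_target(text, target):
    """Summarise every packet whose destination is `target`."""
    sources = set()
    sport_hist = Counter()
    dport_hist = Counter()
    sports_by_source = defaultdict(set)
    for _ts, src, sport, dst, dport in parse_capture(text):
        if dst != target:
            continue
        sources.add(src)
        sport_hist[sport] += 1
        dport_hist[dport] += 1
        sports_by_source[src].add(sport)
    return {
        "probes": sum(sport_hist.values()),
        "distinct_sources": len(sources),
        "source_ports": sport_hist,
        "dest_ports": dport_hist,
        "sports_by_source": {s: sorted(p) for s, p in sports_by_source.items()},
    }


def fixed_source_port(profile, min_sources=3, min_share=0.5):
    """Return the dominant source port if it is shared by several sources.

    Normal clients choose ephemeral source ports, so one port accounting for
    most probes *and* appearing from several unrelated hosts suggests a common
    tool that hard-codes it. Thresholds are arbitrary assumptions; tune them.
    """
    if profile["probes"] == 0 or profile["distinct_sources"] < min_sources:
        return None
    port, count = profile["source_ports"].most_common(1)[0]
    hosts_using = sum(1 for ports in profile["sports_by_source"].values() if port in ports)
    if count / profile["probes"] >= min_share and hosts_using >= min_sources:
        return port
    return None


if __name__ == "__main__":
    prof = profile_target(SAMPLE_CAPTURE, "198.51.100.20")
    print(f"probes={prof['probes']} distinct_sources={prof['distinct_sources']}")
    print("source ports:", dict(prof["source_ports"]))
    print("dest ports:  ", dict(prof["dest_ports"]))
    print("fixed source port:", fixed_source_port(prof))
```

To feed it real data, capture with something like `tcpdump -n dst host 198.51.100.20` (the address is the assumed unused host) and pass the text to `profile_target`. On the constructed sample the function reports six probes from four sources and flags 321, because three separate hosts share that source port; the same run against 198.51.100.10 returns nothing, since a single host with an ephemeral port is not evidence of anything.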

