Security Incidents mailing list archives
Re: source port 321
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Fri, 28 Jan 2000 15:50:13 -0800
The most likely cause for people probing a non-existent machine is because it exists in a DNS zone somewhere. (I've always put non-existent machines in my zones as a sort of honeypot for this purpose). This machine may have been from a zone transfer, or it could be set up as the mx (mail transfer) record for a zone.

321 looks suspiciously like a "spur-of-the-moment" port number like 123, 12345, 44444, 4321, etc.

My advice is to set up a honeypot system. Grab an old 486 and the newest RedHat distro, install EVERYTHING, then go into /etc/inetd.conf and enable all the services. This will give a system that will respond like a Christmas tree to port scans, and which will encourage further exploitation to figure out what the hacker is up to (but the newest version should be relatively immune to script kiddies). Running TCPDUMP on the system or some other sniffer would keep a nice record of what people are doing. Running an intrusion detection system would also be nice.

Robert Graham

Disclaimer: I have no clue either; the above is just my musings on the topic.
Disclaimer: My answer is always "grab" a sniffer or "use an IDS" :-)
http://www.robertgraham.com/pubs/sniffing-faq.html
http://www.robertgraham.com/pubs/network-intrusion-detection.html

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On Behalf Of T.Esting
Sent: Friday, January 28, 2000 9:09 AM
To: INCIDENTS () securityfocus com
Subject: source port 321

I've been tracking a weird port scan for a few months now. It's not terribly fast, and it's almost always pointed at one nonexistent machine on a public subnet for which I'm responsible. The fact that the machine doesn't exist and has been a target for several months is strange enough, in and of itself. The fact that the number of distinct machines probing the same nonexistent address is large and growing is stranger.

Add that to the fact that the source port for the probes is, more often than not, 321 and I think something pretty fishy is going on. However, I have yet to find any reference to attack tools, distributed or not, that have that particular port as a signature. Has anyone run into this in the past that can shed some light? TIA.

_______________________________________________________
Get 100% FREE Internet Access powered by Excite
Visit http://freeworld.excite.com
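The thread boils down to two observations worth automating: a nonexistent address on the subnet receives probes, and the probes share a fixed source port (321) across a growing set of distinct sources. The script below is an added example, not code from either poster; it parses constructed log lines written in the shape of `tcpdump -n` TCP output (the exact field layout is an assumption, as is the documentation-range addressing), marks every hit on a "dark" address, and reports the distinct sources that used the signature port so the growth T.Esting describes can be tracked from a sniffer's record rather than eyeballed.

```python
"""Flag probes with a fixed source port (321 here) against addresses that should
never receive traffic, and track the distinct sources behind them.

Added example; not part of the original mailing-list posts. The sample lines are
constructed in the shape of `tcpdump -n` TCP output (assumed layout:
"HH:MM:SS.ffffff src.sport > dst.dport: S ..."); the addresses are documentation
ranges, not observed hosts.
"""
import re
from collections import defaultdict

# Constructed sample capture: 198.51.100.77 is the "dark" (unallocated) address.
SAMPLE_LOG = """\
09:01:12.100001 192.0.2.10.321 > 198.51.100.77.23: S 1234:1234(0) win 512
09:01:13.200002 192.0.2.11.321 > 198.51.100.77.80: S 99:99(0) win 512
09:04:40.000003 203.0.113.5.1045 > 198.51.100.20.25: S 5:5(0) win 8192
09:07:01.000004 192.0.2.10.321 > 198.51.100.77.21: S 77:77(0) win 512
09:09:55.000005 192.0.2.12.40000 > 198.51.100.77.22: S 1:1(0) win 1024
"""

# Matches the assumed tcpdump layout: timestamp, src.port > dst.port: ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return (ts, src, sport, dst, dport) or None if the line is not a TCP record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def find_signature_probes(log_text, dark_hosts, src_port=321):
    """Per dark host, the sorted list of distinct sources that probed it from src_port.

    dark_hosts: addresses that should never receive legitimate traffic, e.g.
    unallocated addresses in a subnet or honeypot names planted in DNS.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, sport, dst, _ = rec
        if dst in dark_hosts and sport == src_port:
            hits[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


def all_traffic_to_dark_hosts(log_text, dark_hosts):
    """Count every probe to dark hosts keyed by (dst, source port).

    Any traffic to a dark host is suspect; grouping by source port is what makes
    a fixed, oddly chosen port such as 321 stand out from ephemeral ports.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in dark_hosts:
            counts[(rec[3], rec[2])] += 1
    return dict(counts)


if __name__ == "__main__":
    dark = {"198.51.100.77"}
    print(find_signature_probes(SAMPLE_LOG, dark))
    print(all_traffic_to_dark_hosts(SAMPLE_LOG, dark))
```

Run it against a real `tcpdump -n` capture from the honeypot by reading the file into `log_text`; the set of dark addresses is the only site-specific input. Re-running the first function daily and diffing the source lists gives a direct measure of whether the population of probing hosts is still growing.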
Current thread:
- Re: Probes to tcp 2766 ('System V Listner') Robert G. Ferrell (Jan 27)
- source port 321 T.Esting (Jan 28)
- Re: source port 321 Robert Graham (Jan 28)
- Re: Probes to tcp 2766 ('System V Listner') Thiago/c0nd0r (Jan 28)
- source port 321 T.Esting (Jan 28)