Security Incidents mailing list archives
Re: Ports 25092 / 20869
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Tue, 4 Jan 2000 11:34:09 -0800
I typically run netcat to set up a listener:

    nc -L -p 25092

This will listen for all connections on that port, then dump the incoming contents to the screen (or file if redirected). You've got a 50% chance that they will send data across the connection that will help you figure out what is going on. For example, if they are trying to use HTTP, then you'll see the URL, Host:, Referer: (sic), etc. However, if the protocol expects a banner message before continuing (like POP, FTP, SMTP, etc.), then you are out of luck.

Rob.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On Behalf Of Vanja Hrustic
Sent: Tuesday, January 04, 2000 1:47 AM
To: INCIDENTS () securityfocus com
Subject: Ports 25092 / 20869

Hello!

This is happening for a few days already, and I can't figure out what it is:

==[ IPs are changed ]=====
...
Jan 4 16:34:39 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60165 F=0x4000 T=27 SYN (#7)
Jan 4 16:34:42 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60421 F=0x4000 T=27 SYN (#7)
Jan 4 16:34:49 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63237 F=0x4000 T=27 SYN (#7)
Jan 4 16:35:01 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63749 F=0x4000 T=27 SYN (#7)
Jan 4 16:35:44 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30726 F=0x4000 T=121 SYN (#7)
Jan 4 16:35:47 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30982 F=0x4000 T=123 SYN (#7)
Jan 4 16:35:53 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=31238 F=0x4000 T=123 SYN (#7)
...
==========================

The "remote" side (university) is less than helpful; they also have a firewall that doesn't let anything in (so I can't try to 'identify' the offender :) - it's better to ask a question in here.

Does anybody know what kind of traffic this is? [The hosts generating the traffic do have valid IPs, and are resolvable.] I also couldn't find anything related to these ports on the trojan lists.

It starts in the morning (usually around 09am), and happens randomly a few times per day. The first thought that came to mind is that some Win95/98 box is generating that traffic when it is rebooted (or turned on). Any ideas of which software might cause this?

Thanks in advance.

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time
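Rob's netcat trick, as an added example that is not part of the original post: a listener in the spirit of `nc -L -p 25092` that never speaks first, captures whatever the client sends, and classifies it. It also shows the failure mode he mentions: a client that expects a server banner (POP3, FTP, SMTP) sends nothing, and the capture comes back empty. The loopback self-test, the sample HTTP request and the hostnames in it are constructed for illustration.

```python
"""Added example, not from Robert Graham's post: a minimal "catch the first
bytes" listener in the spirit of `nc -L -p 25092`, plus a classifier for what
the client sent.  Ports, hostnames and the sample request are constructed."""
import socket
import threading
import time
from typing import Optional

MAX_FIRST_PAYLOAD = 4096
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")

# Constructed sample: what an HTTP-speaking client leaks to a silent listener.
SAMPLE_HTTP_REQUEST = (b"GET /index.html HTTP/1.0\r\n"
                       b"Host: example.test\r\n"
                       b"Referer: http://a.test/\r\n\r\n")


def classify_payload(data: bytes) -> dict:
    """Make sense of the first bytes a client sent to a listener that said nothing.

    An empty payload is the "out of luck" case from the post: the client was
    waiting for a server banner (POP3, FTP, SMTP ...) or only completed the
    handshake.  HTTP-like requests give away the URL and Host:/Referer: headers."""
    if not data:
        return {"kind": "silent"}
    if data.startswith(HTTP_METHODS):
        lines = data.split(b"\r\n")
        method, _, rest = lines[0].decode("latin-1").partition(" ")
        headers = {}
        for line in lines[1:]:
            if not line:                      # blank line ends the header block
                break
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        return {"kind": "http", "method": method, "url": rest.split(" ")[0],
                "host": headers.get("host"), "referer": headers.get("referer")}
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)
    return {"kind": "text" if printable > 0.9 else "binary", "preview": data[:64].hex()}


def capture_first_payload(srv: socket.socket, timeout: float) -> tuple:
    """Accept one connection on an already-listening socket and return
    (peer_address, first bytes).  Nothing is ever sent back, so a client that
    expects a banner first times out and yields b""."""
    srv.settimeout(timeout + 2)               # don't wait forever for the SYN
    conn, peer = srv.accept()
    with conn:
        conn.settimeout(timeout)
        try:
            return peer, conn.recv(MAX_FIRST_PAYLOAD)
        except socket.timeout:
            return peer, b""


def listen_once(port: int, timeout: float = 10.0, host: str = "0.0.0.0") -> dict:
    """The nc -L -p PORT equivalent: wait for one connection on `port`."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        peer, data = capture_first_payload(srv, timeout)
    result = classify_payload(data)
    result["peer"] = peer
    return result


def simulate(client_bytes: Optional[bytes], timeout: float = 1.0) -> dict:
    """Offline self-test on loopback: a constructed client connects to the
    listener and either sends `client_bytes` or (None) sits silently, as a
    banner-expecting client would."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))            # ephemeral port, no collisions
        srv.listen(1)
        port = srv.getsockname()[1]

        def client():
            with socket.create_connection(("127.0.0.1", port)) as c:
                if client_bytes is None:
                    time.sleep(timeout + 0.5)  # wait for a banner that never comes
                else:
                    c.sendall(client_bytes)

        t = threading.Thread(target=client, daemon=True)
        t.start()
        peer, data = capture_first_payload(srv, timeout)
        t.join()
    return classify_payload(data)


if __name__ == "__main__":
    print(simulate(SAMPLE_HTTP_REQUEST))      # http, url=/index.html, host=example.test
    print(simulate(None))                     # silent: protocol expected a banner
```

To use it for real, replace the self-test with `listen_once(25092)` on the firewall (after opening the port) and, if the result is `silent`, try again with a guessed banner such as `220 ` for SMTP or `+OK` for POP3 before reading, since the silent case is exactly the one the plain listener cannot resolve.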
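The ipchains "Packet log" lines in the quoted message, worked through as an added example that is not part of either post: a parser for that log format and a per-flow summary that makes the first thing a practitioner would check visible, namely whether the repeated entries are independent connections or one connection attempt being retried. A TCP stack retransmits an unanswered SYN from the same source port at growing intervals, while a fresh connect() normally picks a new ephemeral port, so identical 4-tuples with increasing gaps point at retransmission of a single attempt. The sample lines are the ones from the post (addresses already anonymised there); the log carries no year, so the parsed timestamps are only used for differences.

```python
"""Added example, not from the original post: parse the ipchains "Packet log"
lines Vanja posted and group them per (src, sport, dst, dport) to tell
retransmitted SYNs of one attempt from separate connection attempts.  Sample
lines are copied from the post; the log has no year, so only time deltas are used."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?: (?P<flags>[A-Z]+))? \(#(?P<rule>\d+)\)$")

# Lines from the post; the "..." markers are kept to show that non-matching lines are skipped.
SAMPLE_LOG = """\
...
Jan 4 16:34:39 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60165 F=0x4000 T=27 SYN (#7)
Jan 4 16:34:42 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60421 F=0x4000 T=27 SYN (#7)
Jan 4 16:34:49 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63237 F=0x4000 T=27 SYN (#7)
Jan 4 16:35:01 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63749 F=0x4000 T=27 SYN (#7)
Jan 4 16:35:44 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30726 F=0x4000 T=121 SYN (#7)
Jan 4 16:35:47 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30982 F=0x4000 T=123 SYN (#7)
Jan 4 16:35:53 x kernel: Packet log: input DENY eth1 PROTO=6 203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=31238 F=0x4000 T=123 SYN (#7)
...
"""


def parse_packet_log(text: str) -> list:
    """Parse ipchains kernel log lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        # syslog writes "Jan  4" with two spaces for single-digit days; normalise first
        e["ts"] = datetime.strptime(" ".join(e["ts"].split()), "%b %d %H:%M:%S")
        for k in ("proto", "sport", "dport", "len", "ipid", "ttl", "rule"):
            e[k] = int(e[k])
        e["tos"] = int(e["tos"], 16)
        e["frag"] = int(e["frag"], 16)
        e["df"] = bool(e["frag"] & 0x4000)      # 0x4000 is the Don't Fragment bit
        events.append(e)
    return events


def summarise_flows(events: list) -> dict:
    """Group denied packets by 4-tuple and report count, inter-arrival gaps, IP IDs and TTLs."""
    flows = defaultdict(list)
    for e in events:
        flows[(e["src"], e["sport"], e["dst"], e["dport"])].append(e)
    out = {}
    for key, evs in flows.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(evs, evs[1:])]
        # Heuristic: same 4-tuple, SYN only, non-decreasing gaps looks like the
        # remote TCP stack retrying one connect() after our DENY dropped the SYN.
        retransmit = (len(evs) > 1 and all(e["flags"] == "SYN" for e in evs)
                      and gaps == sorted(gaps))
        out[key] = {
            "syns": len(evs),
            "gaps_s": gaps,
            "ipids": [e["ipid"] for e in evs],
            "ttls": sorted({e["ttl"] for e in evs}),
            "looks_like": ("retransmitted SYNs of a single attempt" if retransmit
                           else "separate connection attempts"),
        }
    return out


if __name__ == "__main__":
    for key, info in summarise_flows(parse_packet_log(SAMPLE_LOG)).items():
        print("%s:%d -> %s:%d" % key, info)
```

Read the summary per flow: four SYNs from 203.203.203.1:62851 at gaps of 3, 7 and 12 seconds and three from 203.203.203.2:62535 at gaps of 3 and 6 seconds, each with a constant source port, so each burst in the log is one denied connection attempt retried by the remote host rather than several separate ones. The TTL and IP ID columns are there because they are the next thing to compare across bursts when trying to tell whether the same machine is behind them.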
Current thread:
- Re: ICMP time exceed in-transit packets White, Tim (Dec 31)
- Re: ICMP time exceed in-transit packets Chris Brenton (Jan 01)
- Re: ICMP time exceed in-transit packets Alain Thivillon (Jan 01)
- Re: ICMP time exceed in-transit packets Christopher Wilson (Jan 02)
- port 119 Dariusz Zmokly (Jan 03)
- Re: port 119 Robert Graham (Jan 03)
- Re: port 119 Thomas Molina (Jan 04)
- Re: port 119 Vince Vielhaber (Jan 05)
- Re: ICMP time exceed in-transit packets Alain Thivillon (Jan 01)
- Ports 25092 / 20869 Vanja Hrustic (Jan 04)
- Re: Ports 25092 / 20869 Robert Graham (Jan 04)
- port 1150 and 4833 ? Kim R. Rasmussen (Jan 04)
- Re: port 1150 and 4833 ? Frameloss, Frameloss (Jan 10)
- Re: ICMP time exceed in-transit packets Chris Brenton (Jan 01)
- Re: port 119 R a v e N (Jan 05)
- Re: port 119 Scott Laws (Jan 04)
- Writeup: it. TLD going astray Arrigo Triulzi (Jan 03)
- Computer Forsenics System Administrator (Jan 03)
- Re: Computer Forsenics-> www.fish.com/forensics mike (Jan 03)
- traceroute ICMP packets Laszlo Fabian (Jan 04)
- Re: traceroute ICMP packets M J (Jan 04)
- Re: traceroute ICMP packets Larry Canup (Jan 18)