Security Incidents mailing list archives

Re: Ports 25092 / 20869


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Tue, 4 Jan 2000 11:34:09 -0800


I typically run netcat to set up a listener:

nc -L -p 25092

This will listen for all connections on that port, then dump the incoming
contents to the screen (or file if redirected).

You've got a 50% chance that they will send data across the connection that
will help you figure out what is going on. For example, if they are trying
to use HTTP, then you'll see the URL, Host:, Referer: (sic), etc.

However, if the protocol expects a banner message before continuing (like
POP, FTP, SMTP, etc.), then you are out of luck.

Rob.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On
Behalf Of Vanja Hrustic
Sent: Tuesday, January 04, 2000 1:47 AM
To: INCIDENTS () securityfocus com
Subject: Ports 25092 / 20869

Hello!

This is happening for a few days already, and I can't figure out what it
is:

==[ IPs are changed ]=====
...
Jan  4 16:34:39 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60165 F=0x4000 T=27
SYN (#7)
Jan  4 16:34:42 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60421 F=0x4000 T=27
SYN (#7)
Jan  4 16:34:49 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63237 F=0x4000 T=27
SYN (#7)
Jan  4 16:35:01 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63749 F=0x4000 T=27
SYN (#7)
Jan  4 16:35:44 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30726 F=0x4000 T=121
SYN (#7)
Jan  4 16:35:47 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30982 F=0x4000 T=123
SYN (#7)
Jan  4 16:35:53 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=31238 F=0x4000 T=123
SYN (#7)
...
==========================

The "remote" side (university) is less than helpful, they also have a
firewall that doesn't let anything in (so I can't try to 'identify' the
offender:) - it's better to ask a question in here. Does anybody know
what kind of traffic this is? [the hosts generating the traffic do have
valid IPs, and are resolvable]. I also couldn't find anything related to
these ports on the trojan lists.

It starts in the morning (usually around 09am), and happens randomly a few
times per day. First thought that came to mind is that some Win95/98 box
is generating that traffic when it is rebooted (or turned on).

Any ideas of which software might cause this?

Thanks in advance.

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time
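Added example, not code from either message or from Network ICE: a small Python listener in the spirit of Rob's "nc -L -p 25092" (note that the capital -L is the Windows netcat's "listen again after the client disconnects" option; the Unix netcat spells a plain listen -l). It records whatever a client sends first and, for the case Rob says netcat cannot help with, a client that waits for the server's banner before speaking, it sends a hypothetical generic banner after a short silence and records the reply. The two ports come from the log below; BANNER, the protocol tags in guess_protocol(), the loopback demo traffic and the "USER vanja" reply are constructed assumptions.

```python
"""Catch-all TCP listener for triaging unexplained inbound connections.
Added example (not from the post): logs a client's first bytes; if the client
waits for a banner, sends a hypothetical one after `wait` seconds and logs the reply."""
import socket
import threading

WATCH_PORTS = (25092, 20869)  # the two ports from the poster's firewall log
# Hypothetical probe banner. "220 ..." is the greeting shape SMTP and FTP
# clients expect; a POP3 client would want "+OK". Choose per suspicion.
BANNER = b"220 unknown service ready\r\n"


def guess_protocol(data, probed):
    """Rough tag for a client's first bytes (assumption: few text protocols)."""
    if not data:
        return "silent even after banner" if probed else "silent"
    verb = data.split(b"\r\n", 1)[0].split(b" ", 1)[0]
    if verb in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"CONNECT"):
        return "http"
    if verb in (b"HELO", b"EHLO"):
        return "smtp"
    if verb in (b"USER", b"CAPA", b"AUTH"):
        return "login"  # FTP/POP3 style; such clients only speak after a banner
    return "unknown"


def capture_first_bytes(conn, wait=5.0, probe=BANNER, maxlen=4096):
    """Return (data, probed): wait for the client to speak first; if it stays
    silent for `wait` seconds, send `probe` and wait once more."""
    conn.settimeout(wait)
    try:
        return conn.recv(maxlen), False
    except socket.timeout:
        pass
    try:
        conn.sendall(probe)
        return conn.recv(maxlen), True
    except (socket.timeout, OSError):
        return b"", True


def make_listener(host="0.0.0.0", port=0):
    """Bind and listen; port 0 lets the OS pick a free port (used by demo())."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def accept_and_capture(lsock, wait=5.0, probe=BANNER):
    """Accept one connection and return a record of what the client sent."""
    conn, peer = lsock.accept()
    with conn:
        data, probed = capture_first_bytes(conn, wait, probe)
    return {"peer": peer, "port": lsock.getsockname()[1], "data": data,
            "probed": probed, "guess": guess_protocol(data, probed)}


def serve(port, host="0.0.0.0"):
    """Real use: keep listening on one port and print every capture."""
    lsock = make_listener(host, port)
    while True:
        rec = accept_and_capture(lsock)
        print(f"[{port}] {rec['peer'][0]} probed={rec['probed']} "
              f"guess={rec['guess']} data={rec['data'][:200]!r}")


def simulate_client(addr, first=b"", reply=b""):
    """Loopback client for demo(): sends `first` at once or, if empty, waits
    for the banner and answers with `reply`. Constructed traffic."""
    with socket.create_connection(addr, timeout=5) as c:
        if first:
            c.sendall(first)
        else:
            c.recv(256)
            c.sendall(reply)


def demo(wait=0.5):
    """Both cases Rob describes, on loopback: a client that speaks first
    (HTTP) and one that waits for a banner, then logs in (USER after 220)."""
    scenarios = ((b"GET /update.cgi HTTP/1.0\r\nHost: 200.200.1.1\r\n\r\n", b""),
                 (b"", b"USER vanja\r\n"))
    results = []
    for first, reply in scenarios:
        lsock = make_listener("127.0.0.1", 0)
        t = threading.Thread(target=simulate_client,
                             args=(lsock.getsockname(), first, reply))
        t.start()
        results.append(accept_and_capture(lsock, wait=wait))
        t.join()
        lsock.close()
    return results


if __name__ == "__main__":
    for rec in demo():
        print(rec)
    # Real use, one thread per suspicious port:
    # for p in WATCH_PORTS:
    #     threading.Thread(target=serve, args=(p,), daemon=True).start()
```

Running the file shows both demo captures; for real use, call serve() for each port on the firewall host. One caveat the log below makes obvious: the packets are being DENYed, so nothing will ever reach a listener until the ipchains rule is relaxed for exactly those destination ports and, ideally, only for the two source addresses seen.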


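Added example, not part of either message: a Python triage script for the ipchains "Packet log:" lines Vanja posted. It re-joins the records the mail client wrapped over three lines, parses each field, groups packets by (source, source port, destination, destination port) and reports per group the gaps between packets, the IP ID steps, the TTLs seen and the TCP option length. The sample input is the excerpt from the post (with the poster's altered IPs); the year 2000 is taken from the message date, and the "retransmit vs. new connection" rule (same source port, SYN only, gaps that roughly double) is my heuristic, not something the post states.

```python
"""Triage for ipchains 'Packet log:' lines. Added example, not from the post: re-joins
wrapped records, parses them, groups packets into connection attempts (SYN retransmits vs. scan)."""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2000  # assumption: from the message date; syslog lines carry no year
# The excerpt as posted (IPs altered by the poster, line-wrapped by the mailer).
SAMPLE_LOG = """\
Jan  4 16:34:39 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60165 F=0x4000 T=27
SYN (#7)
Jan  4 16:34:42 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=60421 F=0x4000 T=27
SYN (#7)
Jan  4 16:34:49 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63237 F=0x4000 T=27
SYN (#7)
Jan  4 16:35:01 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.1:62851 200.200.1.1:25092 L=44 S=0x00 I=63749 F=0x4000 T=27
SYN (#7)
Jan  4 16:35:44 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30726 F=0x4000 T=121
SYN (#7)
Jan  4 16:35:47 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=30982 F=0x4000 T=123
SYN (#7)
Jan  4 16:35:53 x kernel: Packet log: input DENY eth1 PROTO=6
203.203.203.2:62535 200.200.1.1:20869 L=48 S=0x00 I=31238 F=0x4000 T=123
SYN (#7)
...
"""
START_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s")
RECORD_RE = re.compile(
    r"(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+Packet log:"
    r"\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+\S+\s+PROTO=(?P<proto>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+L=(?P<len>\d+)\s+S=0x\w+\s+I=(?P<id>\d+)\s+F=0x\w+"
    r"\s+T=(?P<ttl>\d+)\s*(?P<flags>[A-Z ]*?)\s*\(#(?P<rule>\d+)\)")


def unwrap(text):
    """Re-join records the mail client wrapped; skip '...' and '===' separator lines."""
    records, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "=.":
            continue
        if START_RE.match(line):
            if current:
                records.append(current)
            current = line
        elif current:
            current += " " + line
    return records + ([current] if current else [])


def parse_log(text):
    """Parse each record into typed fields (unparseable lines are dropped)."""
    out = []
    for m in filter(None, map(RECORD_RE.search, unwrap(text))):
        d = m.groupdict()
        stamp = f"{YEAR} {d.pop('mon')} {d.pop('day')} {d.pop('time')}"
        d["ts"] = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        d.update({k: int(d[k]) for k in ("proto", "sport", "dport", "len", "id", "ttl", "rule")})
        d["flags"] = d["flags"].strip()
        out.append(d)
    return out


def analyse(records):
    """Group TCP packets by 4-tuple and describe each group's timing and stack hints."""
    groups = defaultdict(list)
    for r in records:
        if r["proto"] == 6:
            groups[(r["src"], r["sport"], r["dst"], r["dport"])].append(r)
    report = []
    for (src, sport, dst, dport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        pairs = list(zip(recs, recs[1:]))
        deltas = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in pairs]
        id_deltas = [(b["id"] - a["id"]) % 65536 for a, b in pairs]
        # Heuristic: a stack retransmitting one SYN keeps the source port and roughly
        # doubles the gap each time; a scanner or a fresh connect() does neither.
        backoff = len(deltas) >= 2 and all(b >= 1.5 * a for a, b in zip(deltas, deltas[1:]))
        if len(recs) == 1:
            verdict = "single SYN"
        elif backoff and all(r["flags"] == "SYN" for r in recs):
            verdict = "one connection attempt, SYN retransmitted by the client's stack"
        else:
            verdict = "repeated new connections or scan"
        report.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                       "count": len(recs), "deltas": deltas, "id_deltas": id_deltas,
                       "ttls": sorted({r["ttl"] for r in recs}),
                       "tcp_opt_bytes": recs[0]["len"] - 40,  # assumes 20-byte IP + 20-byte TCP
                       "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in analyse(parse_log(SAMPLE_LOG)):
        print(row)
```

On the posted lines this yields two groups, each a single connection attempt whose SYN the client's stack retried (gaps of 3, 7, 12 s and 3, 6 s, same source port throughout), so the firewall is seeing one program on each host trying one port a few times, not a scan. The observables to match against the suspected Win95/98 machines are the 4 versus 8 bytes of TCP options, the different TTLs, and IP IDs that step by multiples of 256 (a pattern commonly produced by stacks that increment the ID field in host byte order); they are hints for narrowing down the sending software, not an identification.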