Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second

From: alfaentomega <alfaentomega () yahoo com>
Date: Fri, 27 Dec 2002 00:52:26 -0800 (PST)

--- Pavel Kankovsky <peak () argo troja mff cuni cz> wrote:

On Mon, 23 Dec 2002, alfaentomega wrote:

Hypothesis: one of the services listening on your machine opens a
short-lived listening sockets on an automatically assigned port (ie.
in 1024-5000 range) when it accepts a connection. This would explain
why SYN scan does not trigger it but connect() scan does.

Try this:
  for each port p in 1-1023
     perform a connect() scan of p and 1024-5000

Only a small set of p, perhaps a single value of p--the hypothetic
offending service (see above)--should make the mysterious listening
port appear.


Actually, when I figured out that those ports are always above 1024 and
below 5000, as I've said in my post, I started scanning only this
range, and every time the results were similar. And the only service
listening on my host is nullidentd.

But now I know what I was observing, see Fyodor's answer:
<20021224191816.GA10153 () core lnxnet net>

Thanks.
-Alfaentomega.


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: