Security Incidents mailing list archives
Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second
From: alfaentomega <alfaentomega () yahoo com>
Date: Fri, 27 Dec 2002 00:52:26 -0800 (PST)
--- Pavel Kankovsky <peak () argo troja mff cuni cz> wrote:
On Mon, 23 Dec 2002, alfaentomega wrote: Hypothesis: one of the services listening on your machine opens a short-lived listening sockets on an automatically assigned port (ie. in 1024-5000 range) when it accepts a connection. This would explain why SYN scan does not trigger it but connect() scan does. Try this: for each port p in 1-1023 perform a connect() scan of p and 1024-5000 Only a small set of p, perhaps a single value of p--the hypothetic offending service (see above)--should make the mysterious listening port appear.
Actually, when I figured out that those ports are always above 1024 and below 5000, as I've said in my post, I started scanning only this range, and every time the results were similar. And the only service listening on my host is nullidentd. But now I know what I was observing, see Fyodor's answer: <20021224191816.GA10153 () core lnxnet net> Thanks. -Alfaentomega. __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second alfaentomega (Dec 24)
- Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second Pavel Kankovsky (Dec 27)
- Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second alfaentomega (Dec 27)
- Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second Fyodor (Dec 27)
- Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second alfaentomega (Dec 27)
- <Possible follow-ups>
- RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second alfaentomega (Dec 27)
- RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second Charles . Fasching (Dec 27)
- RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second Hornat, Charles (Dec 27)
- Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second Pavel Kankovsky (Dec 27)