Security Incidents mailing list archives

RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second


From: Charles.Fasching () milestonesystems com
Date: Thu, 26 Dec 2002 16:47:37 -0600

What OS are you scanning?  Is it running RPC services or DCE services 
(Microsoft's RPC - such as an exchange server)?  That can lead to the 
type of behavior that you are seeing.

Chuck “Spence” Fasching
Systems Engineer
Milestone Systems, Inc.
charles.fasching () milestonesystems com
952.543.6999 xt 111


-----Original Message-----
From: alfaentomega [mailto:alfaentomega () yahoo com] 
Sent: Monday, December 23, 2002 11:34 PM
To: incidents
Subject: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second

Hello All, it's my first post here.

I have a strange problem, which I've never seen
before, and never even read about. I hope someone
will be able to help me, because every attempt I made
to find it out by myself has failed.

I scanned localhost TCP ports with nmap and I saw that
there's a service listening which I should not have.
When I did it once again, it was gone. I did a few other
scans, and there was nothing more than there should be,
but I was already very suspicious.

I found out that by default nmap doesn't scan every
port (before that I thought every port was scanned
without an explicit -p), so I ran "nmap -p1- localhost"
and every time I saw between 0 and 3 ports (usually
there were 2) which were reported by nmap as
open, but during the scan there was "Strange read
error from 127.0.0.1 (104): Operation now in progress"
for every one of them.

I wanted to check out what is opening those ports, but
"netstat -tulp" or "lsof -i -n" never show them (I
ran netstat and lsof with different options in long
loops many times, to make sure to see those ports,
even if they are open only for a fraction of a second,
but I never saw anything).

First I thought that it could be some strange nmap
bug, so I tried other scanning methods, like netcat
scan: "nc -vzw2 localhost 1-65535"

Netcat shows normally open ports as "localhost
[127.0.0.1] 113 (auth) open" but these strange ports
are reported as, e.g. "localhost [127.0.0.1] 4546 (?)
: Connection reset by peer"

First I thought that they may be some ports which are
kind-of open, but never finish the TCP handshake, but
they are detected only with the basic nmap scan -sT, a TCP
connect() scan, and never by any other kind of scan,
like the -sS SYN half-open scan (if they never finish the
handshake, then it would make more sense if -sS
detected them, while -sT thought they're closed, not the
other way around - but I may be wrong here).

Here are my other observations:
I ran nmap in a loop scanning TCP ports 1-10000 every
time (first it scanned 1-65535 but higher ports were
never open), and for 1000 ports found, there were 875
unique ones, with lowest 1036 and highest 4989, so
they look quite randomly distributed in this range.

It doesn't matter if I scan 128.0.0.1 or my temporary
dialup IP, also other people scanning me remotely from
the Internet are finding those strange not-quite-open
ports.

So, this is pretty much everything I know.

I was searching the Web and trying to get some help on
IRC, but unfortunately no one knew what I was talking
about. All I've found was Max Gribov's problem, posted
here on Mar 26 2001, which seems to be the same as
what I have here:
http://lists.insecure.org/lists/incidents/2001/Mar/0256.html

There was one answer telling "You are seeing your own
port scan and a clear demonstration why nmap to a
localhost is not the best thing to do" which is not
correct, because those ports are visible also on
remote scans (and besides nmap looks for open
listening ports and scanning doesn't open any ports
for listening to incoming handshakes).

The other answer was "I have seen times where certain
linux boxes running X windows will do that but nothing
that frequent" but with no more info. Should I not
worry, because my box seems to be just a certain Linux
box running X, or maybe those certain Linux boxes had
some problems other than just running X on Linux?

So, there actually was no meaningful answer to this
question. If anyone knows where to look for the
answer, please point me to any relevant text I should
read.

Of course I'll be glad if anyone posts some quick
method to fix it, however I'd rather RTFM and know
what's going on, because I'm getting a little bit
paranoid when I don't.

Was my system compromised? Is there some stealth
backdoor listening on those random ports, which would
open a normal TCP connection if only the source port
and IP match the right values?

Something like "nc -lp 3333 127.0.0.1 3334" which
would drop the connection from anywhere else than
127.0.0.1:3334, but done in a more fancy way, with
direct control over the TCP/IP stack and the actual
handshake? But if so, then why doesn't it look like a
normal closed port? And why does the half-open SYN scan show
it as closed, unlike the full open TCP scan?

Such a netcat listener as above is normally detected
as an open port by half-open SYN, stealth FIN, Xmas Tree,
and Null scans, while being detected as open and then
closed by a TCP connect() scan. Here what I observed is
totally different; I only suspect that those ports
could possibly be opened from some attacker's IP:port,
but maybe I'm being too paranoid.

Half a year ago, my outdated Debian Potato box was
compromised. Since then, I've read quite a few books
and even more online texts about systems and
network security, and started to be extremely
paranoid.

Now I have an up-to-date Debian 3.0 Woody stable
release, with every security update and with no
unneeded services listening. Almost all software is
installed from official Debian Woody packages; the
only thing I've got in /usr/local is mplayer.

A remote login is impossible (it's my personal desktop
box with a ppp dialup network connection, to which no
one has any access but me) and still I have long and
random passwords which crack and john are unable to
crack in weeks, having access to /etc/shadow. What
else can I do? I can almost hear Bruce Schneier saying
"Nothing, you're screwed." But really, is having
updated Debian stable as a desktop system not being
paranoid enough? I'm starting to lose all hope.

I really hope that someone will answer something like
"oh, this is only a bug in your kernel/library/etc."
but I have a bad feeling. Sorry for writing such a
long post, but I wanted to write everything I found
out myself about the problem, so you wouldn't have to
waste your time asking about things which I should
write in the first place and without which you're
unable to answer my questions.

Thanks a lot.

By the way, it's a really great list, I often find
many things I need in the archives of this one and
other SecurityFocus mailing lists. Thanks.

Merry Xmas and Happy New Year!

-Alfaentomega.
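A defender-side check for the observation in the post above, added here as an example; it is not code from the thread or from either poster. It repeats the connect() scan of localhost but, for every port that answers, also records the source port the kernel assigned to the probe socket. Two things a practitioner would want to rule out before suspecting a backdoor are built in: a "self-connect" (a localhost connect() whose chosen source port equals the destination port completes a TCP simultaneous open against itself, so the socket's local and peer addresses coincide and no listener is involved), and a hit inside the kernel's ephemeral source-port range, which on Linux is read from /proc/sys/net/ipv4/ip_local_port_range. The proc path and the 1024-4999 fallback (the default older 2.4 kernels used on many machines; it happens to cover the 1036-4989 spread the poster reports) are assumptions, not facts from the thread; on a live box the proc file wins.

```python
import socket

# Linux exposes the ephemeral (source) port range here; path assumed.
PROC_RANGE = "/proc/sys/net/ipv4/ip_local_port_range"


def parse_port_range(text):
    """Turn proc-file content such as '1024\\t4999\\n' into (low, high)."""
    low, high = text.split()[:2]
    return int(low), int(high)


def read_port_range(path=PROC_RANGE, default=(1024, 4999)):
    """Read the kernel's ephemeral range; fall back to an assumed default."""
    try:
        with open(path) as fh:
            return parse_port_range(fh.read())
    except OSError:
        return default


def classify(outcome, port, local_port, port_range):
    """Label one connect() probe.

    outcome    -- 'connected' or 'refused' (an RST answered our SYN)
    local_port -- source port the kernel chose for our probe socket
    """
    if outcome == "refused":
        return "closed"
    if local_port == port:
        # Local and peer port coincide: the SYN was answered by our own
        # socket (TCP simultaneous open), not by a listening service.
        return "self-connect"
    low, high = port_range
    if low <= port <= high:
        # Something answered, but the port sits in the ephemeral range:
        # correlate with netstat/lsof before treating it as a service.
        return "open-ephemeral"
    return "open"


def probe(port, host="127.0.0.1", timeout=0.5):
    """connect() to host:port; return (outcome, local_port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "connected", sock.getsockname()[1]
    except ConnectionRefusedError:
        return "refused", None
    except OSError:
        return "error", None
    finally:
        sock.close()


def scan(ports, port_range=None):
    """Probe each port and return {port: label} for conclusive results."""
    port_range = port_range or read_port_range()
    results = {}
    for port in ports:
        outcome, local_port = probe(port)
        if outcome != "error":
            results[port] = classify(outcome, port, local_port, port_range)
    return results


if __name__ == "__main__":
    # Same range the poster scanned; print everything that is not plainly closed.
    found = {p: label for p, label in scan(range(1, 5001)).items() if label != "closed"}
    for port in sorted(found):
        print(f"{port:5d}  {found[port]}")
```

Run it several times in a row, as the poster did with nmap: a real listener is labelled "open" on every pass, while a "self-connect" or an "open-ephemeral" port changes from pass to pass and never shows up in netstat or lsof because no process is listening on it.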




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com




