Security Incidents mailing list archives

Why would my machine do this?


From: "Pat Moffitt" <pmoffitt () wrv com>
Date: Thu, 7 Feb 2002 13:11:58 -0800

I noticed in my logs connections to our firewall machine via UDP port 1.  I
thought that odd and investigated.

The packets were not being dropped by IPTABLES, so they had to be related to
another connection.  The IP address the connection is coming from is a
trusted address (my roommate is the administrator of that system). So, I
started snort and waited for a response to see what was going on.  The
results are below.

The trusted system is one that we sync our firewall's clock with.

We are running Debian with Kernel 2.4.17, IPTables and ntp ver
4.0.99g-2potato2.

Why is what looks like ntp trying to connect out on port 1?  I don't know
anything about ntp packets but they are real close to the ones going out
from port 123.  Is this something worth exploring further? If so, where do I
go next?

Thanks,

Pat Moffitt
MIS Administrator
Western Recreational Vehicles, Inc.



xx.xx.xx.xx = our firewall system's external address.
yy.yy.yy.yy = trusted outside system I sync my clock with.

Snort -vd 'host yy.yy.yy.yy' provided

02/07-12:21:11.600300 xx.xx.xx.xx:1 -> yy.yy.yy.yy:123
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:76 DF
Len: 56
23 04 06 EF 00 00 20 9A 00 00 40 9E CF 6D BB 42  #..... ...@..m.B
C0 0D 5F F7 F4 9D 8C 6D C0 0D 5F F7 95 33 D2 95  .._....m.._..3..
C0 0D 5F F7 F4 9D 8C 6D C0 0D 60 37 99 A1 87 A4  .._....m..`7....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/07-12:21:11.637692 yy.yy.yy.yy:123 -> xx.xx.xx.xx:1
UDP TTL:55 TOS:0x0 ID:60398 IpLen:20 DgmLen:76
Len: 56
24 03 06 EF 00 00 17 38 00 00 07 98 A5 5B FA D6  $......8.....[..
C0 0D 5E F4 70 B2 B7 77 C0 0D 60 37 99 A1 87 A4  ..^.p..w..`7....
C0 0D 60 37 88 27 B6 FE C0 0D 60 37 88 2C 4D 65  ..`7.'....`7.,Me

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/07-12:21:11.637848 xx.xx.xx.xx -> yy.yy.yy.yy
ICMP TTL:255 TOS:0xC0 ID:16011 IpLen:20 DgmLen:104
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
yy.yy.yy.yy:123 -> xx.xx.xx.xx:1
UDP TTL:55 TOS:0x0 ID:60398 IpLen:20 DgmLen:76
Len: 56
** END OF DUMP
45 00 00 4C EB EE 00 00 37 11 76 50 yy yy yy yy  E..L....7.vP....
xx xx xx xx 00 7B 00 01 00 38 15 B1 24 03 06 EF  .....{...8..$...
00 00 17 38 00 00 07 98 A5 5B FA D6 C0 0D 5E F4  ...8.....[....^.
70 B2 B7 77 C0 0D 60 37 99 A1 87 A4 C0 0D 60 37  p..w..`7......`7
88 27 B6 FE C0 0D 60 37 88 2C 4D 65              .'....`7.,Me

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
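The hex in the dump can be decoded by hand, and doing so settles what the packets are even if it does not explain the source port. The following is an added example, not code from the original post or from the ntp project: it parses the two UDP payloads and the datagram quoted inside the ICMP error, using only the Python standard library. The masked xx.xx.xx.xx and yy.yy.yy.yy addresses inside the quoted datagram cannot be recovered from the page, so 0.0.0.0 placeholders stand in for them; the IP ID 60398 used as a cross-check is the value snort printed for the reply.

```python
"""Decode the NTP exchange and the ICMP error from the Snort output above.

Added example (not code from the original post): parses the three hex dumps
with the Python standard library only.  Address bytes in the ICMP-quoted
datagram are 0.0.0.0 placeholders because the page masks them.
"""
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
MODES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
         3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}

# Constructed from the hex columns of the two UDP packets in the dump (48 bytes each).
REQUEST = bytes.fromhex(
    "23 04 06 EF 00 00 20 9A 00 00 40 9E CF 6D BB 42 "
    "C0 0D 5F F7 F4 9D 8C 6D C0 0D 5F F7 95 33 D2 95 "
    "C0 0D 5F F7 F4 9D 8C 6D C0 0D 60 37 99 A1 87 A4")
REPLY = bytes.fromhex(
    "24 03 06 EF 00 00 17 38 00 00 07 98 A5 5B FA D6 "
    "C0 0D 5E F4 70 B2 B7 77 C0 0D 60 37 99 A1 87 A4 "
    "C0 0D 60 37 88 27 B6 FE C0 0D 60 37 88 2C 4D 65")
# Datagram quoted by the ICMP port-unreachable: 20-byte IP header, 8-byte UDP
# header, then the 48-byte NTP reply.  The eight address bytes are placeholders.
ICMP_QUOTED = bytes.fromhex(
    "45 00 00 4C EB EE 00 00 37 11 76 50 00 00 00 00 "
    "00 00 00 00 00 7B 00 01 00 38 15 B1") + REPLY


def ntp_time(ts):
    """Convert a 64-bit NTP timestamp (32.32 fixed point, 1900 epoch) to UTC."""
    secs, frac = ts >> 32, ts & 0xFFFFFFFF
    return NTP_EPOCH + timedelta(seconds=secs,
                                 microseconds=round(frac * 1_000_000 / 2 ** 32))


def parse_ntp(pkt):
    """Parse the 48-byte NTP header (RFC 1305 / RFC 5905 layout)."""
    (flags, stratum, poll, precision, root_delay, root_disp, refid,
     ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack("!BBbbII4sQQQQ", pkt[:48])
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 7,
        "mode": MODES[flags & 7],
        "stratum": stratum,
        "poll_seconds": 2 ** poll,             # poll field is log2 seconds
        "precision": precision,                # log2 seconds, e.g. -17
        "root_delay": root_delay / 65536.0,    # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 65536.0,
        # From stratum 2 on, the reference ID is the IPv4 address of the upstream server.
        "refid": ".".join(str(b) for b in refid) if stratum >= 2
                 else refid.decode("ascii", "replace"),
        "reference": ref_ts,
        "originate": orig_ts,
        "receive": recv_ts,
        "transmit": xmit_ts,
    }


def parse_quoted_datagram(buf):
    """Pull IP ID/TTL, the UDP ports and the NTP payload out of the datagram
    an ICMP destination-unreachable quotes (IP header + UDP header + data)."""
    ihl = (buf[0] & 0x0F) * 4
    total_len, ip_id, _frag, ttl, proto = struct.unpack("!HHHBB", buf[2:10])
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", buf[ihl:ihl + 8])
    return {"ip_id": ip_id, "ttl": ttl, "proto": proto, "total_len": total_len,
            "sport": sport, "dport": dport, "udp_len": udp_len,
            "ntp": parse_ntp(buf[ihl + 8:])}


def analyze(request=REQUEST, reply=REPLY, quoted=ICMP_QUOTED, snort_ip_id=60398):
    """Cross-check the three dumps the way a responder would by hand."""
    req, rep, q = parse_ntp(request), parse_ntp(reply), parse_quoted_datagram(quoted)
    return {
        "request_is_client_mode": req["mode"] == "client",
        "reply_is_server_mode": rep["mode"] == "server",
        # A genuine reply echoes the request's transmit timestamp as its originate timestamp.
        "reply_matches_request": rep["originate"] == req["transmit"],
        # The ICMP error quotes exactly the reply, addressed to UDP port 1.
        "icmp_quotes_reply": q["ntp"] == rep and q["ip_id"] == snort_ip_id,
        "icmp_quoted_ports": (q["sport"], q["dport"]),
        "request_transmit_utc": ntp_time(req["transmit"]).strftime("%Y-%m-%d %H:%M:%S"),
    }


if __name__ == "__main__":
    for k, v in analyze().items():
        print(f"{k:24} {v}")
```

The first byte 0x23 decodes to leap 0, version 4, mode 3 (client) and 0x24 to version 4, mode 4 (server). The reply's originate timestamp equals the request's transmit timestamp, so it is the genuine answer to that query, and the request's transmit time decodes to 2002-02-07 20:21:11 UTC, which is 12:21:11 PST, matching the capture. The ICMP type 3 code 3 quotes that same reply addressed to UDP port 1 on the firewall, which per RFC 792 means nothing was bound to that port when the reply arrived.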



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
