so i just found that one of my hosts is GENERATING these probe pairs, maybe every minute or two (note the sequence numbers): seq my host victim(s) --- ---------------- --------------- 24) 192.168.0.2:1121 <--> 216.52.3.2:2703 25) 192.168.0.2:1122 <--> 216.52.3.4:2703 39) 192.168.0.2:1124 <--> 216.52.3.2:2703 40) 192.168.0.2:1125 <--> 216.52.3.4:2703 49) 192.168.0.2:1129 <--> 216.52.3.2:2703 50) 192.168.0.2:1130 <--> 216.52.3.4:2703 71) 192.168.0.2:1136 <--> 216.52.3.2:2703 72) 192.168.0.2:1137 <--> 216.52.3.4:2703 83) 192.168.0.2:1141 <--> 216.52.3.2:2703 84) 192.168.0.2:1142 <--> 216.52.3.4:2703 the host in the 1918 space is mine. the gap in the sequential scan is because those ports were otherwise occupied. a single probe looks like 21:30:32.310999 192.168.0.2.1141 > 216.52.3.2.2703: S 2059265893:2059265893(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 54731668 0> (DF) 21:30:32.477021 216.52.3.2.2703 > 192.168.0.2.1141: S 1009079948:1009079948(0) ack 2059265894 win 5792 <mss 1460,nop,nop,timestamp 1121328035 54731668,nop,wscale 0> (DF) 21:30:32.477061 192.168.0.2.1141 > 216.52.3.2.2703: . ack 1 win 57920 <nop,nop,timestamp 54731685 1121328035> (DF) 21:30:32.687121 216.52.3.2.2703 > 192.168.0.2.1141: P 1:36(35) ack 1 win 5792 <nop,nop,timestamp 1121328056 54731685> (DF) 21:30:32.687728 192.168.0.2.1141 > 216.52.3.2.2703: P 1:13(12) ack 36 win 57920 <nop,nop,timestamp 54731706 1121328056> (DF) 21:30:33.027105 216.52.3.2.2703 > 192.168.0.2.1141: . ack 13 win 5792 <nop,nop,timestamp 1121328074 54731706> (DF) 21:30:33.028032 216.52.3.2.2703 > 192.168.0.2.1141: P 36:90(54) ack 13 win 5792 <nop,nop,timestamp 1121328074 54731706> (DF) 21:30:33.028724 192.168.0.2.1141 > 216.52.3.2.2703: P 13:25(12) ack 90 win 57920 <nop,nop,timestamp 54731740 1121328074> (DF) 21:30:33.187272 216.52.3.2.2703 > 192.168.0.2.1141: P 90:141(51) ack 25 win 5792 <nop,nop,timestamp 1121328108 54731740> (DF) 21:30:33.196247 192.168.0.2.1141 > 216.52.3.2.2703: P 25:30(5) ack 141 win 57920 <nop,nop,timestamp 54731757 1121328108> (DF) 21:30:33.427044 216.52.3.2.2703 > 192.168.0.2.1141: R 141:141(0) ack 30 win 5792 <nop,nop,timestamp 1121328130 54731757> (DF) iana says port 2703 is sms-chat. google for "sms-chat protocol" produces two hacker texts in deutsch, which i tried to wade through but it was a lot of cryptic twisty passages. sms seems to be some sort of microsloth protocol. and, from samba-land docs "The version of netmon that ships with SMS allows for dumping packets between any two computers (i.e. placing the network interface in promiscuous mode)" now the host doing the probes o is the only one of my hosts doing it o is the only one of my hosts running samba, 2.2.8a no ports are in promiscuous mode, that i can see (i.e. ifconfig could have been hacked). clues? randy
Randy Bush wrote:> seq my host victim(s) > --- ---------------- --------------- > 24) 192.168.0.2:1121 <--> 216.52.3.2:2703 > 25) 192.168.0.2:1122 <--> 216.52.3.4:2703 > 39) 192.168.0.2:1124 <--> 216.52.3.2:2703Those hosts are at cloudmark.com, which gets used by spamassassin (or some part of it). Port 2703 is Razor2 <http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?_recurse=1&file=16> - so that fits as well. Unless you're not using spamassassin or razor2 or something similar, don't think there's anything to worry about... Do the times of the probes match up with times when mail is received? -- Ben Smithurst / ben@FreeBSD.org FreeBSD: The Power To Serve http://www.FreeBSD.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030909/c3bae49c/attachment.bin
Hello Randy, Tuesday, September 09, 2003, 9:20:36 AM, you wrote: RB> clues? try to identify process that sends this packets. Use lsof or sockstat for that. ;------------------------------------------- ; NKritsky ; mailto:nkritsky@internethelp.ru
>> seq my host victim(s) >> --- ---------------- --------------- >> 24) 192.168.0.2:1121 <--> 216.52.3.2:2703 >> 25) 192.168.0.2:1122 <--> 216.52.3.4:2703 >> 39) 192.168.0.2:1124 <--> 216.52.3.2:2703 > > Those hosts are at cloudmark.com, which gets used by > spamassassin (or some part of it). Port 2703 is Razor2 > <http://www.sng.ecs.soton.ac.uk/cgi-bin/faq?_recurse=1&file=16> - so > that fits as well.<doh!> thanks. so tell me, why does the iana think port 2703 is sms-chat? i.e., why is the port used by razor2 not properly registered as a well known port? randy
>>> IANA doesn't automagically know who uses what port unless >>> someone tells them I thought. >> exactly. there is a process to get a port number assigned. >> <http://www.iana.org/cgi-bin/sys-port-number.pl> > Thanks for following up to your own message Randy, you saved me > the trouble. I was actually kind of confused by your message this > morning, since you of all people should have known the answers to > your own questions. :)it's my form of a troll.> The only thing I'd add to this is that the sockstat utility in > freebsd makes it trivial to determine what application is holding > a given port.the connection was flying by very quickly. and the operator was many hours from coffee. randy
Seemingly Similar Threads
- RFC: Implement variable-sized register classes
- RFC: Implement variable-sized register classes
- [Bug 616] New: Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
- [Bug 616] Duplicate rules for multi-homed hostnames. IPv4 and IPv6 inconsistent treatment.
- [Bug 2703] New: Incorrect message during installation on Windows.