RE: Syn probes at port 100008

From: Dave Elfering (elferingat_private)
Date: Tue May 15 2001 - 12:00:23 PDT


    I just ran a big, hairy grep on several months of Checkpoint logs.
    
    What I think I'm seeing is that Firewall-1 seems to pick port 10008 a lot as
    the translated source port "xlatesport 10008"
    
    Maybe this is a red herring, I dunno since nothing comes to mind as to why
    this might be relevant.
    
    It did strike me odd to find that as a frequent translate source port. Then
    again if you're into numerology you can make strange arguments about the
    assassination of Lincoln :)
    
    -Dave
    
    
    -----Original Message-----
    From: Lance Spitzner [mailto:lanceat_private]
    Sent: Tuesday, May 15, 2001 9:39 AM
    To: Henri J. Schlereth
    Cc: incidentsat_private
    Subject: Re: Syn probes at port 100008
    
    
    On Tue, 15 May 2001, Henri J. Schlereth wrote:
    
    >  I am starting to see syn probes on port 10008. I can't seem to find
    >  any references as to what uses that port. I know I am not.
    >
    >  05-14-2001  Mo  11:47:54  209.205.30.10                   10008
    >  05-14-2001  Mo  14:11:25  210.206.177.138                 10008
    >  05-14-2001  Mo  19:46:48  211.21.142.65                   10008
    >  05-15-2001  Tu  00:26:48  194.102.188.134                 10008
    
    Our Honeynet recently picked up these scans.  Below is the snort capture.
    Based on passive OS fingerprinting, it appears the source system is Linux.
    We received port 10008 scans from three different systems, all source
    signatures were the same.  This implies the scan may be for Unix based
    vulnerabilities or backdoor.
    
    lance
    
    -*> Snort! <*-
    Version 1.7
    By Martin Roesch (roeschat_private, www.snort.org)
    
            --== Initializing Snort ==--
    TCPDUMP file reading mode.
    Reading network traffic from "snort-0514at_private" file.
    snaplen = 1514
    
            --== Initialization Complete ==--
    05/14-04:45:01.954393 200.204.170.212:2394 -> 172.16.1.102:10008
    TCP TTL:48 TOS:0x0 ID:28181 IpLen:20 DgmLen:60 DF
    ******S* Seq: 0x19C1BA52  Ack: 0x0  Win: 0x7D78  TcpLen: 40
    TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    05/14-04:45:01.961927 172.16.1.102:10008 -> 200.204.170.212:2394
    TCP TTL:46 TOS:0x0 ID:32915 IpLen:20 DgmLen:40 DF
    ***A*R** Seq: 0x0  Ack: 0x19C1BA53  Win: 0x0  TcpLen: 20
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    05/14-04:45:01.967340 200.204.170.212:2396 -> 172.16.1.104:10008
    TCP TTL:48 TOS:0x0 ID:28183 IpLen:20 DgmLen:60 DF
    ******S* Seq: 0x19A0AB8D  Ack: 0x0  Win: 0x7D78  TcpLen: 40
    TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    05/14-04:45:01.970390 172.16.1.104:10008 -> 200.204.170.212:2396
    TCP TTL:46 TOS:0x0 ID:32916 IpLen:20 DgmLen:40 DF
    ***A*R** Seq: 0x0  Ack: 0x19A0AB8E  Win: 0x0  TcpLen: 20
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    05/14-04:45:01.979359 200.204.170.212:2398 -> 172.16.1.106:10008
    TCP TTL:48 TOS:0x0 ID:28185 IpLen:20 DgmLen:60 DF
    ******S* Seq: 0x19CA6878  Ack: 0x0  Win: 0x7D78  TcpLen: 40
    TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0
    
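As an added example (not from the thread, and not Lance's or the Honeynet Project's code), a Python script that parses records in the Snort 1.7 dump format quoted above, keeps only bare SYNs to port 10008, and groups them per source together with the TTL, window size and TCP option layout that Lance compared across the scanning hosts. The embedded dump is constructed from the quoted capture (two of the SYNs plus the honeypot's RST/ACK).

```python
import re
from collections import defaultdict

# Constructed sample in the Snort 1.7 dump format quoted in the thread; addresses are from the capture.
SNORT_DUMP = """\
05/14-04:45:01.954393 200.204.170.212:2394 -> 172.16.1.102:10008
TCP TTL:48 TOS:0x0 ID:28181 IpLen:20 DgmLen:60 DF
******S* Seq: 0x19C1BA52  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/14-04:45:01.961927 172.16.1.102:10008 -> 200.204.170.212:2394
TCP TTL:46 TOS:0x0 ID:32915 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0  Ack: 0x19C1BA53  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/14-04:45:01.967340 200.204.170.212:2396 -> 172.16.1.104:10008
TCP TTL:48 TOS:0x0 ID:28183 IpLen:20 DgmLen:60 DF
******S* Seq: 0x19A0AB8D  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 42499815 0 NOP WS: 0
"""

HEADER = re.compile(r"^(\S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
FLAGS = re.compile(r"^([*A-Z]{8}) Seq:.*Win: (0x[0-9A-Fa-f]+)")
OPTS = re.compile(r"^TCP Options \(\d+\) => (.*)$")

def parse_records(dump):
    """Yield one dict per packet record of a Snort 1.7 verbose dump."""
    for block in re.split(r"\n=\+.*\n", dump):
        rec = {}
        for line in block.strip().splitlines():
            if m := HEADER.match(line):
                rec.update(src=m[2], dst=m[4], dport=int(m[5]))
            elif m := re.search(r"\bTTL:(\d+)", line):
                rec["ttl"] = int(m[1])
            elif m := FLAGS.match(line):
                rec["flags"], rec["win"] = m[1], int(m[2], 16)
            elif m := OPTS.match(line):
                rec["opts"] = m[1]
        if rec:
            yield rec

def syn_probe_signatures(dump, port):
    """Bare SYNs to `port` grouped by source, with passive-fingerprint fields (TTL, window,
    option layout with the TS counter blanked) to show whether the scanners share a stack."""
    by_src = defaultdict(lambda: {"targets": set(), "sigs": set()})
    for r in parse_records(dump):
        if r.get("dport") == port and r.get("flags") == "******S*":
            layout = re.sub(r"TS: \d+ \d+", "TS", r.get("opts", ""))
            by_src[r["src"]]["targets"].add(r["dst"])
            by_src[r["src"]]["sigs"].add((r["ttl"], r["win"], layout))
    return dict(by_src)
```

Run against a real dump, a source that appears with more than one signature tuple is either behind NAT or spoofing; several sources with the identical tuple is the pattern Lance describes.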



    This archive was generated by hypermail 2b30 : Tue May 15 2001 - 22:04:20 PDT