TCP Src 5635: what is it?

From: rlt (rltat_private)
Date: Tue Jul 10 2001 - 08:11:28 PDT

Next message: myrddin_eat_private: "Unicode Logs with Ping Activity"

Previous message: Gossi The Dog: "Advanced IIS unicode scanning?"
Next in thread: Curt Purdy: "RE: TCP Src 5635: what is it?"
Reply: Curt Purdy: "RE: TCP Src 5635: what is it?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Just a little help needed here.  I've been seeing a lot of traffic with 
a source port of 5635 and a destination port of 0.  Searching on google 
yields no significant results.  There were two forums that asked the 
same question and haven't yet gotten an answer.  I asked the posters for 
more information and if there problems had been resolved but I haven't 
gotten a response yet.  So, any help and or insight would be much 
appreciated.

Here's an excerpt from my logs:

Time,Source Addr,Source Port,Dest Addr,Dest Port,TCP/UDP,TCP Flags
,,,,,,
6/28/01 15:41,208.33.170.61 
(cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,
6/28/01 15:41,208.33.170.61 
(cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,fin rst psh
6/28/01 16:55,63.254.34.74 (A010-
0074.FRDK.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn psh
6/28/01 17:50,208.33.170.154 
(cvxp154.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,rst
6/29/01 0:04,63.252.82.9 (A010-
0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst psh ack 
urg
6/29/01 0:04,63.252.82.9 (A010-
0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst
6/29/01 0:04,63.252.82.9 (A010-
0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,rst urg
6/29/01 7:26,63.255.89.15 (A010-
0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:26,63.255.89.15 (A010-
0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:26,63.255.89.15 (A010-
0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:26,63.255.89.15 (A010-
0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:26,63.255.89.15 (A010-
0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:27,63.255.89.15 (A010-
0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:28,63.255.89.15 (A010-
0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,psh urg
6/29/01 7:34,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:34,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:34,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:34,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
6/29/01 7:35,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:35,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:35,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:35,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
6/29/01 7:35,209.156.206.217 (A020-
0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg

The TCP flags are varied.  I know it's not indicated here but I didn't 
want to send the entire list of attempts.

There server that these IP's are destined for happens to be a HTTPS 
server.  And these IP's have also established full connections with the 
server.  So I'm not sure if this is an attack or some wacky software mis-
configuration.

Again, any help and or insight would be appreciated.

Thanks in advance.

-Rick

--------------------------------------
FREE ANONYMOUS EMAIL!  Sign up now.
http://www.subdimension.com/freemail


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: myrddin_eat_private: "Unicode Logs with Ping Activity"
Previous message: Gossi The Dog: "Advanced IIS unicode scanning?"
Next in thread: Curt Purdy: "RE: TCP Src 5635: what is it?"
Reply: Curt Purdy: "RE: TCP Src 5635: what is it?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 09:22:33 PDT