RE: TCP Src 5635: what is it?

From: Curt Purdy (purdyat_private)
Date: Tue Jul 10 2001 - 10:02:24 PDT


    IMO, this looks like an hping2 scan.  See
    http://project.honeynet.org/scans/arch/scan1.txt for a sample honeynet scan
    that is just the opposite (dest 0 - src high port).  But as they explain,
    the default hping2 is actually (src 0 - dest high port) as in your case.
    
    Curt Purdy
    Information Systems Engineer
    DP Solutions
    
    -----Original Message-----
    From: rltat_private [mailto:rltat_private]
    Sent: Tuesday, July 10, 2001 10:11 AM
    To: incidentsat_private
    Subject: TCP Src 5635: what is it?
    
    
    Just a little help needed here.  I've been seeing a lot of traffic with
    a source port of 5635 and a destination port of 0.  Searching on google
    yields no significant results.  There were two forums that asked the
    same question and haven't yet gotten an answer.  I asked the posters for
    more information and if their problems had been resolved but I haven't
    gotten a response yet.  So, any help and/or insight would be much
    appreciated.
    
    Here's an excerpt from my logs:
    
    Time,Source Addr,Source Port,Dest Addr,Dest Port,TCP/UDP,TCP Flags
    ,,,,,,
    6/28/01 15:41,208.33.170.61 (cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,
    6/28/01 15:41,208.33.170.61 (cvxp061.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,fin rst psh
    6/28/01 16:55,63.254.34.74 (A010-0074.FRDK.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn psh
    6/28/01 17:50,208.33.170.154 (cvxp154.intrstar.net),5635,Host.In.Our.DMZ,0,TCP,rst
    6/29/01 0:04,63.252.82.9 (A010-0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst psh ack urg
    6/29/01 0:04,63.252.82.9 (A010-0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst
    6/29/01 0:04,63.252.82.9 (A010-0009.FTVL.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,rst urg
    6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    6/29/01 7:26,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    6/29/01 7:27,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    6/29/01 7:28,63.255.89.15 (A010-0015.HIPT.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,psh urg
    6/29/01 7:34,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    6/29/01 7:34,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    6/29/01 7:34,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    6/29/01 7:34,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,syn rst urg
    6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    6/29/01 7:35,209.156.206.217 (A020-0979.GNBO.splitrock.net),5635,Host.In.Our.DMZ,0,TCP,fin syn rst urg
    
    The TCP flags are varied.  I know it's not indicated here but I didn't
    want to send the entire list of attempts.
    
    The server that these IPs are destined for happens to be a HTTPS
    server.  And these IPs have also established full connections with the
    server.  So I'm not sure if this is an attack or some wacky software
    misconfiguration.
    
    Again, any help and/or insight would be appreciated.
    
    Thanks in advance.
    
    -Rick
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see:
    
    http://aris.securityfocus.com
    
    
    
    
    
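As an added example (not code from the thread or from hping2), a small Python check that parses a log in the same CSV layout Rick quoted and flags the two things the reply points at: a destination port of 0 and TCP flag combinations no normal stack emits, then groups them per source so a fixed source port across crafted segments stands out. The sample rows are constructed with documentation-range addresses, not the poster's real lines.

```python
import csv
from io import StringIO

# Constructed sample in the CSV layout of the log quoted in the thread; addresses are documentation ranges, not the poster's.
SAMPLE_LOG = """Time,Source Addr,Source Port,Dest Addr,Dest Port,TCP/UDP,TCP Flags
6/29/01 7:26,192.0.2.15 (host15.example.net),5635,203.0.113.10,0,TCP,fin syn rst urg
6/29/01 7:28,192.0.2.15 (host15.example.net),5635,203.0.113.10,0,TCP,psh urg
6/29/01 7:34,192.0.2.217 (host217.example.net),5635,203.0.113.10,0,TCP,syn rst urg
6/29/01 7:35,192.0.2.217 (host217.example.net),5635,203.0.113.10,0,TCP,
6/29/01 7:36,192.0.2.217 (host217.example.net),34512,203.0.113.10,443,TCP,syn
6/29/01 7:36,192.0.2.217 (host217.example.net),34512,203.0.113.10,443,TCP,psh ack
"""

def flag_anomalies(flags):
    """Reasons a flag set is one a normal TCP stack never emits (i.e. crafted packets)."""
    f = set(flags.split())
    reasons = []
    if not f:
        reasons.append("no flags (null)")
    if ("syn" in f and f & {"fin", "rst"}) or {"fin", "rst"} <= f:
        reasons.append("mutually exclusive flags")   # syn+fin, syn+rst, fin+rst
    if f and not f & {"syn", "rst", "ack"}:
        reasons.append("data flags without ack")     # e.g. psh/urg/fin on their own
    return reasons

def analyse(text):
    """Return (src_ip, src_port, dst_port, flags, reasons) for each suspicious row."""
    findings = []
    for row in csv.DictReader(StringIO(text)):
        if not row["Source Addr"] or row["TCP/UDP"] != "TCP":
            continue                                # blank separator row or non-TCP
        src_ip = row["Source Addr"].split()[0]      # drop the "(reverse-dns)" suffix
        reasons = flag_anomalies(row["TCP Flags"])
        if row["Dest Port"] == "0":                 # port 0 is reserved; no service listens there
            reasons.insert(0, "dst port 0")
        if reasons:
            findings.append((src_ip, row["Source Port"], row["Dest Port"],
                             row["TCP Flags"].strip(), reasons))
    return findings

def by_source(findings):
    """Per source: how many crafted segments, which flag combos, from which source ports."""
    summary = {}
    for src_ip, src_port, _dst, flags, _why in findings:
        e = summary.setdefault(src_ip, {"count": 0, "combos": set(), "src_ports": set()})
        e["count"] += 1
        e["combos"].add(flags)
        e["src_ports"].add(src_port)
    return summary
```

The two legitimate port-443 rows pass untouched, while every port-0 row is reported with a reason; the per-source summary shows the same source port reused across several distinct flag combinations, which is what a crafted-packet tool looks like next to a real client.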



    This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 10:11:07 PDT