Re: 33270:trinity connection form port 80 to local machine on port

From: Valdis.Kletnieksat_private
Date: Wed Oct 31 2001 - 09:48:28 PST

    On Wed, 31 Oct 2001 16:11:43 +0800, Bradley Filmer <bfilmerat_private>  said:
    > I am curious as to what this might be, I am seeing hits in my iptables
    > logs after visiting certain websites.. mainly 
    > 
    > Oct 29 09:26:15 stealth kernel: IN=eth0 OUT= MAC= "long number"
    > SRC=64.28.67.70 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=46
    > ID=16970 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN
    > URGP=0
    > This is netbsd.org
    
    Source port 80, an ACK/SYN - looks like you logged the second of a 3-packet
    handshake from your SYN sent to netbsd.org.  33270 was an ephemeral port
    picked by your browser on the fly.
    
    Sequence:
    
    you:33270  ->    netbsd.org:80  SYN
    you:33270  <-    netbsd.org:80  SYN+ACK (the packet you logged)
    you:33270  ->    netbsd.org:80  ACK
    
    > Oct 30 11:35:47 stealth kernel: IN=eth0 OUT= MAC= "long number"
    > SRC=64.58.76.98 DST=my.adr.xxx.xxx LEN=44 TOS=0x00 PREC=0x00 TTL=48
    > ID=9741 DF PROTO=TCP SPT=443 DPT=33270 WINDOW=16560 RES=0x00 ACK SYN
    > URGP=0
    > This is yahoo groups.
    
    Similarly, port 443 is https: (http over SSL).
    
    > Oct 31 09:01:41 stealth kernel: IN=eth0 OUT= MAC= "long number"
    > SRC=204.152.186.171 DST=my.adr.xxx.xxx LEN=56 TOS=0x00 PREC=0x00 TTL=51
    > ID=23555 PROTO=TCP SPT=80 DPT=33270 WINDOW=32768 RES=0x00 ACK SYN URGP=0
    > This is mysql.org
    
    More of same.
    
    > Always 5 hits and I can't tell you how long after. I have checked port
    
    I can't comment on "always 5 hits" because you don't show the logs.
    Perhaps you're filtering something incorrectly, causing a retransmit of
    the SYN+ACK packet at the far end.
    
    > Looking for paranoia in all the right places
    
    And then some, based on what I see.  Maybe seeing all 5 hits might
    show something I'm not seeing here, but I'm guessing that it's a broken
    iptables config logging things that it shouldn't.
    
    -- 
    				Valdis Kletnieks
    				Operating Systems Analyst
    				Virginia Tech
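As an added illustration of the diagnosis in this reply (this is example code written for this archive page, not code from the thread or from either poster), the script below parses iptables `kernel:` log lines of the shape quoted above, classifies each TCP hit, and groups repeated hits from the same far end so that a burst of identical SYN+ACKs with growing gaps (a far-end retransmit) can be told apart from several separate connections. Assumptions: the log year is taken as 2001 (syslog omits it), the sample lines are constructed (the three quoted lines with the MAC shortened and the destination replaced by a documentation address, plus invented repeats and one invented unsolicited SYN to port 22), and the "well-known source port, high destination port" test is a heuristic only.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, not the poster's real logs: the three lines quoted in the
# thread (MAC shortened, destination replaced by 192.0.2.5), plus invented
# repeats of the first line 3s, 6s, 12s and 24s apart, and one invented
# unsolicited SYN to port 22 for contrast.
_MAC = "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
SAMPLE_LOG = "\n".join([
    f"Oct 29 09:26:15 stealth kernel: IN=eth0 OUT= {_MAC} SRC=64.28.67.70 DST=192.0.2.5 LEN=56 TOS=0x00 PREC=0x00 TTL=46 ID=16970 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN URGP=0",
    f"Oct 29 09:26:18 stealth kernel: IN=eth0 OUT= {_MAC} SRC=64.28.67.70 DST=192.0.2.5 LEN=56 TOS=0x00 PREC=0x00 TTL=46 ID=16971 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN URGP=0",
    f"Oct 29 09:26:24 stealth kernel: IN=eth0 OUT= {_MAC} SRC=64.28.67.70 DST=192.0.2.5 LEN=56 TOS=0x00 PREC=0x00 TTL=46 ID=16972 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN URGP=0",
    f"Oct 29 09:26:36 stealth kernel: IN=eth0 OUT= {_MAC} SRC=64.28.67.70 DST=192.0.2.5 LEN=56 TOS=0x00 PREC=0x00 TTL=46 ID=16973 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN URGP=0",
    f"Oct 29 09:27:00 stealth kernel: IN=eth0 OUT= {_MAC} SRC=64.28.67.70 DST=192.0.2.5 LEN=56 TOS=0x00 PREC=0x00 TTL=46 ID=16974 DF PROTO=TCP SPT=80 DPT=33270 WINDOW=15180 RES=0x00 ACK SYN URGP=0",
    f"Oct 30 11:35:47 stealth kernel: IN=eth0 OUT= {_MAC} SRC=64.58.76.98 DST=192.0.2.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=9741 DF PROTO=TCP SPT=443 DPT=33270 WINDOW=16560 RES=0x00 ACK SYN URGP=0",
    f"Oct 31 09:01:41 stealth kernel: IN=eth0 OUT= {_MAC} SRC=204.152.186.171 DST=192.0.2.5 LEN=56 TOS=0x00 PREC=0x00 TTL=51 ID=23555 PROTO=TCP SPT=80 DPT=33270 WINDOW=32768 RES=0x00 ACK SYN URGP=0",
    f"Oct 31 09:05:02 stealth kernel: IN=eth0 OUT= {_MAC} SRC=192.0.2.77 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
])

# "Mon DD HH:MM:SS host kernel: <key=value and bare-flag tokens>"
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<body>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line, year=2001):
    """Turn one iptables LOG line into a dict; bare TCP flag tokens go into 'flags'."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog has no year; 2001 is assumed from the date of this thread.
    rec = {"flags": set(), "opts": set(),
           "ts": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")}
    for tok in m.group("body").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
        else:
            rec["opts"].add(tok)          # e.g. DF (don't fragment)
    return rec


def classify(rec):
    """Label a parsed line by what the TCP flags and ports say about its origin."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags, spt, dpt = rec["flags"], int(rec["SPT"]), int(rec["DPT"])
    if {"SYN", "ACK"} <= flags:
        # Step 2 of the handshake arriving here: our host sent the SYN.
        # Heuristic: a service port on the far side, an ephemeral port on ours.
        return "reply-to-outbound" if spt < 1024 <= dpt else "syn-ack-unexpected"
    if "SYN" in flags:
        return "inbound-connection-attempt"   # somebody else opened the connection
    if "RST" in flags:
        return "reset"
    return "mid-stream"


def gaps_seconds(stamps):
    """Seconds between consecutive hits of the same 4-tuple."""
    ts = sorted(stamps)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]


def looks_like_backoff(gaps):
    """Retransmit timers roughly double each try; several separate visits would not."""
    return len(gaps) >= 2 and all(nxt >= 1.5 * cur for cur, nxt in zip(gaps, gaps[1:]))


def analyze(log_text, year=2001):
    """Classify every line and report 4-tuples that were logged more than once."""
    records = [r for r in (parse_line(l, year) for l in log_text.splitlines()) if r]
    verdicts = Counter(classify(r) for r in records)
    flows = defaultdict(list)
    for r in records:
        if r.get("PROTO") == "TCP":
            flows[(r["SRC"], r["SPT"], r["DST"], r["DPT"])].append(r["ts"])
    repeats = {}
    for key, stamps in flows.items():
        if len(stamps) > 1:
            gaps = gaps_seconds(stamps)
            repeats[key] = {"hits": len(stamps), "gaps": gaps, "backoff": looks_like_backoff(gaps)}
    return {"verdicts": verdicts, "repeats": repeats}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for label, n in sorted(result["verdicts"].items()):
        print(f"{n:3d}  {label}")
    for (src, spt, dst, dpt), info in result["repeats"].items():
        print(f"{src}:{spt} -> {dst}:{dpt}: {info['hits']} hits, gaps {info['gaps']}s, "
              f"{'retransmit-like' if info['backoff'] else 'irregular'}")
```

Two things to take from the output. First, every SYN+ACK from port 80 or 443 to port 33270 is the second leg of a connection the browser opened, so if such packets are reaching a LOG rule the firewall is not accepting return traffic for established connections before it logs: a stateful rule (`-m state --state ESTABLISHED,RELATED -j ACCEPT`) that is missing, or ordered after the LOG or DROP rule, is the usual cause. Second, "always 5 hits" with gaps of roughly 3, 6, 12, 24 seconds is the far end retransmitting one SYN+ACK that never got its ACK, exactly the possibility raised in the reply, whereas five hits with irregular gaps would point to five separate connections.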
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Oct 31 2001 - 09:52:03 PST