This information was generated by snoop on Solaris. Any ideas? See bottom of message for a single verbose packet capture.

nnn.nnn = the not so innocent IP.

nnn.nnn.213.13 -> 0.47.0.205 TCP D=111 S=33399 Syn Seq=2559250306 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.204 TCP D=111 S=33398 Syn Seq=2559160482 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.37 TCP D=111 S=59773 Rst Seq=2178778586 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.207 TCP D=111 S=33401 Syn Seq=2559361718 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.208 TCP D=111 S=33402 Syn Seq=2559390097 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.209 TCP D=111 S=33403 Syn Seq=2559476442 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.38 TCP D=111 S=59774 Rst Seq=2178892699 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.42 TCP D=111 S=59778 Rst Seq=2179194372 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.215 TCP D=111 S=33409 Syn Seq=2559700481 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.214 TCP D=111 S=33408 Syn Seq=2559656916 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.43 TCP D=111 S=59779 Rst Seq=2179223246 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.216 TCP D=111 S=33410 Syn Seq=2559772250 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.44 TCP D=111 S=59780 Rst Seq=2179342238 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.218 TCP D=111 S=33412 Syn Seq=2559854823 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.45 TCP D=111 S=59781 Rst Seq=2179387236 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.46 TCP D=111 S=59782 Rst Seq=2179459169 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.219 TCP D=111 S=33413 Syn Seq=2559861661 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.48 TCP D=111 S=59784 Rst Seq=2179596754 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.221 TCP D=111 S=33415 Syn Seq=2559922066 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.50 TCP D=111 S=59786 Rst Seq=2179755204 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.226 TCP D=111 S=33420 Syn Seq=2560346165 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.227 TCP D=111 S=33421 Syn Seq=2560403095 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.235 TCP D=111 S=33429 Syn Seq=2561000060 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.233 TCP D=111 S=33427 Syn Seq=2560897528 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.237 TCP D=111 S=33431 Syn Seq=2561153509 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.238 TCP D=111 S=33432 Syn Seq=2561195283 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.240 TCP D=111 S=33434 Syn Seq=2561332283 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.242 TCP D=111 S=33436 Syn Seq=2561468508 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.55 TCP D=111 S=56202 Rst Seq=240026718 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.57 TCP D=111 S=56204 Rst Seq=240210073 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.58 TCP D=111 S=56205 Rst Seq=240300794 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.59 TCP D=111 S=56206 Rst Seq=240409147 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.60 TCP D=111 S=56207 Rst Seq=240429542 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.61 TCP D=111 S=56208 Rst Seq=240433968 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.62 TCP D=111 S=56209 Rst Seq=240477791 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.65 TCP D=111 S=56212 Rst Seq=240763588 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.72 TCP D=111 S=56219 Rst Seq=241169371 Len=0 Win=8760

Verbose Output of one packet:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 6 arrived at 14:48:18.30
ETHER: Packet size = 60 bytes
ETHER: Destination = 0:10:7:dc:38:60,
ETHER: Source = 0:e0:3n:nn:nn:nn,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 7932
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 251 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = f5c2
IP: Source address = nnn.nnn.213.11, nnn.nnn.213.11
IP: Destination address = 0.57.0.36, 0.57.0.36
IP: No options
IP:
TCP: ----- TCP Header -----
TCP:
TCP: Source port = 33596
TCP: Destination port = 111
TCP: Sequence number = 3073870737
TCP: Acknowledgement number = 0
TCP: Data offset = 20 bytes
TCP: Flags = 0x04
TCP: ..0. .... = No urgent pointer
TCP: ...0 .... = No acknowledgement
TCP: .... 0... = No push
TCP: .... .1.. = Reset
TCP: .... ..0. = No Syn
TCP: .... ...0 = No Fin
TCP: Window = 8760
TCP: Checksum = 0x5c23
TCP: Urgent pointer = 0
TCP: No options
TCP:

--
Tim

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
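One way to triage a capture like the one in this post, added here as an example and not part of the original message: it parses snoop summary lines and totals, per source, the TCP flags, destination ports and distinct destinations. The sample lines are copied from the capture above; the function names and the `min_dsts` threshold are assumptions.

```python
import re
from collections import defaultdict

# Six summary lines copied from the capture in the post (the poster redacted
# the source network as "nnn.nnn").
SAMPLE = """\
nnn.nnn.213.13 -> 0.47.0.205 TCP D=111 S=33399 Syn Seq=2559250306 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.204 TCP D=111 S=33398 Syn Seq=2559160482 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.37 TCP D=111 S=59773 Rst Seq=2178778586 Len=0 Win=8760
nnn.nnn.213.13 -> 0.47.0.207 TCP D=111 S=33401 Syn Seq=2559361718 Len=0 Win=8760
nnn.nnn.213.11 -> 0.181.0.38 TCP D=111 S=59774 Rst Seq=2178892699 Len=0 Win=8760
nnn.nnn.213.32 -> 0.123.0.55 TCP D=111 S=56202 Rst Seq=240026718 Len=0 Win=8760
"""

# One snoop TCP summary line: src -> dst TCP D=<dport> S=<sport> <flags> Seq=...
LINE = re.compile(
    r"^\s*(?P<src>\S+) -> (?P<dst>\S+) TCP D=(?P<dport>\d+) S=(?P<sport>\d+) "
    r"(?P<flags>[A-Za-z ]*?)\s*(?:Ack=\d+\s+)?Seq=(?P<seq>\d+)")

def parse(text):
    """Yield (src, dst, dport, flags) per TCP summary line; skip anything else."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), tuple(m["flags"].split())

def summarize(text, min_dsts=2):
    """Per-source totals. min_dsts is an assumed threshold for 'many hosts'."""
    acc = defaultdict(lambda: {"flags": defaultdict(int), "ports": set(), "dsts": set()})
    for src, dst, dport, flags in parse(text):
        acc[src]["ports"].add(dport)
        acc[src]["dsts"].add(dst)
        for f in flags:
            acc[src]["flags"][f] += 1
    out = {}
    for src, a in acc.items():
        octets = [d.split(".") for d in a["dsts"]]
        out[src] = {
            "flags": dict(a["flags"]),
            "ports": sorted(a["ports"]),
            "distinct_dsts": len(a["dsts"]),
            # True when every destination has zero first and third octets,
            # the address shape seen throughout this capture.
            "zero_octet_dsts": all(len(o) == 4 and o[0] == o[2] == "0" for o in octets),
            # Same port sent to several different hosts from one source.
            "fanout": len(a["dsts"]) >= min_dsts and len(a["ports"]) == 1,
        }
    return out

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

Feeding the full summary listing to `summarize()` gives the same per-source breakdown for all three source hosts.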
This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 12:39:24 PST