Strange traffic...

From: John Oliver (john.oliverat_private)
Date: Fri Jan 11 2002 - 13:46:29 PST


    I noticed one of my clients' machines seeing a lot more traffic than
    normal.  tcpdump on the firewall got me stuff like:
    
    13:27:20.932382 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: .
    487424:488884(1460) ack 1 win 17520 (DF)
    13:27:20.932530 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: .
    487424:488884(1460) ack 1 win 17520 (DF)
    13:27:20.933615 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: .
    488884:490344(1460) ack 1 win 17520 (DF)
    13:27:20.933757 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: .
    488884:490344(1460) ack 1 win 17520 (DF)
    13:27:20.934845 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: P
    490344:491804(1460) ack 1 win 17520 (DF)
    13:27:20.934983 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: P
    490344:491804(1460) ack 1 win 17520 (DF)
    13:27:20.936076 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: .
    491804:493264(1460) ack 1 win 17520 (DF)
    13:27:20.936214 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: .
    491804:493264(1460) ack 1 win 17520 (DF)
    13:27:20.936835 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: P
    494724:495616(892) ack 1 win 17520 (DF)
    13:27:20.936968 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: P
    494724:495616(892) ack 1 win 17520 (DF)
    
    And:
    
    13:27:21.224434 eth0 < gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: .
    432432:433892(1460) ack 1 win 17520 (DF)
    13:27:21.224585 eth1 > gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: .
    432432:433892(1460) ack 1 win 17520 (DF)
    13:27:21.225191 eth0 < gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: P
    433892:434784(892) ack 1 win 17520 (DF)
    13:27:21.225324 eth1 > gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: P
    433892:434784(892) ack 1 win 17520 (DF)
    
    I can't find any references to port 2800 or 4059, at least in Google. 
    Is there a better source to search for possible intrusion attempts?
    
    nmap for hostx says:
    
    Starting nmap V. 2.53 by fyodorat_private ( www.insecure.org/nmap/ )
     Interesting ports on hostx (www.xxx.yyy.zzz):
    (The 65512 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp                     
    80/tcp     open        http                    
    99/tcp     open        metagram                
    135/tcp    open        loc-srv                 
    139/tcp    open        netbios-ssn             
    443/tcp    open        https                   
    808/tcp    open        unknown                 
    881/tcp    open        unknown                 
    1029/tcp   open        unknown                 
    1081/tcp   open        unknown                 
    1082/tcp   open        unknown                 
    1083/tcp   open        ansoft-lm-1             
    1433/tcp   open        ms-sql-s                
    1720/tcp   filtered    unknown                 
    2080/tcp   open        unknown                 
    2429/tcp   open        unknown                 
    4080/tcp   open        unknown                 
    4899/tcp   open        unknown                 
    5631/tcp   open        pcanywheredata          
    31333/tcp  open        unknown                 
    44442/tcp  open        unknown                 
    44443/tcp  open        unknown                 
    65301/tcp  open        pcanywhere              
    
    Nmap run completed -- 1 IP address (1 host up) scanned in 212 seconds
    
    Hostx is an NT Server 4.0 box, SP6a, running IIS, Cold Fusion, and some
    other webhosting-related stuff. I'm not extremely familiar with NT, so I
    could use some thoughts here.
    
    -- 
    John Oliver
    System Administrator
    hosting.com, an Allegiance Telecom company
    mailto:john.oliverat_private
    (858) 637-3600
    http://www.hosting.com/
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
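One way to triage a capture like this, as an added example that is not part of the post: parse the tcpdump lines into per-flow totals, counting only the eth0 copy so the firewall's forwarded eth1 duplicate is not counted twice, track sequence gaps (the first trace jumps from 493264 to 494724, so one segment is missing from the capture), and list flows into ports that the nmap output does not show as open. The sample lines are the post's own packets re-joined to one line each; the port set passed to the check is a constructed subset of the nmap listing.

```python
import re

# tcpdump 3.x line format as shown in the post (one line per packet; the
# mail client wrapped them): ts iface dir src.sport > dst.dport: flags lo:hi(len) ack ...
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) (?P<dir>[<>]) '
    r'(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): '
    r'(?P<flags>\S+) (?P<lo>\d+):(?P<hi>\d+)\((?P<plen>\d+)\) ack (?P<ack>\d+)'
)

# Constructed sample, re-joined from the post's capture; the eth1 lines are the
# same packets after the firewall forwarded them, so they must not be counted twice.
SAMPLE = """\
13:27:20.932382 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 487424:488884(1460) ack 1 win 17520 (DF)
13:27:20.932530 eth1 > skurup.datlab.bth.se.3509 > hostx.4059: . 487424:488884(1460) ack 1 win 17520 (DF)
13:27:20.933615 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 488884:490344(1460) ack 1 win 17520 (DF)
13:27:20.934845 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: P 490344:491804(1460) ack 1 win 17520 (DF)
13:27:20.936076 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: . 491804:493264(1460) ack 1 win 17520 (DF)
13:27:20.936835 eth0 < skurup.datlab.bth.se.3509 > hostx.4059: P 494724:495616(892) ack 1 win 17520 (DF)
13:27:21.224434 eth0 < gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: . 432432:433892(1460) ack 1 win 17520 (DF)
13:27:21.224585 eth1 > gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: . 432432:433892(1460) ack 1 win 17520 (DF)
13:27:21.225191 eth0 < gfsv006.mpikg-golm.mpg.de.1749 > hostx.2800: P 433892:434784(892) ack 1 win 17520 (DF)
"""

def summarize_flows(text, outside_iface="eth0"):
    """Per-flow packet/byte totals plus bytes missing from the capture (sequence gaps)."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["iface"] != outside_iface:
            continue  # skip unparsable lines and the forwarded copies on the inside interface
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        lo, hi, plen = int(m["lo"]), int(m["hi"]), int(m["plen"])
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "gap_bytes": 0,
                                   "next_seq": lo, "pushes": 0})
        if lo > f["next_seq"]:
            f["gap_bytes"] += lo - f["next_seq"]  # segment(s) not present in the capture
        f["packets"] += 1
        f["bytes"] += plen
        f["pushes"] += "P" in m["flags"]  # PSH-flagged segments, i.e. end of an application write
        f["next_seq"] = max(f["next_seq"], hi)
    return flows

def flows_to_unlisted_ports(flows, host, listed_ports):
    """Flows into `host` whose destination port is absent from the nmap listing."""
    return sorted(k for k in flows if k[2] == host and k[3] not in listed_ports)
```

Both flows in the post terminate on hostx ports (4059 and 2800) that do not appear in the nmap listing, which is what the second function surfaces; the listed-port set would normally be built from the full nmap output.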
    



    This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 15:00:14 PST