Is one of the machines a SGI Irix machine? SGI uses port 1 for service multiplexing and this may be a communication from the service multiplexor. It can be pretty chatty with it.

-----Original Message-----
From: Pat Moffitt [mailto:pmoffittat_private]
Sent: Thu February 07 2002 16:12
To: Incidents
Subject: Why would my machine do this?

I noticed in my logs connections to our firewall machine via UDP port 1. I thought that odd and investigated. The packets were not being dropped by IPTABLES, so they had to be related to another connection. The IP address the connection is coming from is a trusted address (my roommate is the administrator of that system). So, I started snort and waited for a response to see what was going on. The results are below.

The trusted system is one that we sync our firewall's clock with. We are running Debian with Kernel 2.4.17, IPTables and ntp ver 4.0.99g-2potato2.

Why is what looks like ntp trying to connect out on port 1? I don't know anything about ntp packets, but they are real close to the ones going out from port 123. Is this something worth exploring further? If so, where do I go next?

Thanks,
Pat Moffitt
MIS Administrator
Western Recreational Vehicles, Inc.

xx.xx.xx.xx = our firewall system's external address.
yy.yy.yy.yy = trusted outside system I sync my clock with.

Snort -vd 'host yy.yy.yy.yy' provided:

02/07-12:21:11.600300 xx.xx.xx.xx:1 -> yy.yy.yy.yy:123
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:76 DF
Len: 56
23 04 06 EF 00 00 20 9A 00 00 40 9E CF 6D BB 42  #..... ...@..m.B
C0 0D 5F F7 F4 9D 8C 6D C0 0D 5F F7 95 33 D2 95  .._....m.._..3..
C0 0D 5F F7 F4 9D 8C 6D C0 0D 60 37 99 A1 87 A4  .._....m..`7....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/07-12:21:11.637692 yy.yy.yy.yy:123 -> xx.xx.xx.xx:1
UDP TTL:55 TOS:0x0 ID:60398 IpLen:20 DgmLen:76
Len: 56
24 03 06 EF 00 00 17 38 00 00 07 98 A5 5B FA D6  $......8.....[..
C0 0D 5E F4 70 B2 B7 77 C0 0D 60 37 99 A1 87 A4  ..^.p..w..`7....
C0 0D 60 37 88 27 B6 FE C0 0D 60 37 88 2C 4D 65  ..`7.'....`7.,Me

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/07-12:21:11.637848 xx.xx.xx.xx -> yy.yy.yy.yy
ICMP TTL:255 TOS:0xC0 ID:16011 IpLen:20 DgmLen:104
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
yy.yy.yy.yy:123 -> xx.xx.xx.xx:1
UDP TTL:55 TOS:0x0 ID:60398 IpLen:20 DgmLen:76
Len: 56
** END OF DUMP
45 00 00 4C EB EE 00 00 37 11 76 50 yy yy yy yy  E..L....7.vP....
xx xx xx xx 00 7B 00 01 00 38 15 B1 24 03 06 EF  .....{...8..$...
00 00 17 38 00 00 07 98 A5 5B FA D6 C0 0D 5E F4  ...8.....[....^.
70 B2 B7 77 C0 0D 60 37 99 A1 87 A4 C0 0D 60 37  p..w..`7......`7
88 27 B6 FE C0 0D 60 37 88 2C 4D 65              .'....`7.,Me

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
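As an added illustration, not part of either message above: a small Python decoder for the two 48-byte NTP payloads in Pat's snort dump, which pulls apart the LI/VN/Mode byte and checks that the reply's origin timestamp echoes the request's transmit timestamp (the standard way to confirm a server reply belongs to the request before it). The function names are my own; the field layout is the standard NTPv4 header.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTP payloads copied from the snort dump above (UDP data only, 48 bytes each):
# first the packet the firewall sent from port 1, then the server's reply to it.
REQUEST = bytes.fromhex(
    "23 04 06 EF 00 00 20 9A 00 00 40 9E CF 6D BB 42"
    "C0 0D 5F F7 F4 9D 8C 6D C0 0D 5F F7 95 33 D2 95"
    "C0 0D 5F F7 F4 9D 8C 6D C0 0D 60 37 99 A1 87 A4")
REPLY = bytes.fromhex(
    "24 03 06 EF 00 00 17 38 00 00 07 98 A5 5B FA D6"
    "C0 0D 5E F4 70 B2 B7 77 C0 0D 60 37 99 A1 87 A4"
    "C0 0D 60 37 88 27 B6 FE C0 0D 60 37 88 2C 4D 65")

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)  # NTP counts from 1900, not 1970
MODES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
         4: "server", 5: "broadcast", 6: "control", 7: "private"}

def ntp_time(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to UTC."""
    return NTP_EPOCH + timedelta(seconds=seconds + fraction / 2**32)

def parse_ntp(payload):
    """Decode the fixed 48-byte NTP header; timestamps are kept as (sec, frac) pairs."""
    if len(payload) < 48:
        raise ValueError("NTP header is 48 bytes")
    (flags, stratum, poll, precision, root_delay, root_disp,
     ref_s, ref_f, org_s, org_f, rec_s, rec_f, xmt_s, xmt_f) = struct.unpack(
        "!BBbbII4xIIIIIIII", payload[:48])
    mode = flags & 7
    return {
        "li": flags >> 6, "version": (flags >> 3) & 7,
        "mode": mode, "mode_name": MODES.get(mode, "reserved"),
        "stratum": stratum, "poll": poll, "precision": precision,  # precision is log2 seconds
        "root_delay": root_delay / 2**16, "root_dispersion": root_disp / 2**16,
        # for stratum >= 2 the reference id is the IPv4 address of the upstream server
        "ref_id": ".".join(str(b) for b in payload[12:16]) if stratum >= 2
                  else payload[12:16].decode("ascii", "replace").strip("\x00"),
        "reference": (ref_s, ref_f), "origin": (org_s, org_f),
        "receive": (rec_s, rec_f), "transmit": (xmt_s, xmt_f),
    }

def is_reply_to(request, reply):
    """A genuine server reply carries the client's transmit timestamp in its origin field."""
    return (request["mode"] == 3 and reply["mode"] == 4
            and reply["origin"] == request["transmit"])

if __name__ == "__main__":
    for name, pkt in (("request", parse_ntp(REQUEST)), ("reply", parse_ntp(REPLY))):
        print(f"{name}: v{pkt['version']} {pkt['mode_name']} stratum {pkt['stratum']} "
              f"ref {pkt['ref_id']} transmit {ntp_time(*pkt['transmit']):%Y-%m-%d %H:%M:%S} UTC")
    print("reply matches request:", is_reply_to(parse_ntp(REQUEST), parse_ntp(REPLY)))
```

The transmit time decodes to 20:21:11 UTC, which is the 12:21:11 PST snort timestamp, and the mode fields show an ordinary client request and server reply; only the source port is unusual.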
This archive was generated by hypermail 2b30 : Fri Feb 08 2002 - 09:55:01 PST