Application Scanning 1033/tcp?

From: Crist J. Clark (crist.clarkat_private)
Date: Fri May 31 2002 - 14:46:05 PDT


    We've been regularly scanned on port 1033/tcp by a wide variety of IP
    addresses. For example, here are abbreviated scans from today between
    13:00 and 14:00 PDT,
    
      13:00:08.081482 24-109-22-40.ivideon.com.4092 > my.firewall.com.1033: S 4162272443:4162272443(0) win 64240  (DF)
      13:00:31.773412 24-109-22-40.ivideon.com.4098 > my.firewall.com.1033: S 4170831855:4170831855(0) win 64240  (DF)
      13:00:34.822231 24-109-22-40.ivideon.com.4098 > my.firewall.com.1033: S 4170831855:4170831855(0) win 64240  (DF)
      13:00:36.899623 24-109-22-40.ivideon.com.4102 > my.firewall.com.1033: S 4172312999:4172312999(0) win 64240  (DF)
      .
      .
      .
      13:59:41.964667 24-109-22-40.ivideon.com.4745 > my.firewall.com.1033: S 816514957:816514957(0) win 64240  (DF)
      13:59:53.056863 24-109-22-40.ivideon.com.4749 > my.firewall.com.1033: S 821747116:821747116(0) win 64240  (DF)
      13:59:56.023444 24-109-22-40.ivideon.com.4749 > my.firewall.com.1033: S 821747116:821747116(0) win 64240  (DF)
      14:00:02.049422 24-109-22-40.ivideon.com.4749 > my.firewall.com.1033: S 821747116:821747116(0) win 64240  (DF)
    
      13:21:54.705383 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192  (DF)
      13:21:57.607638 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192  (DF)
      13:22:03.609713 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192  (DF)
      13:22:15.610063 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192  (DF)
      .
      .
      .
      13:47:47.681693 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192  (DF)
      13:47:50.602002 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192  (DF)
      13:47:56.600538 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192  (DF)
      13:48:08.599116 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26702 > my.firewall.com.1033: S 13800380:13800380(0) win 8192  (DF)
    
      13:51:55.458288 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4954 > my.firewall.com.1033: S 2637612177:2637612177(0) win 64240  (DF)
      13:51:58.402493 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4954 > my.firewall.com.1033: S 2637612177:2637612177(0) win 64240  (DF)
      13:52:04.290740 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4954 > my.firewall.com.1033: S 2637612177:2637612177(0) win 64240  (DF)
      13:52:25.392798 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4956 > my.firewall.com.1033: S 2645190207:2645190207(0) win 64240  (DF)
      .
      .
      .
      13:54:06.067548 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4975 > my.firewall.com.1033: S 2669006106:2669006106(0) win 64240  (DF)
      13:54:06.073626 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4974 > my.firewall.com.1033: S 2668952197:2668952197(0) win 64240  (DF)
      13:54:06.078158 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4973 > my.firewall.com.1033: S 2668896132:2668896132(0) win 64240  (DF)
      13:54:06.269224 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4976 > my.firewall.com.1033: S 2669108864:2669108864(0) win 64240  (DF)
    
      13:26:52.440778 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192  (DF)
      13:26:55.352418 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192  (DF)
      13:27:01.348100 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192  (DF)
      13:27:13.346008 adsl-66-124-122-115.dsl.lsan03.pacbell.net.1994 > my.firewall.com.1033: S 165920174:165920174(0) win 8192  (DF)
    
    Comparing these to the outgoing traffic, I can correlate most of
    these to outgoing connection attempts to these machines from our
    network. That is, someone inside our network connects out to these
    machines which then try to connect back in on 1033. However, the
    outgoing connections are to a whole bunch of different TCP port
    numbers and never to 1033/tcp.
    
    I am having trouble figuring out what exactly they are looking for at
    1033/tcp. My first concern was this was some kind of trojan or malware
    phoning home and the remote controllers were trying to call back on
    1033, but I've found no known trojans that listen on 1033. My other
    suspicion is one of the zillion peer-to-peer file sharing protocols,
    but again, no luck in finding one that uses 1033.
    
    Anyone know what uses 1033/tcp? I've looked at all of the usual web
    resources (please don't give out URLs of port lists unless you've
    checked that the list does include 1033) and haven't found it.
    -- 
    Crist J. Clark                     |     cjclarkat_private
                                       |     cjclarkat_private
    http://people.freebsd.org/~cjc/    |     cjcat_private
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
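The correlation the poster describes by hand (an inbound SYN to 1033/tcp shortly after an outbound connection from inside to the same remote host, on some other port) can be scripted against the tcpdump output. The following is an added example, not code from the post or from the list; it parses the 2002-era tcpdump SYN line format shown above. The inbound lines are copied from the post; the outbound lines and the host scanner.example.net are constructed here, and the script assumes the capture was taken on the firewall's outside interface so that outbound connections appear sourced from my.firewall.com.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# tcpdump TCP SYN line, in the format shown in the post:
#   HH:MM:SS.ffffff src.sport > dst.dport: S seq:seq(0) win N (DF)
# Hostnames contain dots, so the port is taken as the trailing ".digits".
SYN_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+'
    r'(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dst>\S+)\.(?P<dport>\d+):\s+S\s'
)

# Assumption: the capture is on the outside interface, so connections from
# inside show the firewall itself as the source address.
INTERNAL_HOSTS = {'my.firewall.com'}
LOCAL_PORT = 1033

# Inbound lines copied from the post; lines marked (constructed) are made up
# here to stand in for the outbound side the post describes.
SAMPLE_LINES = [
    # (constructed) we connected out to this host on 6346 first
    '12:58:40.113000 my.firewall.com.3321 > 24-109-22-40.ivideon.com.6346: S 100:100(0) win 65535 (DF)',
    '13:00:08.081482 24-109-22-40.ivideon.com.4092 > my.firewall.com.1033: S 4162272443:4162272443(0) win 64240  (DF)',
    '13:00:31.773412 24-109-22-40.ivideon.com.4098 > my.firewall.com.1033: S 4170831855:4170831855(0) win 64240  (DF)',
    # (constructed) stale outbound, more than 30 minutes before the inbound SYN
    '12:30:00.000000 my.firewall.com.3340 > adsl-64-164-173-196.dsl.lsan03.pacbell.net.443: S 150:150(0) win 65535 (DF)',
    # (constructed)
    '13:20:10.500000 my.firewall.com.3350 > evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.4662: S 200:200(0) win 65535 (DF)',
    '13:21:54.705383 evrtwa1-ar8-4-62-057-037.evrtwa1.dsl-verizon.net.26214 > my.firewall.com.1033: S 12247167:12247167(0) win 8192  (DF)',
    # (constructed) inbound SYN with no preceding outbound connection at all
    '13:30:00.000000 scanner.example.net.40000 > my.firewall.com.1033: S 300:300(0) win 1024 (DF)',
    # (constructed)
    '13:45:00.000000 my.firewall.com.3360 > adsl-64-164-173-196.dsl.lsan03.pacbell.net.80: S 400:400(0) win 65535 (DF)',
    '13:51:55.458288 adsl-64-164-173-196.dsl.lsan03.pacbell.net.4954 > my.firewall.com.1033: S 2637612177:2637612177(0) win 64240  (DF)',
]


def parse_syn(line):
    """Parse one tcpdump SYN line; return None for lines that are not SYNs."""
    m = SYN_RE.match(line.strip())
    if not m:
        return None
    return {
        'ts': datetime.strptime(m.group('ts'), '%H:%M:%S.%f'),
        'src': m.group('src'), 'sport': int(m.group('sport')),
        'dst': m.group('dst'), 'dport': int(m.group('dport')),
    }


def correlate(lines, internal_hosts=INTERNAL_HOSTS, local_port=LOCAL_PORT,
              window=timedelta(minutes=30)):
    """For each remote host that sends a SYN to local_port, collect the remote
    ports our side connected to on that host within `window` before the
    inbound SYN. Returns {remote: {'inbound': n, 'our_ports_to_it': [...]}}."""
    events = [e for e in map(parse_syn, lines) if e]
    outbound = defaultdict(list)
    for e in events:
        if e['src'] in internal_hosts and e['dst'] not in internal_hosts:
            outbound[e['dst']].append(e)
    report = {}
    for e in events:
        if e['dport'] != local_port or e['dst'] not in internal_hosts:
            continue
        entry = report.setdefault(e['src'], {'inbound': 0, 'our_ports_to_it': set()})
        entry['inbound'] += 1
        for o in outbound[e['src']]:
            if e['ts'] - window <= o['ts'] <= e['ts']:
                entry['our_ports_to_it'].add(o['dport'])
    for entry in report.values():
        entry['our_ports_to_it'] = sorted(entry['our_ports_to_it'])
    return report


def unexplained(report):
    """Remote hosts that hit the port with no preceding outbound connection
    from us: the candidates for a genuinely unsolicited scan."""
    return sorted(r for r, v in report.items() if not v['our_ports_to_it'])


if __name__ == '__main__':
    rep = correlate(SAMPLE_LINES)
    for remote, v in rep.items():
        print(f"{remote}: {v['inbound']} SYN(s) to {LOCAL_PORT}, "
              f"we connected to it on {v['our_ports_to_it'] or 'nothing'}")
    print('unexplained:', unexplained(rep))
```

The time window is the important knob: with no window every earlier outbound connection would "explain" a later inbound SYN, and with too short a window a slow call-back is missed. Checking that 1033 never appears in any `our_ports_to_it` list confirms the observation in the post that the outbound side never uses that port, which is what rules out a simple same-port protocol.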
    
    This archive was generated by hypermail 2b30 : Fri May 31 2002 - 14:48:59 PDT