In the past 2 hours I have captured over 18,000 packets attempting to initiate a connection on port 5168/TCP. All traffic is on my internal network. The machines originating the traffic are Windows 2000 servers - one running SAP w/ Oracle and one running Citrix for development purposes only. In all but one case so far, the systems targeted have responded with a reset. The one that did respond opened a 'DCERPC' connection briefly and then closed the connection. From what I have found so far, DCERPC should only be listening on port 135. Source ports seem to be random. So far it looks to have hit every active address in the subnet I am sniffing. Below is a sample of the SYN packet being sent out. Any assistance in identifying this traffic would be greatly appreciated.

04/17-09:56:12.106932 0:D0:D3:35:D3:EC -> 0:4:75:CB:87:CF type:0x800 len:0x3E
xxx.xxx.xxx.48:2720 -> xxx.xx.xxx.31:5168 TCP TTL:127 TOS:0x0 ID:21131 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE6169382 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

Thanks in advance,
Duncan Molony
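The pattern Duncan describes (one source, one destination port, SYN-only packets to every host in a subnet, resets coming back) is a horizontal SYN sweep, and it can be picked out of a Snort packet log mechanically. The script below is an added example for readers of the archive, not code from the original post: it parses records in the same Snort log layout as the sample above, groups SYN-only packets by (source address, destination port), and reports any pair that touched at least a threshold number of distinct hosts. The log lines it runs on are constructed (RFC 5737 documentation addresses), and the TTL helper uses the common initial-TTL heuristic (64/128/255) rather than anything the post states.

```python
import re
from collections import defaultdict

# Constructed sample in Snort's packet-log format (not the original capture).
# Host 192.0.2.48 sends SYN-only packets to port 5168 on four hosts; 192.0.2.31
# answers one of them with RST/ACK; 192.0.2.10 makes a single ordinary
# connection attempt to port 135, which should not be reported as a sweep.
SAMPLE_LOG = """\
04/17-09:56:12.106932 0:D0:D3:35:D3:EC -> 0:4:75:CB:87:CF type:0x800 len:0x3E
192.0.2.48:2720 -> 192.0.2.31:5168 TCP TTL:127 TOS:0x0 ID:21131 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE6169382 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

04/17-09:56:12.107210 0:4:75:CB:87:CF -> 0:D0:D3:35:D3:EC type:0x800 len:0x3C
192.0.2.31:5168 -> 192.0.2.48:2720 TCP TTL:128 TOS:0x0 ID:40021 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0xE6169383 Win: 0x0 TcpLen: 20

04/17-09:56:12.108001 0:D0:D3:35:D3:EC -> 0:4:75:CB:87:D0 type:0x800 len:0x3E
192.0.2.48:2721 -> 192.0.2.32:5168 TCP TTL:127 TOS:0x0 ID:21132 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE6169A11 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

04/17-09:56:12.109114 0:D0:D3:35:D3:EC -> 0:4:75:CB:87:D1 type:0x800 len:0x3E
192.0.2.48:2722 -> 192.0.2.33:5168 TCP TTL:127 TOS:0x0 ID:21133 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE616A0F0 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

04/17-09:56:12.110227 0:D0:D3:35:D3:EC -> 0:4:75:CB:87:D2 type:0x800 len:0x3E
192.0.2.48:2723 -> 192.0.2.34:5168 TCP TTL:127 TOS:0x0 ID:21134 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE616A7C2 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

04/17-09:56:13.500000 0:4:75:CB:87:E0 -> 0:4:75:CB:87:CF type:0x800 len:0x3E
192.0.2.10:1050 -> 192.0.2.31:135 TCP TTL:128 TOS:0x0 ID:7002 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1A2B3C4D Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

# Second line of each record: addresses, ports and TTL.
IP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) TCP TTL:(\d+)")
# Third line: Snort's 8-character flag field (1 2 U A P R S F; '*' = not set).
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:")
SYN_ONLY = "******S*"


def parse_snort_log(text):
    """Return one dict per packet record found in a Snort-style packet log."""
    records = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = IP_RE.match(line)
        if m:
            current = {
                "src_ip": m.group(1), "src_port": int(m.group(2)),
                "dst_ip": m.group(3), "dst_port": int(m.group(4)),
                "ttl": int(m.group(5)),
            }
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            current["flags"] = m.group(1)
            records.append(current)
            current = None
    return records


def find_syn_sweeps(records, min_hosts=3):
    """Map (src_ip, dst_port) -> sorted list of distinct hosts that received
    a SYN-only packet, keeping only pairs that reached >= min_hosts hosts."""
    targets = defaultdict(set)
    for r in records:
        if r["flags"] == SYN_ONLY:
            targets[(r["src_ip"], r["dst_port"])].add(r["dst_ip"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}


def ttl_hint(ttl):
    """Heuristic only: guess the sender's initial TTL (64, 128 or 255) and the
    number of hops the packet has travelled. Used to sanity-check that the
    source is where it claims to be (e.g. TTL 127 -> initial 128, one hop)."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


if __name__ == "__main__":
    recs = parse_snort_log(SAMPLE_LOG)
    for (src, port), hosts in find_syn_sweeps(recs).items():
        print(f"SYN sweep from {src} to port {port}: {len(hosts)} hosts {hosts}")
    print("TTL hint for 127:", ttl_hint(127))
```

On the constructed data the RST/ACK reply and the lone connection to port 135 are ignored, and only the 192.0.2.48 to port 5168 pair is reported. Running the same logic over the real capture would confirm whether a single source is responsible for all 18,000 SYNs and give the list of hosts it has reached, which is the starting point for checking what process on the originating Windows 2000 servers owns those outbound connections.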
This archive was generated by hypermail 2b30 : Thu Apr 17 2003 - 14:25:31 PDT