[lug] RFI packet log deny message

Greg Horne jeerygh at hotmail.com
Wed Oct 24 12:59:29 MDT 2001


Here is a list of well-known trojan ports.  32897 wasn't listed, but that
doesn't rule it out.

http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

Greg


>From: "D. Stimits" <stimits at idcomm.com>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] RFI packet log deny message
>Date: Tue, 23 Oct 2001 23:17:41 -0600
>
>B O'Fallon wrote:
> >
> > Hello,
> >
> > I was looking at my root mail tonight and noticed the following:
> >
> >      Oct 23 21:56:11 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=21355 F=0x4000 T=51 SYN (#59)
> >
> >      Oct 23 21:56:20 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=41627 F=0x4000 T=51 SYN (#59)
> >
> >      Oct 23 21:56:32 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=3142 F=0x4000 T=51 SYN (#59)
> >
> > nslookup revealed that 152.2.210.121 is latinhouse.metalab.unc.edu. I
> > wasn't doing anything with them that I know of.
> >
> > 10.0.0.3 is the address assigned to my ethernet card by the NAT feature of
> > my Cisco 675.
> >
> > Could someone explain what this is? Is someone at unc probing the ftp
> > port of the ipaddress for my cisco and it is getting passed through to
> > the firewall I am running on 10.0.0.3?
>
>Proto 6 means TCP, so spoofing is less likely (rather unlikely in any
>case but DoS where TCP).
>
>They originated their request from port 20, it was not the destination.
>They got to your mudhen machine. Is mudhen 10.0.0.3? Or is 10.0.0.3
>something mudhen forwards to? If 10.0.0.3 *IS* mudhen, then they got to
>this internal IP via your NAT. If mudhen merely forwards to 10.0.0.3,
>then they stopped at mudhen.
>
>I don't know what your NAT rules are. Are particular ports dedicated to
>forwarding to 10.0.0.3? If not, then it likely means a process located
>at 10.0.0.3 sent a request to 152.2.210.121, and just happened to reply
>to that port 32897. Not sure, maybe someone knows if 32897 is a known
>trojan port? In any case, unless NAT has preassigned port schemes, then
>10.0.0.3 had to originate a request in order for the NAT to know which
>machine it goes to. The input chain killed the request.
>
>D. Stimits, stimits at idcomm.com
>
> >
> > Thanx.
> >
> > BOF
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>_______________________________________________
>Web Page:  http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
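The quoted thread decodes the ipchains entries by hand (PROTO=6 is TCP, port 20 was the source, the three packets are SYNs). The script below is an added example, not code from any poster, that parses lines in that "Packet log:" format, expands the fields (L is IP total length, S is TOS, I is IP ID, F is the raw fragment field where 0x4000 is the DF bit, T is TTL, a trailing SYN marks a SYN without ACK, (#N) is the matching rule), and groups repeats by connection. The assessment it prints for the thread's own pattern rests on a fact the thread does not spell out: 20/tcp is ftp-data (RFC 959), and in active-mode FTP the server opens the data connection from port 20 to the ephemeral port the client announced in its PORT command, so a SYN from 20 to a high port is what an FTP transfer initiated from inside looks like from the outside. The sample log lines are the three quoted above, re-joined onto single lines; the heuristics in assess() are this example's, not a conclusion the thread reaches.

```python
"""Parse Linux 2.2 ipchains "Packet log:" syslog lines and group repeated hits.

Added example for the thread above; not code from any of the posters.
"""
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample input: the three entries quoted in the thread, each
# re-joined onto the single line syslog originally wrote.
SAMPLE_LOG = """\
Oct 23 21:56:11 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=21355 F=0x4000 T=51 SYN (#59)
Oct 23 21:56:20 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=41627 F=0x4000 T=51 SYN (#59)
Oct 23 21:56:32 mudhen kernel: Packet log: input DENY eth0 PROTO=6 152.2.210.121:20 10.0.0.3:32897 L=60 S=0x00 I=3142 F=0x4000 T=51 SYN (#59)
"""

# TCP/UDP form of the ipchains log line (ICMP prints type/code where the ports are).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) "
    r"\(#(?P<rule>\d+)\)$"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_line(line):
    """Return a dict of decoded fields, or None if the line is not a Packet log entry."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    frag = int(d["frag"], 16)          # IP flags + fragment offset, as ipchains logs it
    return {
        "ts": datetime.strptime(d["ts"], "%b %d %H:%M:%S"),  # syslog omits the year
        "host": d["host"], "chain": d["chain"], "verdict": d["verdict"],
        "iface": d["iface"],
        "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "len": int(d["len"]), "tos": int(d["tos"], 16), "ipid": int(d["ipid"]),
        "df": bool(frag & 0x4000),     # Don't Fragment bit
        "mf": bool(frag & 0x2000),     # More Fragments bit
        "frag_offset": frag & 0x1FFF,
        "ttl": int(d["ttl"]),
        "flags": d["flags"].split(),   # ["SYN"] for a SYN without ACK, else []
        "rule": int(d["rule"]),
    }


def assess(rec):
    """Heuristic reading of one record (this example's own rules of thumb)."""
    syn_only = rec["proto"] == "TCP" and rec["flags"] == ["SYN"]
    if syn_only and rec["sport"] == 20 and rec["dport"] >= 1024:
        return ("active-mode FTP data connection: ftp-data (20/tcp) connecting back to "
                "an ephemeral port; look for an FTP session to this host from the inside "
                "before treating it as a probe")
    if syn_only and rec["sport"] < 1024:
        return "SYN from a privileged source port: not how ordinary clients connect"
    if syn_only:
        return "plain inbound connection attempt"
    return "not a new TCP connection attempt"


def group_attempts(lines):
    """Group entries by (proto, src, sport, dst, dport, verdict) and summarise each group.

    Several SYNs on one 5-tuple a few seconds apart with different IP IDs are
    retransmissions of a single connect(), not separate probes.
    """
    groups = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["verdict"])
        groups.setdefault(key, []).append(rec)
    summary = []
    for key, recs in groups.items():
        summary.append({
            "proto": key[0], "src": key[1], "sport": key[2],
            "dst": key[3], "dport": key[4], "verdict": key[5],
            "count": len(recs),
            "span_seconds": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
            "distinct_ipids": len({r["ipid"] for r in recs}),
            "assessment": assess(recs[0]),
        })
    return summary


if __name__ == "__main__":
    for g in group_attempts(SAMPLE_LOG.splitlines()):
        print("%(count)d x %(proto)s %(src)s:%(sport)d -> %(dst)s:%(dport)d %(verdict)s "
              "over %(span_seconds).0fs, %(distinct_ipids)d IP IDs: %(assessment)s" % g)
```

Run against the three quoted lines it reports one group of three SYNs over 21 seconds with three distinct IP IDs and the ftp-data assessment; point it at /var/log/messages to see every denied connection collapsed to one line per peer and port pair.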

