[lug] outgoing port 220 exploit?
David Anselmi
anselmi at anselmi.us
Tue Jan 20 14:51:37 MST 2004
D. Stimits wrote:
[...]
>
> I've tried lsof and netstat with -c, none show it. A failed connect
> takes all of about 50 milliseconds, so I'd have to hit it in that time.
> Anything taking a "snapshot", and not reading 100% of anything using the
> port 6129, or attempting outgoing 220, will fail.
I tried this on an iptables box using telnet. Even though the outgoing
SYN is blocked, telnet (actually the IP stack, I'd guess) does the usual
thing and sends several SYN packets. telnet has the socket open during
this time, and it takes more than 5 seconds to time out. So it will show
up in lsof if you run it every 5 seconds.
If this traffic is coming from a malicious application, it is possible it
isn't using the regular library calls (that's connect(), isn't it?), or is
using them in irregular ways. So if only one SYN packet goes out, the
socket may be open less than 5 seconds.
BTW, where do you get 50ms from?
Sorry my suggestion wasn't useful.
Dave
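An added example, not part of Dave's message or the original thread: the polling problem he describes goes away if the firewall records the attempt instead of a process table snapshot, because an iptables LOG rule writes a line for every SYN that leaves the box, including the retransmits of a failing connect(), no matter how briefly the socket exists. The script below assumes an OUTPUT rule of the form `iptables -A OUTPUT -p tcp --syn -j LOG --log-prefix "OUTBLOCK "` (the prefix is arbitrary) and parses the resulting kernel log lines, picking out outgoing TCP SYNs to the two ports from the thread and grouping the retransmits of one attempt together. The log lines embedded in it are constructed sample data with made-up addresses and timestamps, not anything captured from the poster's machine.

```python
"""Pick outgoing connection attempts to watched ports out of iptables LOG
output.  Added example for the thread above; the log lines below are
constructed, not captured from the poster's machine."""
import re
from collections import defaultdict
from datetime import datetime

# Ports from the thread: 220 (the outgoing attempts) and 6129 (the listener).
WATCHED_PORTS = {220, 6129}

# Constructed sample of iptables LOG output as it appears in the kernel log.
# One failed connect() shows up as several SYN lines: the stack retransmits
# the SYN while the socket sits open (the "more than 5 seconds" in the post).
SAMPLE_LOG = """\
Jan 20 14:40:01 host kernel: OUTBLOCK IN= OUT=eth0 SRC=192.168.1.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1111 DF PROTO=TCP SPT=34567 DPT=220 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 20 14:40:04 host kernel: OUTBLOCK IN= OUT=eth0 SRC=192.168.1.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1112 DF PROTO=TCP SPT=34567 DPT=220 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 20 14:40:10 host kernel: OUTBLOCK IN= OUT=eth0 SRC=192.168.1.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1113 DF PROTO=TCP SPT=34567 DPT=220 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 20 14:41:30 host kernel: OUTBLOCK IN= OUT=eth0 SRC=192.168.1.5 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2201 DF PROTO=TCP SPT=34580 DPT=220 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 20 14:42:00 host kernel: OUTBLOCK IN= OUT=eth0 SRC=192.168.1.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3301 DF PROTO=TCP SPT=34590 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 20 14:42:05 host kernel: OUTBLOCK IN= OUT=eth0 SRC=192.168.1.5 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4401 DF PROTO=TCP SPT=34567 DPT=220 WINDOW=5840 RES=0x00 ACK URGP=0
Jan 20 14:42:07 host kernel: OUTBLOCK IN= OUT=eth0 SRC=192.168.1.5 DST=10.0.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5501 DF PROTO=TCP SPT=34600 DPT=6129 WINDOW=5840 RES=0x00 SYN URGP=0
"""

_TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# TCP flags are printed by the LOG target as bare words, not KEY=value pairs.
_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}


def parse_log_line(line):
    """Return the netfilter fields of one syslog line as a dict, or None if
    the line is not an iptables LOG entry."""
    m = _TS_RE.match(line)
    if not m or "PROTO=" not in line:
        return None
    fields = dict(_KV_RE.findall(line))
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "proto": fields.get("PROTO"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": {tok for tok in line.split() if tok in _FLAGS},
    }


def find_outgoing_syns(log_text, ports=WATCHED_PORTS):
    """Every logged TCP connection attempt (SYN set, ACK clear) to a watched
    port.  Each SYN retransmit is its own line, so nothing is missed between
    lsof/netstat snapshots."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"] and rec["dport"] in ports:
            hits.append(rec)
    return hits


def summarize_attempts(records):
    """Group SYNs by (src, sport, dst, dport) so one connect() and its
    retransmits become one entry.  window_s, the span from first to last
    SYN, is roughly how long that socket was open and visible to a poller."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["src"], rec["sport"], rec["dst"], rec["dport"])].append(rec["ts"])
    summary = {}
    for key, stamps in groups.items():
        stamps.sort()
        summary[key] = {
            "syns": len(stamps),
            "window_s": (stamps[-1] - stamps[0]).total_seconds(),
        }
    return summary


if __name__ == "__main__":
    for (src, sport, dst, dport), info in summarize_attempts(find_outgoing_syns(SAMPLE_LOG)).items():
        print(f"{src}:{sport} -> {dst}:{dport}  SYNs={info['syns']}  window={info['window_s']:.0f}s")
```

The SYN-only filter drops the lone ACK line and the port 80 attempt, leaving three distinct attempts in the sample; the first one shows three SYNs spread over nine seconds, which is the retransmit behaviour Dave observed with telnet, while an application that sends a single SYN would still produce one line here even though a 5-second lsof loop could miss it entirely.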