[lug] how many ways to relay port 220?

D. Stimits stimits at comcast.net
Mon Jan 19 17:12:34 MST 2004


Bear Giles wrote:

> D. Stimits wrote:
>
> > I've even seen a hit now on a 2nd machine with a different version of
> > KRUD on it, whereby the machine local tcp port 6129 is trying to send
> > outbound to random (or seemingly so) port 220 tcp ports. I don't think
> > the machines are compromised (never know for sure till I figure
> > exactly what is going on).
>
>
> The thing that catches my eye is the seemingly fixed local port. With
> standard sockets programming you can only specify one port. Are you sure
> that there's no process sitting on port 6129?
>
I'm positive nothing is there. In fact I have noticed now 3 KRUD 
machines, 7.3, 8.0, and 9.0, all doing the same thing, and all 
intercepted and blocked by the firewall.

Partial detail now is that each machine will attempt to go outbound to 
the same port 220 ip address, using local port 6129. Each occurs 
regularly, but at different time offsets, e.g., maybe 5 minutes apart. 
It is as if networks are being scanned and when they reach the machine, 
it triggers.

One of the first things I have done is to check for altered files. I
also have tried to find any process on port 6129 or 220; they don't seem
to exist (I don't think this is local).

I am trying to find the inbound port hit, but if it isn't tcp or udp, it
won't be easy. Take something like ARP: it is a huge mess of hits. I am
also positive nothing is running on my local ports related to imap.
Basically it is a waiting game; I have to silence all the packets I can
from a machine and tcpdump all packets to the machine from the bridge,
and hope the tcpdump sees the packet inbound at the moment the bridge
blocks the outbound.

D. Stimits, stimits AT comcast DOT net
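One way to do the correlation described in the last paragraph, as an added example that is not part of the original post: it matches each outbound attempt blocked at the bridge (local port 6129 to remote port 220) against the inbound packets the tcpdump saw reach the same host just before, and counts which remote source precedes every block. The log line formats, the addresses and the 2-second window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread). BLOCKED_OUTBOUND mimics the
# bridge firewall's log of the blocked attempt (local port 6129 -> remote 220);
# INBOUND_CAPTURE mimics a tcpdump of everything that reached those hosts.
BLOCKED_OUTBOUND = [
    "2004-01-19 17:00:12 DROP TCP 192.0.2.10:6129 > 198.51.100.7:220",
    "2004-01-19 17:05:40 DROP TCP 192.0.2.11:6129 > 198.51.100.7:220",
    "2004-01-19 17:11:03 DROP TCP 192.0.2.12:6129 > 198.51.100.7:220",
]
INBOUND_CAPTURE = [
    "2004-01-19 17:00:11 TCP 203.0.113.5:41234 > 192.0.2.10:6129",
    "2004-01-19 17:00:11 UDP 203.0.113.40:53 > 192.0.2.10:32771",
    "2004-01-19 17:03:00 TCP 203.0.113.22:4321 > 192.0.2.11:80",
    "2004-01-19 17:05:39 TCP 203.0.113.5:41777 > 192.0.2.11:6129",
    "2004-01-19 17:11:02 TCP 203.0.113.5:42010 > 192.0.2.12:6129",
]

LINE = re.compile(r"^(\S+ \S+) (?:DROP )?(\w+) ([\d.]+):(\d+) > ([\d.]+):(\d+)$")

def parse(line):
    """Turn one log/capture line into a dict; the timestamp becomes a datetime."""
    ts, proto, src, sport, dst, dport = LINE.match(line).groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def correlate(blocked, inbound, window_seconds=2):
    """For every blocked outbound attempt, collect the inbound packets that hit
    the same local host within window_seconds before the block fired."""
    hits = [parse(l) for l in inbound]
    result = []
    for b in (parse(l) for l in blocked):
        lo = b["ts"] - timedelta(seconds=window_seconds)
        prior = [h for h in hits if h["dst"] == b["src"] and lo <= h["ts"] <= b["ts"]]
        result.append((b, prior))
    return result

def suspect_sources(correlated):
    """Count (remote source, local port) pairs seen in the windows; a pair that
    appears before every block is the likely trigger of the outbound attempt."""
    counts = Counter()
    for _, prior in correlated:
        for key in set((h["src"], h["dport"]) for h in prior):
            counts[key] += 1
    return counts
```

With the constructed data, `suspect_sources(correlate(BLOCKED_OUTBOUND, INBOUND_CAPTURE))` ranks the source that hit local port 6129 before all three blocks at the top; the unrelated DNS reply appears only once.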