[lug] outgoing port 220 exploit?

D. Stimits stimits at comcast.net
Tue Jan 20 14:55:10 MST 2004


Kevin Fenzi wrote:

> >>>>>"Jordan" == Jordan Crouse  writes:
>
>
> Jordan> On Tue, 20 Jan 2004 12:47:45 -0700
> Jordan> Kevin Fenzi  wrote:
>
>
> >>The packet comes in to port 6129 on your machines, and they have
> >>setup their incoming packet so the reply goes back to port 220 on
> >>the sending machine (in this case it should be a connection
> >>refused, unless you are running DameWare).
>
>
> Jordan> But incoming packets to 6129 will go to the bit bucket if
> Jordan> there isn't anything running that will listen to them.
>
> not quite in my understanding:
>
> If the firewall isn't denying port 6129, the sequence will be
> something like:
>
> tcp syn from randomip:220 -> hismachine:6129 (first part of tcp handshake)
> tcp rst from hismachine:6129 -> randomip:220 (rst flag set, means
> "connection refused")
>
> So, that could result in a packet that's trapped by his outgoing
> rules that's appearing to go to port 220 on random IPs.


This is what I think is happening, but as a variation. I think 
forwarding that I can't find is going on, though I'm not configured to 
forward. Port 6129 is the local port during a local attempt to send out to 
220; 220 is the destination. I do not know what incoming port is hit during 
that moment.

>
> What happens if you add a specific rule to block port 6129?
> Can you see if the RST flag is set on the packets you are seeing? (I
> don't think ipchains will show you that, but iptables will).

Port 6129 is not the inbound port. I've blocked this and logged it both 
locally and on the transparent bridge firewall. Neither finds 6129 
except during outgoing attempts to reach 220 (which are also blocked).

>
> Jordan> He already said that nothing unusual is running, but it
> Jordan> wouldn't hurt to try a nmap and see if anything pops up in
> Jordan> that port range.
>
> Yeah, or the fuser should show any listening processes for that port.

fuser and lsof and netstat do not show the outgoing. Remember that 
whatever is relaying or otherwise doing this exists only for the length 
of a denied packet. If it is a forward via kernel, then no process will 
even show up. I can guarantee nothing is listening on my local 6129.

>
> Also, are there any windows machines on the local net? Perhaps one of
> them is infected and hitting all the linux machines?

There are win machines, but none are running at the time of testing. 
When the win machines are on, I see their ARP traffic.

D. Stimits, stimits AT comcast DOT net
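Kevin's suggestion to check whether the RST flag is set can be automated against the firewall's own logs. The script below is an added example, not part of the original thread: it parses iptables-style LOG lines (the sample lines, the IN-DROP/OUT-DROP prefixes and the addresses are all constructed here) and separates kernel-generated RST replies to an earlier inbound SYN, which involve no local process, from SYNs that genuinely originate on the local machine.

```python
import re

# Constructed sample iptables LOG lines (not from the original thread): an
# inbound SYN to closed local port 6129 from remote port 220, the kernel's
# RST reply to it, and a genuine locally-originated SYN to port 220.
SAMPLE_LOG = """\
Jan 20 14:50:01 gw kernel: IN-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=220 DPT=6129 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 20 14:50:01 gw kernel: OUT-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=6129 DPT=220 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 20 14:51:30 gw kernel: OUT-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.4 PROTO=TCP SPT=40123 DPT=220 WINDOW=5840 RES=0x00 SYN URGP=0
"""

_KV = re.compile(r"(\w+)=(\S*)")           # KEY=value fields of a LOG line
_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}  # bare flag tokens

def parse_log_line(line):
    """Return src/dst/ports/flags/direction for a TCP LOG line, else None."""
    f = dict(_KV.findall(line))
    if f.get("PROTO") != "TCP":
        return None
    return {"src": f["SRC"], "dst": f["DST"], "spt": int(f["SPT"]),
            "dpt": int(f["DPT"]), "outbound": f.get("OUT", "") != "",
            "flags": {tok for tok in line.split() if tok in _FLAGS}}

def classify_outbound(lines):
    """Label outbound TCP packets: 'refused_reply' for a RST answering an
    earlier inbound SYN (kernel-generated for a closed port, so no process
    ever appears in netstat/lsof/fuser), 'connect_attempt' for a local SYN."""
    inbound_syns = set()   # (remote_ip, remote_port, local_ip, local_port)
    labels = []
    for line in lines:
        p = parse_log_line(line)
        if p is None:
            continue
        if not p["outbound"]:
            if "SYN" in p["flags"] and "ACK" not in p["flags"]:
                inbound_syns.add((p["src"], p["spt"], p["dst"], p["dpt"]))
            continue
        # Reverse the 4-tuple: an RST reply swaps the SYN's endpoints.
        key = (p["dst"], p["dpt"], p["src"], p["spt"])
        if "RST" in p["flags"] and key in inbound_syns:
            label = "refused_reply"
        elif "SYN" in p["flags"] and "ACK" not in p["flags"]:
            label = "connect_attempt"
        else:
            label = "other"
        labels.append((p["dst"], p["spt"], p["dpt"], label))
    return labels
```

Run `classify_outbound(SAMPLE_LOG.splitlines())` to see the first "outgoing to 220" packet labelled as a refused reply and the second as a real connection attempt; on a live box, feed it the kernel log lines from rules that log both directions.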
