I use a modem connection, which usually lasts a few minutes, and of course, on different IP numbers each time. However, these days I'm observing an unusual number of failed attempts to enter my PC (what for, I wonder?). Usually they go to port 137 (NetBIOS), some to ident, but recently I'm seeing attempts to port 5327 from different hosts.

What the h**k is port 5327 used for? It is not listed in /etc/services.

Usually the firewall rejects them, but you can see in the log below that it accepted some packets (although there was no response, according to iptraf), and that worries me a little. Why does the firewall sometimes accept them and sometimes reject them? (That's the OT question O:-), by the way.)

Dec 4 21:37:57 nimrodel ip-up.local: --> Up ppp0 /dev/ttyS1 115200 Local: 213.99.178.120 Remote: 193.152.21.236 Par:

(It took less than 10 seconds after the connection went up to start!)

Dec 4 21:38:06 nimrodel kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=51122 DF PROTO=TCP SPT=42574 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 4 21:38:06 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=51122 DF PROTO=TCP SPT=42574 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 4 21:38:30 nimrodel kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=51123 DF PROTO=TCP SPT=42574 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 4 21:38:30 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=51123 DF PROTO=TCP SPT=42574 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 4 21:39:23 nimrodel kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=5369 DF PROTO=TCP SPT=42574 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 4 21:39:23 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=5369 DF PROTO=TCP SPT=42574 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 4 21:40:15 nimrodel kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=61619 DF PROTO=TCP SPT=42574 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 4 21:40:15 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=61619 DF PROTO=TCP SPT=42574 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 4 21:40:24 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=210.65.61.71 DST=213.99.178.120 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=18190 PROTO=UDP SPT=1031 DPT=137 LEN=58
Dec 4 21:42:12 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=67.25.69.234 DST=213.99.178.120 LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=28602 PROTO=UDP SPT=1028 DPT=137 LEN=58

--
Cheers,
Carlos Robinson
On Thursday 05 December 2002 00.51, Carlos E. R. wrote:
I use a modem connection, which usually lasts a few minutes, and of course, on different IP numbers each time. However, these days I'm observing an unusual number of failed attempts to enter my PC (what for, I wonder?). Usually they go to port 137 (NetBIOS), some to ident, but recently I'm seeing attempts to port 5327 from different hosts.
What the h**k is port 5327 used for? It is not listed in /etc/services.
The only other instances I can find in a google search are also from people in Spain. They say it's their ISP that scans the port. Could that be true in your case also? Could it be that you all have the same ISP, and that you were issued some windows based software that listens on that port?! Just a thought.

193.152.43.8 belongs to Telefonica De Espana SAU, Red de servicios IP, Spain
Usually the firewall rejects them, but you can see in the log below that it accepted some packets (although there was no response, according to iptraf), and that worries me a little. Why does the firewall sometimes accept them and sometimes reject them? (That's the OT question O:-), by the way.)
Do you have examples of port 5327 being REJECTed? From the log you posted it just looks like you're allowing high ports in your firewall, but blocking the low ports. Nothing surprising there, most firewalls separate ports < 1024 and ports >=1024. The former are supposed to be used by services, while the latter are supposed to be used by user programs. It's not really true anymore, but the distinction lives on, especially in unix based systems.
The 02.12.05 at 01:47, Anders Johansson wrote:
The only other instances I can find in a google search are also from people in Spain. They say it's their ISP that scans the port. Could that be true in your case also? Could it be that you all have the same ISP, and that you were issued some windows based software that listens on that port?! Just a thought.
Well, I'm not running any windows software, but yes, most attempts come from IPs assigned to that provider, but to clients like me. But some come from all around the world; it depends on the hour. Now that you say... yes, most attempts to that port come from IPs from my provider. Yes, that must be it, I'm close to them. That explains it.
Usually the firewall rejects them, but you can see in the log below that it accepted some packets (although there was no response, according to iptraf), and that worries me a little. Why does the firewall sometimes accept them and sometimes reject them? (That's the OT question O:-), by the way.)
Do you have examples of port 5327 being REJECTed? From the log you posted it just looks like you're allowing high ports in your firewall, but blocking the low ports.
That's right. But I thought "SuSE-FW-DROP-DEFAULT" meant rejected, or at least ignored. In fact, these are my rules for high ports:

FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"

--
Cheers,
Carlos Robinson
I use a modem connection, which usually lasts a few minutes, and of course, on different IP numbers each time. However, these days I'm observing an unusual number of failed attempts to enter my PC (what for, I wonder?). Usually they go to port 137 (NetBIOS), some to ident, but recently I'm seeing attempts to port 5327 from different hosts.
Not script kiddies. The NetBIOS one is just Nimda doing its rounds; 5327 I'm not sure. Everyone I know has multiple probes and connection attempts due to worms/robots. Just keep an eye out and don't stress about it. The connection attempts to look out for are multiple attempts on different ports from the same network.
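Three things in this thread can be checked mechanically against the log Carlos posted at the top: Anders' point that the log shows which ports the rules let through, the fact that every 5327 packet appears twice (once as SuSE-FW-ACCEPT, once as SuSE-FW-DROP-DEFAULT, same IP ID, same second), and Rowan's rule of thumb that one source hitting several different ports matters more than many sources hitting one worm port. The following is an added example, not code from the thread or from SuSEfirewall2: a small Python parser for these kernel LOG lines. It groups entries by source, destination, ports and IP ID, so a packet logged by two rules shows up as one packet with an ordered list of prefixes (the last prefix being the best indication of its fate, since LOG rules do not stop rule traversal), tallies packets per destination port, and flags multi-port sources. The first six sample lines are copied from the post; the three lines from 198.51.100.7 are constructed for the example and are not from the thread.

```python
import re
from collections import Counter, defaultdict

# Sample input. The first six lines are copied from the log posted in the
# thread; the three lines from 198.51.100.7 are constructed for this example.
SAMPLE_LOG = """\
Dec 4 21:38:06 nimrodel kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=51122 DF PROTO=TCP SPT=42574 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 4 21:38:06 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=51122 DF PROTO=TCP SPT=42574 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 4 21:38:30 nimrodel kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=51123 DF PROTO=TCP SPT=42574 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 4 21:38:30 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=51123 DF PROTO=TCP SPT=42574 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 4 21:40:24 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=210.65.61.71 DST=213.99.178.120 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=18190 PROTO=UDP SPT=1031 DPT=137 LEN=58
Dec 4 21:42:12 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=67.25.69.234 DST=213.99.178.120 LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=28602 PROTO=UDP SPT=1028 DPT=137 LEN=58
Dec 4 21:43:01 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1001 DF PROTO=TCP SPT=33001 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 4 21:43:01 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1002 DF PROTO=TCP SPT=33002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 4 21:43:02 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=213.99.178.120 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1003 DF PROTO=TCP SPT=33003 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?P<prefix>SuSE-FW-[A-Z-]+)\s+(?P<rest>.*)$"
)
# Bare tokens the LOG target emits without a "KEY=" part.
FLAG_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Turn one kernel LOG line into a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"], "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec.setdefault(key, val)  # UDP lines carry LEN twice; keep the IP one
        elif tok in FLAG_TOKENS:
            rec["flags"].add(tok)
    return rec


def packet_key(rec):
    # IP ID plus the 4-tuple identifies one datagram. The ID wraps at 65536,
    # so over long logs only treat entries close in time as the same packet.
    return (rec["SRC"], rec.get("SPT"), rec["DST"], rec.get("DPT"), rec["PROTO"], rec["ID"])


def group_packets(log_text):
    """Map each packet to the ordered list of log prefixes (rules) that saw it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            hits[packet_key(rec)].append(rec["prefix"])
    return dict(hits)


def final_verdicts(log_text):
    """LOG rules do not terminate rule traversal, so the last prefix logged for
    a packet is the best indication of what happened to it."""
    return {key: prefixes[-1] for key, prefixes in group_packets(log_text).items()}


def summarize_by_port(log_text):
    """Packets per (proto, dport), broken down by final verdict."""
    summary = defaultdict(Counter)
    for (src, spt, dst, dpt, proto, ipid), verdict in final_verdicts(log_text).items():
        summary[(proto, int(dpt))][verdict] += 1
    return dict(summary)


def multi_port_sources(log_text, min_ports=2):
    """Rowan's heuristic: a source that hits several different ports is more
    interesting than many sources each hitting one worm port."""
    ports = defaultdict(set)
    for (src, spt, dst, dpt, proto, ipid) in group_packets(log_text):
        ports[src].add((proto, int(dpt)))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for key, prefixes in group_packets(SAMPLE_LOG).items():
        print(key, "->", " then ".join(prefixes))
    print(summarize_by_port(SAMPLE_LOG))
    print(multi_port_sources(SAMPLE_LOG))
```

Run it against the real log with `group_packets(open("/var/log/messages").read())`; the hostname and prefix pattern are taken from the posted lines, so adjust LINE_RE if your kernel log prefix differs.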
On Thu, 5 Dec 2002 00:51:33 +0100 (CET) "Carlos E. R." <robin1.listas@tiscali.es> wrote:
I use a modem connection, which usually lasts a few minutes, and of course, on different IP numbers each time. However, these days I'm observing an unusual number of failed attempts to enter my PC (what for, I wonder?). Usually they go to port 137 (NetBIOS), some to ident, but recently I'm seeing attempts to port 5327 from different hosts.
What the h**k is port 5327 used for? It is not listed in /etc/services. Usually the firewall rejects them, but you can see in the log below that it accepted some packets (although there was no response, according to
Why don't you run something like ethereal for a bit, and look at what all those packets are? -- use Perl; #powerful programmable prestidigitation
The 02.12.05 at 10:00, zentara wrote:
What the h**k is port 5327 used for? It is not listed in /etc/services. Usually the firewall rejects them, but you can see in the log below that it accepted some packets (although there was no response, according to
Why don't you run something like ethereal for a bit, and look at what all those packets are?
Gosh, nice program! I installed it some time ago, meaning to try it, but I forgot. Couldn't convince sux to run it right now, though; I had to run an alternate xwindows session for root (startx -- :1). Astonishing the amount of passwords in clear that go out (pop3), I was unaware of that :-(

Now I'll have to study the result. I have it running as I write this, 8 minutes now, and I have got some "attempts".

[...]

They seem to come in pairs, one accepted by the firewall, and the next one (same second) dropped. Interestingly, ethereal doesn't see the dropped ones. However, it does log netbios attempts, which are also dropped by the firewall.

Here, this is a printout of one packet (for curiosity's sake only, as I suppose it's way off topic) - but it seems ethereal is not aware of what this port is used for; it does not recognize the protocol:

Frame 92 (62 on wire, 62 captured)
    Arrival Time: Dec 7, 2002 16:15:34.076686000
    Time delta from previous packet: 0.046916000 seconds
    Time relative to first packet: 11.289963000 seconds
    Frame Number: 92
    Packet Length: 62 bytes
    Capture Length: 62 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
    Trailer: 0000
Internet Protocol, Src Addr: ssaflo3.nombres.ttd.es (193.152.43.8), Dst Addr: 213-99-172-164.uc.nombres.ttd.es (213.99.172.164)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 44
    Identification: 0x6dda
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 252
    Protocol: TCP (0x06)
    Header checksum: 0xa248 (correct)
    Source: ssaflo3.nombres.ttd.es (193.152.43.8)
    Destination: 213-99-172-164.uc.nombres.ttd.es (213.99.172.164)
Transmission Control Protocol, Src Port: 39840 (39840), Dst Port: 5327 (5327), Seq: 601107144, Ack: 0, Len: 0
    Source port: 39840 (39840)
    Destination port: 5327 (5327)
    Sequence number: 601107144
    Header length: 24 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8760
    Checksum: 0x083a (correct)
    Options: (4 bytes)
        Maximum segment size: 1460 bytes

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 2c 6d da 40 00 fc 06 a2 48 c1 98 2b 08   E..,m.@....H..+.
0020  d5 63 ac a4 9b a0 14 cf 23 d4 2a c8 00 00 00 00   .c......#.*.....
0030  60 02 22 38 08 3a 00 00 02 04 05 b4 00 00         `."8.:........

--
Cheers,
Carlos Robinson
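The 62 bytes in that hex dump are a Linux cooked-capture header (16 bytes, which is why the "Source" is missing and the link type is 512), a 20-byte IPv4 header, a 24-byte TCP SYN with an MSS option, and 2 bytes of trailer. As an added example (not code from the thread, and not ethereal's own dissector), here is the same frame decoded by hand in Python, with both checksums recomputed from the raw bytes so the "(correct)" annotations can be checked independently; the field names and dict layout are this example's own choices.

```python
import struct

# The 62-byte frame from the ethereal dump above (Linux cooked capture:
# a 16-byte SLL header, then IPv4 and TCP), transcribed from its hex columns.
FRAME = bytes.fromhex(
    "00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00 "
    "45 00 00 2c 6d da 40 00 fc 06 a2 48 c1 98 2b 08 "
    "d5 63 ac a4 9b a0 14 cf 23 d4 2a c8 00 00 00 00 "
    "60 02 22 38 08 3a 00 00 02 04 05 b4 00 00"
)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's-complement sum
    of 16-bit words. Over a header that includes a correct checksum it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_sll(frame):
    """Linux cooked-capture header: packet type, ARPHRD type, address length,
    8 address bytes, and the encapsulated protocol."""
    pkt_type, arphrd, addr_len, _addr, proto = struct.unpack("!HHH8sH", frame[:16])
    return {"packet_type": pkt_type, "arphrd_type": arphrd,
            "addr_len": addr_len, "proto": proto}, frame[16:]


def parse_ipv4(data):
    (vihl, _tos, total_len, ident, flags_frag, ttl, proto,
     hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4
    ip = {
        "version": vihl >> 4, "ihl": ihl, "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "checksum": hdr_csum,
        "checksum_ok": inet_checksum(data[:ihl]) == 0,
    }
    # Anything past total_length is link-layer padding, not IP payload.
    return ip, data[ihl:total_len], data[total_len:], src, dst


def parse_tcp_options(opts):
    """Walk the option list and return the MSS, if present."""
    mss, i = None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += max(length, 2)      # guard against a malformed zero length
    return mss


def parse_tcp(segment, src, dst):
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    doff = (off_flags >> 12) * 4
    flags = [name for bit, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << bit)]
    # The TCP checksum covers a pseudo-header (addresses, protocol, length) plus the segment.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(segment))
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": doff, "flags": flags, "window": win, "urgent": urg,
        "checksum": csum, "checksum_ok": inet_checksum(pseudo + segment) == 0,
        "mss": parse_tcp_options(segment[20:doff]),
        "payload_len": len(segment) - doff,
    }


def decode_frame(frame):
    sll, rest = parse_sll(frame)
    ip, payload, trailer, src, dst = parse_ipv4(rest)
    tcp = parse_tcp(payload, src, dst) if ip["proto"] == 6 else None
    return {"sll": sll, "ip": ip, "tcp": tcp, "trailer": trailer}


if __name__ == "__main__":
    for layer, fields in decode_frame(FRAME).items():
        print(layer, fields)
```

A payload length of 0 with only SYN set is a bare connection attempt; there is nothing in the packet that says what the sender wanted from port 5327, which is consistent with ethereal not recognising the protocol.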
On Sat, 7 Dec 2002 21:42:40 +0100 (CET) "Carlos E. R." <robin1.listas@tiscali.es> wrote:
The 02.12.05 at 10:00, zentara wrote:
Why don't you run something like ethereal for a bit, and look at what all those packets are?
Gosh, nice program! I installed it some time ago, meaning to try it, but I forgot. Couldn't convince sux to run it right now, though; I had to run an alternate xwindows session for root (startx -- :1). Astonishing the amount of passwords in clear that go out (pop3), I was unaware of that :-(
Yeah, I had trouble getting a user to run it too. sudo didn't seem to want to work with it. :-( Yeah, it's a real eye-opener to see all those passwords. You gotta figure the NSA has them all filtered out and stored away. I wonder what you are going to uncover? Maybe some super-secret anti-terrorist backdoor? heh,heh. -- use Perl; #powerful programmable prestidigitation
The 02.12.07 at 18:25, zentara wrote:
Gosh, nice program! I installed it some time ago, meaning to try it, but I forgot. Couldn't convince sux to run it right now, though; I had to run an alternate xwindows session for root (startx -- :1). Astonishing the amount of passwords in clear that go out (pop3), I was unaware of that :-(
Yeah, I had trouble getting a user to run it too. sudo didn't seem to want to work with it. :-(
I convinced sux to run it later. I have to type:

sux -c /usr/X11R6/bin/ethereal

on a console (don't use "&" at the end). I wonder if making ethereal suid would work :-?
Yeah, it's a real eye-opener to see all those passwords. You gotta figure the NSA has them all filtered out and stored away.
I thought mail servers used challenge/response methods that do not need the password to be sent... No, I'm mistaken, that is PAP/CHAP for ppp, not for pop3. I think only one of my mail servers uses such a method, tiscali in fact (Capabilities: SASL CRAM-MD5 DIGEST-MD5 PLAIN). Another says "CAPABILITY STARTTLS IMAP4 IMAP4rev1 LITERAL+ AUTH=LOGIN AUTH=PLAIN AUTH=EXTERNAL", meaning plain password :-( Of course, the messages themselves travel in clear, but if somebody gets my password he may steal my messages, or impersonate me.
I wonder what you are going to uncover? Maybe some super-secret anti-terrorist backdoor? heh,heh.
Yeah, sure X'-) That reminds me: once there were some people that intentionally included sentences like "kill the president" in all their messages, so as to get them tracked, and be a nuisance :-) In fact, what all that tracking may, and does, serve is for industrial and business espionage, by some countries on other countries. Any people involved in real subversive work will use really sophisticated methods, like in the movies or John Le Carre novels.

--
Cheers,
Carlos Robinson
On Sun, 8 Dec 2002 04:07:17 +0100 (CET) "Carlos E. R." <robin1.listas@tiscali.es> wrote:
The 02.12.07 at 18:25, zentara wrote:
Yeah, I had trouble getting a user to run it too. sudo didn't seem to want to work with it. :-(
I convinced sux to run it later. I have to type:
sux -c /usr/X11R6/bin/ethereal
Yeah, that's because the path for root is real limited when you run sux.
I thought mail servers used challenge/response methods that do not need the password to be sent... No, I'm mistaken, that is PAP/CHAP for ppp, not for pop3. I think only one of my mail servers uses such a method, tiscali in fact (Capabilities: SASL CRAM-MD5 DIGEST-MD5 PLAIN). Another says "CAPABILITY STARTTLS IMAP4 IMAP4rev1 LITERAL+ AUTH=LOGIN AUTH=PLAIN AUTH=EXTERNAL", meaning plain password :-(
APOP does encrypt passwords, but not many ISPs use it. qpopper has APOP ability built in and it works fine. I don't know why more ISPs don't allow it?
Of course, the messages themselves travel in clear, but if somebody gets my password he may steal my messages, or impersonate me.
Well, the ISPs can still trace the origin of mails to the IP number that originated them, so it is wise to have a pop3 password that is different from your logon password. All this sloppiness with clear-text passwords will make it difficult for anyone to prove anything in court regarding emails, unless they have all the logon records and phone logs.
In fact, what all that tracking may, and does, serve is for industrial and business espionage, by some countries on other countries. Any people involved in real subversive work will use really sophisticated methods, like in the movies or John Le Carre novels.
I don't know about that anymore. There is a new government program here in the US, that wants to track each and every purchase you make online. Something about "anti-terrorism". I've learned 1 thing about the government, they only talk about it, 20 years after they've already done it. So they've probably been tracking all net traffic and scanning it for years. -- use Perl; #powerful programmable prestidigitation
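The exchange above compares three ways a mail client can authenticate: AUTH PLAIN (what the second server's capability list offers), APOP (what zentara mentions qpopper supports) and CRAM-MD5 (what the tiscali server advertises). As an added example, not code from the thread, from qpopper or from any mail client, the following Python shows what each mechanism actually puts on the wire for one session, plus the server-side check for CRAM-MD5 so the trade-off is visible: the password never crosses the wire, but the server has to keep a plaintext-equivalent secret to verify it. The user name carlos, the password s3cret and the host pop.example.org are made up for the example; the APOP timestamp and digest used as a known-answer check are the worked example from RFC 1939 section 7.

```python
import base64
import hashlib
import hmac
import secrets
import time


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def unb64(token: str) -> str:
    return base64.b64decode(token).decode()


def sasl_plain(user, password, authzid=""):
    """AUTH PLAIN (RFC 4616): base64 of authzid NUL authcid NUL password.
    Base64 is only an encoding; a sniffer decodes it in one step."""
    return b64(f"{authzid}\0{user}\0{password}")


def decode_plain(token):
    """What a passive observer gets back from an AUTH PLAIN token."""
    _authzid, user, password = unb64(token).split("\0")
    return user, password


def apop_digest(banner_timestamp, password):
    """APOP (RFC 1939 section 7): hex MD5 of the server's <timestamp> banner
    followed by the shared secret. The secret itself never leaves the client."""
    return hashlib.md5((banner_timestamp + password).encode()).hexdigest()


def cram_md5_response(user, password, challenge_b64):
    """CRAM-MD5 (RFC 2195): HMAC-MD5 keyed with the password over the decoded
    challenge, sent as base64("user hexdigest")."""
    digest = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return b64(f"{user} {digest}")


def cram_md5_verify(response_b64, challenge_b64, lookup_secret):
    """Server side. The price of not sending the password is that the server
    must hold a plaintext-equivalent secret to recompute the HMAC."""
    user, _, digest = unb64(response_b64).rpartition(" ")
    secret = lookup_secret(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def new_challenge(hostname):
    """Fresh per-session challenge in the <random.time@host> shape both RFCs use,
    so a captured response cannot be replayed against a later session."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>"


def on_the_wire(user, password, challenge):
    """The client's authentication line under each mechanism, for one session."""
    return {
        "PLAIN": "AUTH PLAIN " + sasl_plain(user, password),
        "APOP": f"APOP {user} {apop_digest(challenge, password)}",
        "CRAM-MD5": cram_md5_response(user, password, b64(challenge)),
    }


def password_visible(wire_line, password):
    """True if the password can be read straight off the line, raw or base64."""
    candidates = [wire_line]
    for tok in wire_line.split():
        try:
            candidates.append(unb64(tok))
        except (ValueError, UnicodeDecodeError):
            pass
    return any(password in c for c in candidates)


if __name__ == "__main__":
    challenge = new_challenge("pop.example.org")   # example host, not a real server
    for mech, line in on_the_wire("carlos", "s3cret", challenge).items():
        print(f"{mech:9s} {line}   password visible: {password_visible(line, 's3cret')}")
```

APOP and CRAM-MD5 only stop a passive listener from reading the password off the wire. Whoever captures one challenge/response pair can still run an offline dictionary attack against it, MD5 is not a strength here, and the server must store the secret in recoverable form. The STARTTLS the second server advertises addresses all of that by encrypting the whole session, including the message bodies Carlos notes still travel in the clear.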
participants (4): Anders Johansson, Carlos E. R., Rowan Reid, zentara