|
|
| Applications |
| Mailing Lists |
| Miscellaneous |
| Operating Systems |
| Programming |
Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second
Date: Tue Dec 24 2002 - 00:33:59 EST
Hello All, it's my first post here.
I have a strange problem, which I've never seen before, and never even read about. I hope someone will be able to help me, because my every try to find it out by myself failed.
I scanned localhost TCP ports with nmap and I saw that there's a service listening which I should not have. When I did it once again, it was gone. I did few other scans, and there was nothing more than it should be, but I was already very suspicious.
I wanted to check out what is opening those ports, but
"netstat -tulp" or "lsof -i -n" never shows them (I
ran netstat and lsof with different options in long
loops many times, to make sure to see those ports,
even if they are open only for a fraction of a second,
but I never saw anything).
First I thought that it could be some strange nmap bug, so I tried other scanning methods, like netcat scan: "nc -vzw2 localhost 1-65535"
Netcat shows normally open ports as "localhost [127.0.0.1] 113 (auth) open" but these strange ports are reported as, e.g. "localhost [127.0.0.1] 4546 (?) : Connection reset by peer"
Here are other of my observations:
I ran nmap in a loop scanning TCP ports 1-10000 every
time (first it scanned 1-65535 but higher ports were
never open), and for 1000 ports found, there was 875
unique ones, with lowest 1036 and highest 4989, so
they look quite randomly distributed in this range.
It doesn't matter if I scan 128.0.0.1 or my temporary dialup IP, also other people scanning me remotely from the Internet are finding those strange not-quite-open ports.
So, this is pretty much everything I know.
I was searching the Web and trying to get some help on
IRC, but unfortunately no one knew what I was talking
about. All I've found was Max Gribov's problem, posted
here on Mar 26 2001, which seems to be the same as
what I have here:
http://lists.insecure.org/lists/incidents/2001/Mar/0256.html
There was one answer telling "You are seeing your own port scan and a clear demonstration why nmap to a localhost is not the best thing to do" which is not correct, because those ports are visible also on remote scans (and besides nmap looks for open listening ports and scanning doesn't open any ports for listening to incoming handshakes).
Other answer was "I have seen times where certain linux boxes running X windows will do that but nothing that frequent" but with no more info. Should I not worry, because my box seems to be just a certain Linux box running X, or maybe those certain Linux boxes had some problems other than just running X on Linux?
So, there actually was no meaningful answer to this question. If anyone knows where to look for the answer, please point me to any relevant text I should read.
Of course I'll be glad if anyone posts some quick method to fix it, however I'd rather RTFM and know what's going on, because I'm getting a little bit paranoid when I don't.
Was my system compromised? Is there some stealth backdoor listening on those random ports, which would open a normal TCP connection if only the source port and IP match the right values?
Something like "nc -lp 3333 127.0.0.1 3334" which would drop the connection from anywhere alse than 127.0.0.1:3334, but done in more fancy way, with a direct control over TCP/IP stack and the actual handshake? But if so, then why doesn't it look as a normal closed port? And why half-open SYN scan shows it as closed, unlike the full open TCP scan?
Such a netcat listening as above, is normally detected as open port by half-open SYN, stealth FIN, Xmas Tree, and Null scans, while being detected as open and being closed by TCP connect() scan. Here what I observed is totally different, I only suspect that those port could be possible to open from some attackers IP:port, but maybe I'm being too paranoid.
Half a year ago ago, my outdated Debian Potato box was compromised. Since then, I've read quite a few books and even more online texts about the systems and network security, and started to be extremely paranoid.
Now I have an up-to-date Debian 3.0 Woody stable release, with every security update and with no unneeded services listening. Almost every software is installed from official Debian Woody packages, the only thing I got in /usr/local is mplayer.
A remote login is impossible (it's my personal desktop
box with ppp dialup network connection, to which no
one has any access but me) and still I have long and
random passwords which crack and john are unable to
crack in weeks, having access to /etc/shadow. What
else can I do? I almost can hear Bruce Schneier saying
"Nothing, you're screwed." But really, is having
updated Debian stable as a desktop system not being
paranoid enough? I'm starting to loose any hope.
I really hope that someone will answer something like
"oh, this is only a bug in your kernel/library/etc."
but I have a bad feeling. Sorry for writing such a
long post, but I wanted to write everything I found
out myself about the problem, so you wouldn't have to
waste your time asking about things which I should
write in the first place and without which you're
unable to answer my questions.
Thanks a lot.
By the way, it's a really great list, I often find many things I need in the archives of this one and other SecurityFocus mailing lists. Thanks.
Marry Xmas and Happy new Year!
-Alfaentomega.
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Dec 24 12:11:14 2002
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT
|
Contact Us Legal Notices Order Services Online Pantek Home Privacy Policy IT news Site Map Pantek Library |