Re: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second

From: Pavel Kankovsky <peak(at)argo.troja.mff.cuni.cz>
Date: Thu Dec 26 2002 - 10:50:51 EST

On Mon, 23 Dec 2002, alfaentomega wrote:

> First I thought that they may be some ports, which are

Your local port range (/proc/sys/net/ipv4/ip_local_port_range) is 1024-5000, right? You are probably seeing some autobound sockets.

Hypothesis: one of the services listening on your machine opens a short-lived listening sockets on an automatically assigned port (ie. in 1024-5000 range) when it accepts a connection. This would explain why SYN scan does not trigger it but connect() scan does.

Try this:
  for each port p in 1-1023

     perform a connect() scan of p and 1024-5000

Only a small set of p, perhaps a single value of p--the hypothetic offending service (see above)--should make the mysterious listening port appear.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Fri Dec 27 11:55:45 2002