It appears that the 788 is a mask, the source is originating a poke at
starting a custom port. We have a firewall that proxies to web and uses
a port over the 1000 to track which proxy goes where. The site that our
proxies are going to would see packets coming from our ip G.H.I.K (1000)
to their ip Q.R.S.T(80). I would not worry about the source.
What I would ask is why are they picking random destination ports? I
think that the answer would be that they are fishing for a response. We
have custom ports that we allow our "Extranet" users to come in on. I
would suspect that "they" are poking around looking for a response.
Nick Giesinger
SHL SystemHouse LTD
-----Original Message-----
From: kees_at_echelon.nl [SMTP:kees_at_echelon.nl]
Sent: Thursday, September 18, 1997 3:40 PM
To: firewall-wizards_at_nfr.net
Subject: Port 788 (Was: hitting the "on" switch)
Marcus J. Ranum wrote:
> Anyhow, welcome to the list. The floor is yours.
Thank you :-)
I'm puzzled by the following log entries from my Cisco (edited):
Sep 3 21:46:13 tcp A.B.C.D(788) -> Z.Z.Z.116(2148), 1 packet
Sep 5 05:05:50 tcp A.B.C.D(788) -> Z.Z.Z.116(1596), 1 packet
Sep 5 18:35:16 tcp A.B.C.D(788) -> Z.Z.Z.116(1564), 1 packet
Sep 7 01:37:53 tcp A.B.C.D(788) -> Z.Z.Z.116(2144), 1 packet
Sep 7 08:30:54 tcp A.B.C.D(788) -> Z.Z.Z.116(2488), 1 packet
Sep 7 23:07:25 tcp A.B.C.D(788) -> Z.Z.Z.116(2336), 1 packet
Sep 8 05:35:11 tcp A.B.C.D(788) -> Z.Z.Z.116(1600), 1 packet
Sep 8 06:08:53 tcp A.B.C.D(788) -> Z.Z.Z.116(1540), 1 packet
Sep 9 01:32:47 tcp E.F.G.H(788) -> Z.Z.Z.116(1560), 1 packet
Sep 9 01:38:37 tcp E.F.G.H(788) -> Z.Z.Z.116(1560), 1 packet
Sep 9 19:56:37 tcp A.B.C.D(788) -> Z.Z.Z.116(1752), 1 packet
Sep 10 03:31:47 tcp A.B.C.D(788) -> Z.Z.Z.116(2396), 1 packet
In July and August only A.B.C.D was sending these packets; now I have
two of them. Any ideas what these guys are trying to do? As far as I
know, there are no well-known services using port 788.
By the way, Z.Z.Z.116 has never been in active use.
--
Kees Hendrikse | email: kees_at_echelon.nl
ECHELON consultancy and software development | phone: +31 (0)53 48 36 585
PO Box 545, 7500AM Enschede, The Netherlands | fax: +31 (0)53 43 37 415
Received on Sep 19 1997
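Added example, not part of either message: a small Python summarizer for the log excerpt in the thread, grouping entries by destination and source port to show the pattern under discussion (one fixed source port, many destination ports, a target the poster says was never in active use). The function names and the `unused_hosts` parameter are hypothetical, and the regex assumes the edited log format exactly as posted.

```python
import re
from collections import defaultdict
# Log lines copied from the post above (addresses as anonymized by the poster).
SAMPLE = """\
Sep 3 21:46:13 tcp A.B.C.D(788) -> Z.Z.Z.116(2148), 1 packet
Sep 5 05:05:50 tcp A.B.C.D(788) -> Z.Z.Z.116(1596), 1 packet
Sep 5 18:35:16 tcp A.B.C.D(788) -> Z.Z.Z.116(1564), 1 packet
Sep 7 01:37:53 tcp A.B.C.D(788) -> Z.Z.Z.116(2144), 1 packet
Sep 7 08:30:54 tcp A.B.C.D(788) -> Z.Z.Z.116(2488), 1 packet
Sep 7 23:07:25 tcp A.B.C.D(788) -> Z.Z.Z.116(2336), 1 packet
Sep 8 05:35:11 tcp A.B.C.D(788) -> Z.Z.Z.116(1600), 1 packet
Sep 8 06:08:53 tcp A.B.C.D(788) -> Z.Z.Z.116(1540), 1 packet
Sep 9 01:32:47 tcp E.F.G.H(788) -> Z.Z.Z.116(1560), 1 packet
Sep 9 01:38:37 tcp E.F.G.H(788) -> Z.Z.Z.116(1560), 1 packet
Sep 9 19:56:37 tcp A.B.C.D(788) -> Z.Z.Z.116(1752), 1 packet
Sep 10 03:31:47 tcp A.B.C.D(788) -> Z.Z.Z.116(2396), 1 packet
"""

# Matches only the edited format shown in the post; raw router output may differ.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+\w+\s+(?P<src>\S+?)\((?P<sport>\d+)\)"
    r"\s+->\s+(?P<dst>\S+?)\((?P<dport>\d+)\),\s+\d+\s+packets?$")

def parse(text):
    """Return (src, sport, dst, dport) for every line in the posted format."""
    hits = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            for m in hits if m]

def summarize(records, unused_hosts=frozenset()):
    """Group by (destination, source port) and describe each group."""
    groups = defaultdict(lambda: {"sources": set(), "dports": []})
    for src, sport, dst, dport in records:
        groups[(dst, sport)]["sources"].add(src)
        groups[(dst, sport)]["dports"].append(dport)
    return {
        key: {
            "hits": len(g["dports"]),
            "sources": sorted(g["sources"]),
            "distinct_dports": len(set(g["dports"])),
            "dport_range": (min(g["dports"]), max(g["dports"])),
            "dst_unused": key[0] in unused_hosts,  # traffic to a dark address
        }
        for key, g in groups.items()
    }

if __name__ == "__main__":
    for key, info in summarize(parse(SAMPLE), {"Z.Z.Z.116"}).items():
        print(key, info)
```

Every destination port in the excerpt falls between 1540 and 2488, the kind of high port a client would pick as its own source port, which is consistent with the reply's reading of 788 as the originating side's port.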