Security Incidents mailing list archives
Odd ports...but non-incident
From: "Bob Hillery" <rhillery () tec nh us>
Date: Sun, 29 Jul 2001 20:14:25 -0400
Not exactly an incident (after checking it out), but it appears the
LinkSys cable router logging tool dynamically opens TCP & UDP low
ephemeral ports to connect w/ its directory...which I didn't tell it,
so the path for "put"-ing the log append is in the traffic. PRESUMING
the LinkSys does its job ("warning, Will Robinson!"), that won't be
seen outside unless the logging machine is also the DMZ or exposed by
forwarding (dumb).
Note listening ports associated w/ LinkSys Log Viewer (from IOS
1.33.1 & usable in all subsequent IOS versions):
BEFORE Log Viewer active:
C:\WINDOWS>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:110 0.0.0.0:0 LISTENING
TCP 192.168.205.2:137 0.0.0.0:0 LISTENING
TCP 192.168.205.2:138 0.0.0.0:0 LISTENING
TCP 192.168.205.2:139 0.0.0.0:0 LISTENING
UDP 192.168.205.2:137 *:*
UDP 192.168.205.2:138 *:*
AFTER Log Viewer active:
C:\WINDOWS>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:162 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1271 0.0.0.0:0 LISTENING
TCP 127.0.0.1:110 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1269 127.0.0.1:110 TIME_WAIT
TCP 192.168.xxx.xxx:137 0.0.0.0:0 LISTENING
TCP 192.168.xxx.xxx:138 0.0.0.0:0 LISTENING
TCP 192.168.xxx.xxx:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:162 *:*
UDP 0.0.0.0:1271 *:*
UDP 192.168.xxx.xxx:137 *:*
UDP 192.168.xxx.xxx:138 *:*
BOTH TCP and UDP ports 162 and a low ephemeral (in this case 1271, but
have seen others based on what's next in the queue) are used.
162 is, of course, the SNMP trap which is used for the LinkSys logger.
1271 (etc.) appears to be the log reporting/update/append port. This
is "normal behavior" with the log viewer enabled. It's also another
darned port opened, w/ dynamic assignment no less, that bears
watching.
Bob Hillery, GSEC, GCIA, etc...
Quis custodiet ipsos custodes ?
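One way to catch listeners like these automatically, as an added example that is not part of the post: a Python script that parses two Windows "netstat -an" snapshots, diffs them, and labels every new listener by bind scope (all interfaces vs. loopback vs. one address) and port range. The embedded snapshots are constructed from the post's output; the redacted 192.168.xxx.xxx address is assumed to be the 192.168.205.2 of the first listing.

```python
import re
from typing import NamedTuple
Listener = NamedTuple("Listener", [("proto", str), ("addr", str), ("port", int)])
# One Windows "netstat -an" row: Proto, Local Address, Foreign Address, [State]
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_listeners(netstat_output: str) -> set:
    """Sockets that accept inbound packets: TCP rows in LISTENING plus every
    UDP row (UDP carries no state, so any bound port is reachable)."""
    found = set()
    for line in netstat_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # prompt, headers, blank lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # TIME_WAIT etc. are not listeners
        found.add(Listener(proto, addr, int(port)))
    return found

def classify(sock: Listener) -> str:
    """0.0.0.0 binds answer on every interface, which is what bears watching
    if the host is ever forwarded to; ports >= 1024 are treated as dynamic."""
    if sock.addr == "0.0.0.0":
        scope = "all-interfaces"
    elif sock.addr.startswith("127."):
        scope = "loopback-only"
    else:
        scope = "single-interface"
    return f"{scope} {'ephemeral' if sock.port >= 1024 else 'well-known'}"

def new_listeners(before: str, after: str) -> dict:
    """Listeners present in the second snapshot only, each with its label."""
    added = parse_listeners(after) - parse_listeners(before)
    return {sock: classify(sock) for sock in sorted(added)}

# Constructed snapshots modelled on the post; the redacted 192.168.xxx.xxx
# address is assumed to be the 192.168.205.2 of the first snapshot.
BEFORE = """Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
  TCP    192.168.205.2:139      0.0.0.0:0              LISTENING
  UDP    192.168.205.2:137      *:*
"""
AFTER = BEFORE + """  TCP    0.0.0.0:162            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1271           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1269         127.0.0.1:110          TIME_WAIT
  UDP    0.0.0.0:162            *:*
  UDP    0.0.0.0:1271           *:*
"""
if __name__ == "__main__":
    for sock, label in new_listeners(BEFORE, AFTER).items():
        print(f"NEW {sock.proto} {sock.addr}:{sock.port}  ({label})")
```

Run it against real snapshots by saving "netstat -an" output to two files and passing their contents to new_listeners; the TIME_WAIT row is deliberately ignored so client-side leftovers do not masquerade as new listeners.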
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com