[lug] outgoing port 220 exploit?

Kevin Fenzi kevin at scrye.com
Tue Jan 20 13:38:10 MST 2004

Hash: SHA1

>>>>> "Jordan" == Jordan Crouse <jordan at cosmicpenguin.net> writes:

Jordan> On Tue, 20 Jan 2004 12:47:45 -0700
Jordan> Kevin Fenzi <kevin at scrye.com> wrote:

>> The packet comes in to port 6129 on your machines, and they have
>> setup their incoming packet so the reply goes back to port 220 on
>> the sending machine (in this case it should be a connection
>> refused, unless you are running DameWare).

Jordan> But incoming packets to 6129 will go to the bit bucket if
Jordan> there isn't anything running that will listen to them.

not quite in my understanding:

If the firewall isn't denying port 6129, the sequence will be
something like: 

tcp syn from randomip:220 -> hismachine:6129 (first part of tcp handshake)
tcp rst from hismachine:6129 -> randomip:220 (rst flag set, means
"connection refused")

So, that could result in a packet thats trapped by his outgoing
rules thats appearing to go to port 220 on random IP's. 

What happens if you add a specific rule to block port 6129?
Can you see if the RST flag is set on the packets you are seeing? (I
don't think ipchains will show you that, but iptables will). 

Jordan> He already said that nothing unusual is running, but it
Jordan> wouldn't hurt to try a nmap and see if anything pops up in
Jordan> that port range.

Yeah, or the fuser should show any listening processes for that port. 

Also, are there any windows machines on the local net? Perhaps one of
them is infected and hitting all the linux machines?

Jordan> Jordan


Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>


More information about the LUG mailing list