LinuxSA Mailing list archives

  From: Alan Kennington <akenning@dog.topology.org>
  To  : LinuxSA <linuxsa@linuxsa.org.au>
  Date: Thu, 25 Nov 1999 20:36:33 +1030

linuxconf port 98 - huh?

Internet security experts:

Just today, for the first time in 12 months after setting
up my little network (a humble 66 MHz 486 with a 33.6k modem etc.),
I put in a certain kind of trap for hackers, after someone
last night made a concerted hacking attempt via a machine they
hacked in Texas (archive.croute.com).

When I put in this little trip-wire, within a couple of hours,
I got something interesting:  someone doing a port scan of
TCP port 98.
In /etc/services, there is a line right at the end saying:

============================================================
# End of services.
linuxconf       98/tcp          # added by linuxconf RPM
============================================================

I already spend a huuuuuuge amount of time administering
a trivial network, due to all these would-be vandals
roaming around the net. So I'm reluctant to go trawling round
the zillions of documents etc. about linuxconf.
(There's no "man linuxconf".)

So could some generous person tell me why:

1.	linuxconf feels the need to sit around waiting for
	connections on port 98?
2.	anyone would want to scan this port?
	Is there some known vulnerability here?
	Or are they just collecting stats for
	scientific purposes?

Here's a summary of the tcpdump:

============================================================
20:00:33.150000 63.79.164.7.4050 > 203.38.148.49.98: S 893388591:893388591(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.150000 203.38.148.49.98 > 63.79.164.7.4050: R 0:0(0) ack 893388592 win 0
20:00:33.160000 63.79.164.7.4052 > 203.38.148.51.98: S 898309159:898309159(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.160000 203.38.148.51.98 > 63.79.164.7.4052: S 777842397:777842397(0) ack 898309160 win 32736 <mss 1460>
20:00:33.180000 63.79.164.7.4051 > 203.38.148.50.98: S 898014949:898014949(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.180000 203.38.148.51 > 63.79.164.7: icmp: host 203.38.148.50 unreachable [tos 0xc0]
20:00:33.200000 63.79.164.7.4053 > 203.38.148.52.98: S 889925529:889925529(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.200000 203.38.148.52.98 > 63.79.164.7.4053: R 0:0(0) ack 889925530 win 0
20:00:33.220000 63.79.164.7.4058 > 203.38.148.57.98: S 891398764:891398764(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.220000 63.79.164.7.4059 > 203.38.148.58.98: S 902523281:902523281(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.230000 63.79.164.7.4061 > 203.38.148.60.98: S 894766043:894766043(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.240000 63.79.164.7.4060 > 203.38.148.59.98: S 890566327:890566327(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.240000 63.79.164.7.4062 > 203.38.148.61.98: S 901405224:901405224(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.250000 63.79.164.7.4063 > 203.38.148.62.98: S 897722447:897722447(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.260000 63.79.164.7.4064 > 203.38.148.63.98: S 896190709:896190709(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.660000 63.79.164.7.4052 > 203.38.148.51.98: . ack 1 win 32120 (DF)
20:00:33.900000 63.79.164.7.4052 > 203.38.148.51.98: F 1:1(0) ack 1 win 32120 (DF)
20:00:33.900000 203.38.148.51.98 > 63.79.164.7.4052: . ack 2 win 32735 (DF)
20:00:35.830000 203.38.148.51.98 > 63.79.164.7.4052: F 1:1(0) ack 2 win 32736
20:00:36.120000 63.79.164.7.4058 > 203.38.148.57.98: S 891398764:891398764(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.130000 63.79.164.7.4059 > 203.38.148.58.98: S 902523281:902523281(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.140000 63.79.164.7.4060 > 203.38.148.59.98: S 890566327:890566327(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.160000 63.79.164.7.4049 > 203.38.148.48.98: S 892406226:892406226(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.170000 63.79.164.7.4061 > 203.38.148.60.98: S 894766043:894766043(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.170000 63.79.164.7.4054 > 203.38.148.53.98: S 895986283:895986283(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.170000 203.38.148.51 > 63.79.164.7: icmp: host 203.38.148.53 unreachable [tos 0xc0]
20:00:36.180000 63.79.164.7.4056 > 203.38.148.55.98: S 894311268:894311268(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.190000 63.79.164.7.4055 > 203.38.148.54.98: S 892607099:892607099(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.200000 63.79.164.7.4057 > 203.38.148.56.98: S 895679703:895679703(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.210000 63.79.164.7.4062 > 203.38.148.61.98: S 901405224:901405224(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.210000 63.79.164.7.4063 > 203.38.148.62.98: S 897722447:897722447(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.220000 63.79.164.7.4064 > 203.38.148.63.98: S 896190709:896190709(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.280000 63.79.164.7.4052 > 203.38.148.51.98: . ack 2 win 32120 (DF)
=================================================================

Boring, no?

TCP port 98 is now another port on my list of things
to close off.

Cheers,
Alan Kennington.

--------------------------------------------------------------------
   name: Dr. Alan Kennington
 e-mail: akenning@dog.topology.org
website: http://topology.org/
   city: Adelaide, South Australia
 coords: 34.89744 S, 138.58970 E
pgp-key: http://topology.org/key_ak1.asc
company: Topology Technology Australia Pty. Ltd.
    ACN: 090 599 152
saying1: `The Internet is the parliament of the people.' ak 28/5/1999.
saying2: `Seek truth from facts.' mao or deng, 1970s?
saying3: `Let a 1000 flowers bloom, let a 1000 schools contend.' mao, 1970s?
saying4: `Cut down the tall poppies.' mao, a few months later.

-- 
LinuxSA WWW: http://www.linuxsa.org.au/  IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
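Read as a defender would, the capture above shows one source (63.79.164.7) sending a SYN to TCP port 98 on each host in 203.38.148.48 through .63 within about three seconds. Only 203.38.148.51 answers SYN/ACK (something is listening there, and the scanner completes and then closes the connection); .49 and .52 answer RST (closed); the ICMP "host unreachable" errors for .50 and .53 come from .51; every other address never answers, so the scanner retransmits its SYNs three seconds later. The Python script below is an added example, not part of the original post and not a tool the author used. It parses this classic tcpdump text format into a per-host verdict (open, closed, unreachable, no response) and flags the one-port, many-hosts pattern as a horizontal sweep. The thresholds `min_hosts` and `window_seconds` are assumed values chosen for illustration, and `SAMPLE` is a subset of the post's own capture.

```python
"""Summarise a SYN sweep from tcpdump text output (1999-era format:
"HH:MM:SS.ffffff a.b.c.d.sport > w.x.y.z.dport: FLAGS ...").

Added example; the thresholds below are assumptions, not anything from
the original post or from tcpdump itself."""
import re
from collections import defaultdict

# A subset of the capture quoted in the post (one scanner, one target port).
SAMPLE = """\
20:00:33.150000 63.79.164.7.4050 > 203.38.148.49.98: S 893388591:893388591(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.150000 203.38.148.49.98 > 63.79.164.7.4050: R 0:0(0) ack 893388592 win 0
20:00:33.160000 63.79.164.7.4052 > 203.38.148.51.98: S 898309159:898309159(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.160000 203.38.148.51.98 > 63.79.164.7.4052: S 777842397:777842397(0) ack 898309160 win 32736 <mss 1460>
20:00:33.180000 63.79.164.7.4051 > 203.38.148.50.98: S 898014949:898014949(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.180000 203.38.148.51 > 63.79.164.7: icmp: host 203.38.148.50 unreachable [tos 0xc0]
20:00:33.200000 63.79.164.7.4053 > 203.38.148.52.98: S 889925529:889925529(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.200000 203.38.148.52.98 > 63.79.164.7.4053: R 0:0(0) ack 889925530 win 0
20:00:33.220000 63.79.164.7.4058 > 203.38.148.57.98: S 891398764:891398764(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.220000 63.79.164.7.4059 > 203.38.148.58.98: S 902523281:902523281(0) win 32120 <mss 1460,sackOK,timestamp 5733029 0,nop,wscale 0> (DF)
20:00:33.660000 63.79.164.7.4052 > 203.38.148.51.98: . ack 1 win 32120 (DF)
20:00:36.120000 63.79.164.7.4058 > 203.38.148.57.98: S 891398764:891398764(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.160000 63.79.164.7.4049 > 203.38.148.48.98: S 892406226:892406226(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.170000 63.79.164.7.4054 > 203.38.148.53.98: S 895986283:895986283(0) win 32120 <mss 1460,sackOK,timestamp 5733329 0,nop,wscale 0> (DF)
20:00:36.170000 203.38.148.51 > 63.79.164.7: icmp: host 203.38.148.53 unreachable [tos 0xc0]
"""

# TCP line: timestamp, "src.sport > dst.dport:", then the flag string and the rest.
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SRFP.]+) (?P<rest>.*)$"
)
# ICMP host-unreachable line emitted by a router or gateway on the path.
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"icmp: host (?P<host>\d+(?:\.\d+){3}) unreachable"
)


def _seconds(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight (float)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _is_syn_probe(flags, tokens):
    """A bare SYN (no ack) is a connection attempt from the scanner."""
    return "S" in flags and "ack" not in tokens


def classify_targets(capture):
    """Return {target_ip: state} for every host that received a SYN.

    state is 'open' (SYN/ACK came back), 'closed' (RST came back),
    'unreachable' (ICMP host unreachable arrived for it) or 'no-response'."""
    probed = {}   # target -> (scanner, target port) of the first SYN seen
    state = {}
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if m:
            flags, tokens = m["flags"], m["rest"].split()
            if _is_syn_probe(flags, tokens):
                probed.setdefault(m["dst"], (m["src"], m["dport"]))
                state.setdefault(m["dst"], "no-response")
            elif probed.get(m["src"]) == (m["dst"], m["sport"]):
                # A reply from a probed target on the probed port, back to the scanner.
                if "S" in flags and "ack" in tokens:
                    state[m["src"]] = "open"
                elif "R" in flags:
                    state[m["src"]] = "closed"
            continue
        m = ICMP_RE.match(line)
        if m and m["host"] in probed:
            state[m["host"]] = "unreachable"
    return state


def detect_sweeps(capture, min_hosts=5, window_seconds=10.0):
    """Flag (scanner, port) pairs that SYN-probed at least min_hosts distinct
    hosts inside a window_seconds sliding window: a horizontal sweep.
    Both thresholds are assumed values for this example."""
    probes = defaultdict(list)   # (scanner, dport) -> [(time, target), ...]
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if m and _is_syn_probe(m["flags"], m["rest"].split()):
            probes[(m["src"], m["dport"])].append((_seconds(m["ts"]), m["dst"]))
    alerts = []
    for (scanner, port), events in probes.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {host for when, host in events[i:] if when - start <= window_seconds}
            if len(hosts) >= min_hosts:
                alerts.append({"scanner": scanner, "port": port, "hosts": len(hosts)})
                break   # one alert per (scanner, port) is enough
    return alerts


if __name__ == "__main__":
    for target, verdict in sorted(classify_targets(SAMPLE).items()):
        print(f"{target:16} {verdict}")
    for alert in detect_sweeps(SAMPLE):
        print(f"sweep: {alert['scanner']} hit port {alert['port']} on {alert['hosts']} hosts")
```

The substring test for "ack" is done on whitespace-split tokens rather than with `in` on the raw string, because every SYN probe in this capture carries `sackOK` in its TCP options and a naive substring match would misclassify the scanner's own SYNs as SYN/ACKs. Note also that a "no-response" verdict means no reply before the scanner gave up or retransmitted; it does not distinguish an absent host from one behind a packet filter that silently drops.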
