port 113 hits

Discussion in 'Computer Security' started by reshman, Oct 17, 2003.

  1. reshman

    reshman Guest

    Anyone have any ideas why I would be seeing hits directed to my on port
    113 -- all around the same time? Would this have anything to do with doing
    a make for a port out of the ports package???

    Thanks!

    -Mike

    21:49:25.439687 204.152.189.120.36950 > x.x.x.x.113: SWE 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556088 0,nop,wscale 0> (DF)
    21:49:28.434534 204.152.189.120.36950 > x.x.x.x.113: SWE 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556388 0,nop,wscale 0> (DF)
    21:49:34.437467 204.152.189.120.36950 > x.x.x.x.113: SWE 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556988 0,nop,wscale 0> (DF)
    21:49:52.223520 212.50.10.144.51429 > x.x.x.x.113: S 2262108815:2262108815(0) win 5840 <mss 1460,sackOK,timestamp 334979793 0,nop,wscale 0> (DF) [tos 0x80]
    21:49:55.215158 212.50.10.144.51429 > x.x.x.x.113: S 2262108815:2262108815(0) win 5840 <mss 1460,sackOK,timestamp 334980093 0,nop,wscale 0> (DF) [tos 0x80]
    21:50:01.214326 212.50.10.144.51429 > x.x.x.x.113: S 2262108815:2262108815(0) win 5840 <mss 1460,sackOK,timestamp 334980693 0,nop,wscale 0> (DF) [tos 0x80]
    21:50:08.110055 200.89.74.17.1288 > x.x.x.x.113: S 3341661485:3341661485(0) win 5840 <mss 1380,sackOK,timestamp 536892450 0,nop,wscale 0> (DF)
    21:50:11.107743 200.89.74.17.1288 > x.x.x.x.113: S 3341661485:3341661485(0) win 5840 <mss 1380,sackOK,timestamp 536892750 0,nop,wscale 0> (DF)
    21:50:17.107070 200.89.74.17.1288 > x.x.x.x.113: S 3341661485:3341661485(0) win 5840 <mss 1380,sackOK,timestamp 536893350 0,nop,wscale 0> (DF)
    21:50:31.272679 195.113.161.73.35431 > x.x.x.x.113: SWE 1772927044:1772927044(0) win 5840 <mss 1460,sackOK,timestamp 143467926 0,nop,wscale 0> (DF)
    21:50:34.271355 195.113.161.73.35431 > x.x.x.x.113: SWE 1772927044:1772927044(0) win 5840 <mss 1460,sackOK,timestamp 143468226 0,nop,wscale 0> (DF)
    21:50:40.272963 195.113.161.73.35431 > x.x.x.x.113: SWE 1772927044:1772927044(0) win 5840 <mss 1460,sackOK,timestamp 143468826 0,nop,wscale 0> (DF)
    21:50:50.507109 194.192.187.79.48444 > x.x.x.x.113: S 4051693887:4051693887(0) win 5840 <mss 1460,sackOK,timestamp 541401740 0,nop,wscale 0> (DF)
    21:50:53.503095 194.192.187.79.48444 > x.x.x.x.113: S 4051693887:4051693887(0) win 5840 <mss 1460,sackOK,timestamp 541402040 0,nop,wscale 0> (DF)
    21:50:59.501702 194.192.187.79.48444 > x.x.x.x.113: S 4051693887:4051693887(0) win 5840 <mss 1460,sackOK,timestamp 541402640 0,nop,wscale 0> (DF)
    21:51:04.856518 150.244.30.38.38896 > x.x.x.x.113: SWE 3991035608:3991035608(0) win 5840 <mss 1460,sackOK,timestamp 92006782 0,nop,wscale 1> (DF)
    21:51:07.854746 150.244.30.38.38896 > x.x.x.x.113: SWE 3991035608:3991035608(0) win 5840 <mss 1460,sackOK,timestamp 92007082 0,nop,wscale 1> (DF)
    21:51:13.853151 150.244.30.38.38896 > x.x.x.x.113: SWE 3991035608:3991035608(0) win 5840 <mss 1460,sackOK,timestamp 92007682 0,nop,wscale 1> (DF)
    21:51:19.770478 212.27.32.66.45304 > x.x.x.x.113: S 2373501279:2373501279(0) win 5840 <mss 1460,sackOK,timestamp 135424502 0,nop,wscale 0> (DF)
    21:51:22.765533 212.27.32.66.45304 > x.x.x.x.113: S 2373501279:2373501279(0) win 5840 <mss 1460,sackOK,timestamp 135424802 0,nop,wscale 0> (DF)
    21:51:28.763736 212.27.32.66.45304 > x.x.x.x.113: S 2373501279:2373501279(0) win 5840 <mss 1460,sackOK,timestamp 135425402 0,nop,wscale 0> (DF)
    21:52:57.302026 130.239.18.137.33709 > x.x.x.x.113: S 2240511777:2240511777(0) win 65535 <mss 1448,nop,wscale 2,nop,nop,timestamp 1068794865 0>
    21:53:03.217878 130.239.18.137.33709 > x.x.x.x.113: S 2240511777:2240511777(0) win 65535 <mss 1448,nop,wscale 2,nop,nop,timestamp 1068794876 0>
    21:53:09.977973 164.8.6.249.37812 > x.x.x.x.113: S 1734835097:1734835097(0) win 5840 <mss 1460,sackOK,timestamp 99930917 0,nop,wscale 0> (DF)
    21:53:12.970276 164.8.6.249.37812 > x.x.x.x.113: S 1734835097:1734835097(0) win 5840 <mss 1460,sackOK,timestamp 99931217 0,nop,wscale 0> (DF)
    21:53:27.671416 203.8.116.111.53094 > x.x.x.x.113: SWE 3187565637:3187565637(0) win 5840 <mss 1460,sackOK,timestamp 515950438 0,nop,wscale 0> (DF)
    21:53:30.666828 203.8.116.111.53094 > x.x.x.x.113: SWE 3187565637:3187565637(0) win 5840 <mss 1460,sackOK,timestamp 515950738 0,nop,wscale 0> (DF)
    21:53:36.665948 203.8.116.111.53094 > x.x.x.x.113: SWE 3187565637:3187565637(0) win 5840 <mss 1460,sackOK,timestamp 515951338 0,nop,wscale 0> (DF)
    21:56:17.252274 200.203.120.200.1649 > x.x.x.x.1434: udp 376
    22:05:56.676950 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
    22:05:59.668883 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
    22:06:02.668756 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
    22:06:05.668668 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
    reshman, Oct 17, 2003
    #1
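An added script, not from the thread, that parses the tcpdump lines above, groups SYNs by source and initial sequence number, and checks whether the timing fits many remote servers each making one connection attempt that is retried with normal TCP backoff (what ident callbacks to a silently dropped port 113 look like) rather than a scan. It embeds a subset of the post's lines as constructed input; the thresholds in `assess` are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the tcpdump lines from the post above, with the
# newsreader line wrapping undone, plus the one UDP line to show that non-SYN
# traffic is ignored. x.x.x.x is the poster's masked address.
SAMPLE_LOG = """\
21:49:25.439687 204.152.189.120.36950 > x.x.x.x.113: SWE 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556088 0,nop,wscale 0> (DF)
21:49:28.434534 204.152.189.120.36950 > x.x.x.x.113: SWE 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556388 0,nop,wscale 0> (DF)
21:49:34.437467 204.152.189.120.36950 > x.x.x.x.113: SWE 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556988 0,nop,wscale 0> (DF)
21:49:52.223520 212.50.10.144.51429 > x.x.x.x.113: S 2262108815:2262108815(0) win 5840 <mss 1460,sackOK,timestamp 334979793 0,nop,wscale 0> (DF) [tos 0x80]
21:49:55.215158 212.50.10.144.51429 > x.x.x.x.113: S 2262108815:2262108815(0) win 5840 <mss 1460,sackOK,timestamp 334980093 0,nop,wscale 0> (DF) [tos 0x80]
21:50:01.214326 212.50.10.144.51429 > x.x.x.x.113: S 2262108815:2262108815(0) win 5840 <mss 1460,sackOK,timestamp 334980693 0,nop,wscale 0> (DF) [tos 0x80]
21:56:17.252274 200.203.120.200.1649 > x.x.x.x.1434: udp 376
22:05:56.676950 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
22:05:59.668883 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
22:06:02.668756 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
22:06:05.668668 128.121.116.162.4479 > x.x.x.x.113: S 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
"""

# Old-style tcpdump TCP line: "time src.sport > dst.dport: FLAGS seq:seq(len) ...".
# Flags are single letters; "SWE" is a SYN with the ECN bits (CWR, ECE) set.
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SWEFRPA.]+) (?P<seq>\d+):\d+\(\d+\)"
)


def to_seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight (the log spans one evening)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_syn(line):
    """Return a dict for a TCP SYN line, or None for anything else (UDP, ACKs...)."""
    m = TCP_RE.match(line)
    if not m or "S" not in m.group("flags"):
        return None
    return {
        "t": to_seconds(m.group("ts")),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dport": int(m.group("dport")),
        "seq": int(m.group("seq")),
        "ecn": "E" in m.group("flags"),
    }


def group_flows(log_text, port=113):
    """Group SYNs to `port` by (src, sport, seq). The same initial sequence number
    repeated from the same socket is ONE connection attempt being retransmitted
    by a real TCP stack, not a series of separate probes."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        p = parse_syn(line)
        if p and p["dport"] == port:
            flows[(p["src"], p["sport"], p["seq"])].append(p["t"])
    return dict(flows)


def retransmit_gaps(times):
    """Seconds between successive SYNs of one flow, rounded to whole seconds."""
    return [round(b - a) for a, b in zip(times, times[1:])]


def assess(flows, min_sources=3, window=1200):
    """Heuristic (this example's assumption): many distinct remote hosts, each
    retrying one unanswered SYN with ordinary TCP backoff (3 s, 6 s, ... or a
    fixed 3 s), all inside a short window, is the shape of ident callbacks from
    servers we connected to, dropped by our own firewall. A port sweep typically
    comes from one source and does not wait out the full retry schedule."""
    sources = {src for (src, _, _) in flows}
    starts = [t[0] for t in flows.values()]
    backoff_ok = all(set(retransmit_gaps(t)) <= {3, 6, 12, 24} for t in flows.values())
    all_retried = all(len(t) >= 2 for t in flows.values())  # never answered by us
    span = max(starts) - min(starts) if starts else 0.0
    if len(sources) >= min_sources and backoff_ok and all_retried and span <= window:
        verdict = "callback-burst"
    else:
        verdict = "inconclusive"
    return {"sources": len(sources), "flows": len(flows), "backoff_ok": backoff_ok,
            "all_retried": all_retried, "span_s": round(span, 1), "verdict": verdict}


if __name__ == "__main__":
    flows = group_flows(SAMPLE_LOG)
    for key, times in flows.items():
        print(key, "retry gaps:", retransmit_gaps(times))
    print(assess(flows))
```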

  2. Vanguard

    Vanguard Guest

    Port 113 is for the IDENT/auth protocol. Some old mail servers still use it,
    and that's why routers might not stealth that port (because they don't want
    to be known as incompatible with e-mail). My router will even ignore a
    firewall defined within it to BLOCK on that port; http://grc.com
    Shields Up still detected the port. I had to define that port 113 went to a
    host that doesn't exist (and can never exist because the router's DHCP
    server can never assign that IP address). Basically I defined a
    virtual server that doesn't exist so any IDENT/auth request vaporizes
    into a bit bucket. See http://grc.com/port_113.htm. Sounds like
    someone is probing around to see if you run an ident server and will
    report yourself to the probe.

    --
    ____________________________________________________________
    *** Post replies to newsgroup. E-mail is not accepted. ***
    ____________________________________________________________


    "reshman" <marjunk*NO-SPAM*@charter.net> wrote in message
    news:...
    > Anyone have any ideas why I would be seeing hits directed to my on port
    > 113 -- all around the same time? Would this have anything to do with doing
    > a make for a port out of the ports package???
    >
    > Thanks!
    >
    > -Mike
    >
    > <log snipped>
    Vanguard, Oct 17, 2003
    #2

  3. Donald Jacobsen

    Mike,

    As someone else pointed out, port 113 is your ident server's port. The
    most common reasons that your ident server would be probed would be either
    a) as part of a general, overall port scan, or b) you're connecting to an
    IRC server.

    Because all of these hits were at roughly the same time, it's unlikely
    that they're part of a port scan. Do you use a program such as Trillian to
    connect to multiple IRC servers?

    It may also be a DDoS attempt, but that's doubtful at best.

    --Donald

    "reshman" <marjunk*NO-SPAM*@charter.net> wrote in message
    news:...
    > Anyone have any ideas why I would be seeing hits directed to my on port
    > 113 -- all around the same time? Would this have anything to do with doing
    > a make for a port out of the ports package???
    >
    > Thanks!
    >
    > -Mike
    >
    > 21:49:25.439687 204.152.189.120.36950 > x.x.x.x.113: SWE
    > 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556088

    <log snipped>
    > 22:06:05.668668 128.121.116.162.4479 > x.x.x.x.113: S
    > 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
    Donald Jacobsen, Oct 17, 2003
    #3
  4. reshman

    reshman Guest

    That's the odd thing -- I don't use IRC or any such application. And the
    addresses listed resolve to a bunch of debian-related sites (at least based
    on the names).

    The only thing I had going on at the time was installing a port out of the
    ports package, which would have been invoking FTPs to the necessary sites.

    Weird.....

    Thanks for your feedback.

    -Mike

    "Donald Jacobsen" <> wrote in message
    news:yqTjb.8395$...
    > Mike,
    >
    > As someone else pointed out, port 113 is your ident server's port. The
    > most common reasons that your ident server would be probed would be either
    > a) as part of a general, overall port scan, or b) you're connecting to an
    > IRC server.
    >
    > Because all of these hits were at roughly the same time, it's unlikely
    > that they're part of a port scan. Do you use a program such as Trillian to
    > connect to multiple IRC servers?
    >
    > It may also be a DDoS attempt, but that's doubtful at best.
    >
    > --Donald
    >
    > "reshman" <marjunk*NO-SPAM*@charter.net> wrote in message
    > news:...
    > > Anyone have any ideas why I would be seeing hits directed to my on port
    > > 113 -- all around the same time? Would this have anything to do with doing
    > > a make for a port out of the ports package???
    > >
    > > Thanks!
    > >
    > > -Mike
    > >
    > > 21:49:25.439687 204.152.189.120.36950 > x.x.x.x.113: SWE
    > > 3966116226:3966116226(0) win 5840 <mss 1460,sackOK,timestamp 1583556088
    > <log snipped>
    > > 22:06:05.668668 128.121.116.162.4479 > x.x.x.x.113: S
    > > 3099755125:3099755125(0) win 16384 <mss 1460> (DF)
    >
    >
    reshman, Oct 17, 2003
    #4
  5. Tommy

    Tommy Guest

    reshman wrote:

    > Anyone have any ideas why I would be seeing hits directed to my on port
    > 113 -- all around the same time? Would this have anything to do with
    > doing a make for a port out of the ports package???
    >
    > Thanks!
    >
    > -Mike


    What O/S are you using?

    > <log snipped>
    Tommy, Oct 17, 2003
    #5
  6. reshman

    reshman Guest

    FreeBSD 5.1

    "Tommy" <> wrote in message
    news:1911390.QYd4ZJqnt5@FreeBSD...
    > reshman wrote:
    >
    > > Anyone have any ideas why I would be seeing hits directed to my on port
    > > 113 -- all around the same time? Would this have anything to do with
    > > doing a make for a port out of the ports package???
    > >
    > > Thanks!
    > >
    > > -Mike

    >
    > What O/S are you using?
    >
    > > <log snipped>
    >
    reshman, Oct 17, 2003
    #6
  7. Tommy

    Tommy Guest

    reshman wrote:

    > FreeBSD 5.1
    >
    > "Tommy" <> wrote in message
    > news:1911390.QYd4ZJqnt5@FreeBSD...
    >> reshman wrote:
    >>
    >> > Anyone have any ideas why I would be seeing hits directed to my on port
    >> > 113 -- all around the same time? Would this have anything to do with
    >> > doing a make for a port out of the ports package???
    >> >
    >> > Thanks!
    >> >
    >> > -Mike

    >>

    It sounds like scalper. Have you gone to ports and installed 'chkrootkit'?
    If not, install it and run it and see what it comes up with.
    Tommy, Oct 17, 2003
    #7
  8. reshman

    reshman Guest

    chkrootkit didn't find anything.

    what is scalper?

    -Mike

    "Tommy" <> wrote in message
    news:1848528.XzRNta5OcC@FreeBSD...
    > reshman wrote:
    >
    > > FreeBSD 5.1
    > >
    > > "Tommy" <> wrote in message
    > > news:1911390.QYd4ZJqnt5@FreeBSD...
    > >> reshman wrote:
    > >>
    > >> > Anyone have any ideas why I would be seeing hits directed to my on port
    > >> > 113 -- all around the same time? Would this have anything to do with
    > >> > doing a make for a port out of the ports package???
    > >> >
    > >> > Thanks!
    > >> >
    > >> > -Mike
    > >>

    >
    > It sounds like scalper. Have you gone to ports and installed 'chkrootkit'?
    > If not, install it and run it and see what it comes up with.
    reshman, Oct 17, 2003
    #8
  9. Tommy

    Tommy Guest

    reshman wrote:

    > chkrootkit didn't find anything.
    >
    > what is scalper?
    >
    > -Mike

    ============================================================
    This worm uses the Apache HTTP Server chunk encoding stack overflow
    vulnerability to spread itself. Currently it has only been confirmed that
    this worm works on the FreeBSD platform. FreeBSD is an advanced operating
    system for Intel ia32 compatible, DEC Alpha, and PC-98 architectures. It is
    derived from BSD UNIX, the version of UNIX developed at the University of
    California, Berkeley. It is developed and maintained by a large team of
    individuals.

    This worm has received some media coverage but we believe it is currently
    not prevalent in the wild. So far, we have not received any customer
    reports of this worm. For information regarding the vulnerability, please

    You can read more about it below.
    http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html
    =========================================================

    I connected to an infected Apache server and got hit with it. The server
    will start pinging your computer...You may want to run snort and catch a
    few packets and see if you get anything from whitehats.com

    This is a message from www.whitehats.com
    Seeing Cyberkit Ping probes to your network? Great it's a new worm. All I
    ask is that you please learn to read your IDS headers and understand which
    part is the source address versus the information URL. The part that says
    whitehats.com? That is the information URL not the source! Thanks :)

    The only other known security issues I know of in BSD are sendmail and
    SSH......If you are using SSH & sendmail make sure you patch them........If
    you're not using them disable them from root/rc/config
    Tommy, Oct 18, 2003
    #9
  10. Don Kelloway

    Don Kelloway Guest

    "reshman" <marjunk*NO-SPAM*@charter.net> wrote in message
    news:...
    > Anyone have any ideas why I would be seeing hits directed to my on port
    > 113 -- all around the same time? Would this have anything to do with doing
    > a make for a port out of the ports package???
    >
    > Thanks!
    >
    > -Mike
    >


    What is TCP port 113? As stated by several others TCP port 113 is used
    to support the Identification/Authentication protocol. Such may be used
    by the server you are attempting to connect to when you are attempting
    to connect to the server with either the SMTP, FTP, or IRC protocols.

    Why do servers use IDENT/AUTH? As stated above the purpose of using
    IDENT/AUTH is that the server you are attempting to connect to, would in
    turn attempt to connect to your IP address on TCP port 113 before
    allowing you to start the process of transmitting data. If you are/were
    hosting an IDENT/AUTH server, information such as your hostname is
    passed to the other server. The server in turn would use this
    information to identify or authenticate your system and then allow your
    system to initiate the sending of the data.

    Is IDENT/AUTH mandatory? No, it's not mandatory. Years ago when the
    Internet was still in its infancy, IDENT/AUTH was commonly used, but as
    time passed and the Internet exploded in growth, it became less and
    less used, and as a result many servers will still allow you to connect
    even if you don't host an IDENT/AUTH server. It just results in slowing
    down the process by a few seconds.


    --
    Best regards,
    Don Kelloway
    Commodon Communications

    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
    Don Kelloway, Oct 18, 2003
    #10
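As an added illustration, not code from the thread, the RFC 1413 exchange Don describes: the remote server's query to port 113, a responder on our side that answers HIDDEN-USER instead of a local username, and the server-side parse of the reply. The connection table, port numbers and user names are constructed for the example.

```python
# Constructed: what our side's connection table might hold while a ports build
# fetches a distfile. Keys are (our local port, remote server port); values are
# the local user owning that socket. Hypothetical names, not from the thread.
CONN_TABLE = {
    (49152, 21): "mike",   # FTP control connection opened by the build
    (49153, 25): "root",   # an outbound SMTP session
}


def parse_query(raw):
    """Parse the query line the remote server sends to our port 113:
    '<port-on-server>, <port-on-client>' CRLF (RFC 1413 section 3).
    Returns (server_port, client_port) as ints, or None if not two integers."""
    parts = raw.strip().split(",")
    if len(parts) != 2:
        return None
    try:
        return tuple(int(p.strip()) for p in parts)
    except ValueError:
        return None


def valid_port(p):
    return 1 <= p <= 65535


def handle_query(raw, conn_table, hide=True):
    """Build our reply. The remote server names the ports from ITS point of view,
    so its <port-on-client> is our local port and its <port-on-server> is the
    remote port. With hide=True a real connection gets 'ERROR : HIDDEN-USER'
    (RFC 1413 section 6), so nothing about local account names leaks, but the
    server still gets an immediate answer. Silently dropping port 113 instead
    leaves the server's SYN unanswered; the 3 s / 6 s retransmits in the log at
    the top of the thread and the delay Don mentions are that timeout."""
    ports = parse_query(raw)
    if ports is None:
        # Not two integers at all: echoing "0, 0" here is this example's choice.
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = ports
    if not (valid_port(sp) and valid_port(cp)):
        return f"{sp}, {cp} : ERROR : INVALID-PORT\r\n"
    owner = conn_table.get((cp, sp))
    if owner is None:
        return f"{sp}, {cp} : ERROR : NO-USER\r\n"
    if hide:
        return f"{sp}, {cp} : ERROR : HIDDEN-USER\r\n"
    return f"{sp}, {cp} : USERID : UNIX : {owner}\r\n"


def parse_response(raw):
    """Parse the reply the way the querying server does (RFC 1413 section 4):
    '<ports> : ERROR : <code>' or '<ports> : USERID : <os> : <user-id>'."""
    fields = [f.strip() for f in raw.strip().split(":", 3)]
    sp, cp = (int(p) for p in fields[0].split(","))
    if fields[1] == "ERROR":
        return {"server_port": sp, "client_port": cp, "type": "ERROR", "code": fields[2]}
    return {"server_port": sp, "client_port": cp, "type": "USERID",
            "os": fields[2], "user": fields[3]}


def exchange(query, conn_table, hide=True):
    """One full round trip: what the server sends, what we answer, what it parses."""
    reply = handle_query(query, conn_table, hide)
    return {"query": query, "reply": reply, "parsed": parse_response(reply)}


if __name__ == "__main__":
    # The FTP server we connected to from local port 49152 asks who owns it.
    for hide in (True, False):
        print(exchange("21, 49152\r\n", CONN_TABLE, hide=hide))
    print(exchange("21, 60000\r\n", CONN_TABLE))   # no such connection
```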
