TCP port 0

Unanswered Question
Feb 14th, 2007

Hello,

What is TCP port 0 used for? I've searched around and can find nothing that makes sense to me aside from a programmer trick that I don't understand (I'm not a programmer). In our MARS appliance, it shows up as TCP SYN Host Sweep On Same Dest Port. The source addresses are ours, there are a lot of them. Source port varies, but destination is TCP port 0 on a wide variety of destinations. Timing varies, some are spread out, others are within the same second. The IPS signature triggered is NR-3030/0. I put Wireshark out there looking for TCP port 0, I don't see anything. Anybody seen this before?

Thanks

Scott

tsteger1 Wed, 02/14/2007 - 11:04

My (limited) understanding is that it's kind of like a wildcard search setting.

If something tries to bind to Port 0, it will in fact bind to the next available open port above 1023.

Don't know if it's good or bad in your case. It actually sounds benign but annoying and that may be enough cause for further investigation.

Tom
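To see the "wildcard" behaviour Tom describes, here is an added Python example (not from the original thread) that binds loopback sockets with port 0 and reads back the port the OS actually assigned. The kernel picks a free port from its ephemeral range, so a well-formed bind never leaves a socket sitting on port 0.

```python
import socket

def bind_port_zero(sock_type):
    """Bind a loopback socket with port 0 and return the port the kernel chose.
    Port 0 is not a real port: bind() treats it as 'pick any free ephemeral port'."""
    with socket.socket(socket.AF_INET, sock_type) as s:
        s.bind(("127.0.0.1", 0))          # 0 = let the OS choose
        return s.getsockname()[1]         # the port actually assigned

def ephemeral_ports(n=3):
    """Bind n TCP and n UDP sockets with port 0 and collect the assigned ports.
    Constructed demonstration: every port comes back non-zero and above 1023."""
    tcp = [bind_port_zero(socket.SOCK_STREAM) for _ in range(n)]
    udp = [bind_port_zero(socket.SOCK_DGRAM) for _ in range(n)]
    return {"tcp": tcp, "udp": udp}

if __name__ == "__main__":
    print(ephemeral_ports())
```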

scott.crawford@... Thu, 02/15/2007 - 06:48

Thanks for your reply.

That matches some of what I've found. What still baffles me is that, according to what I've found, it's not supposed to be visible. Indeed, my sniffer doesn't see it. But why is my IPS going moderately nuts about it?

Time for a TAC case, I think.

Scott

jt3rry Fri, 02/23/2007 - 15:12

I see very similar behavior on my PIX. One inside host randomly attempts to access IP addresses on the net, I have no idea what causes this. example from syslog:

500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 53.148.52.216/0

500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 28.155.55.66/0

500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 50.67.61.69/0

500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 138.164.243.63/0

I'm up to date on A/V and OS patches (XP Pro). I've also scanned for rootkits and spyware - PC comes up clean every time. I did find an article that referenced a TCP port scan attempt but if this is the case why are there no logs referencing the attacker from OUTSIDE?

Has anyone else encountered such behavior?

wsulym Sat, 02/24/2007 - 05:54

Given that PIX syslog message (500004), which writes anytime there is a source or destination port equal to zero for TCP or UDP, 192.168.3.102 is sending UDP packets to random hosts with the dst port set to zero. 138.164.243.63 has an interesting whois record.

What is 192.168.3.102? Just a workstation?

Might be time to drop a sniffer out in front of that box and see what it's doing.
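As an added, defender-side example (not from the thread), here is a small Python parser for the 500004 text quoted above: it keeps only records whose destination port is 0 and groups them by inside source host, so a single workstation hitting many random addresses stands out. The sample lines reuse the hosts from jt3rry's post plus constructed distractors.

```python
import re
from collections import defaultdict

# Regex for the PIX 500004 text quoted in this thread (any syslog prefix is
# ignored by using search()). Group names mirror the message fields.
MSG_500004 = re.compile(
    r"500004: Invalid transport field for protocol=(?P<proto>\d+), "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)
PROTO_NAMES = {6: "TCP", 17: "UDP"}

def parse_500004(line):
    """Return the fields of a 500004 message, or None for any other line."""
    m = MSG_500004.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    return {"proto": PROTO_NAMES.get(proto, f"proto-{proto}"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}

def summarize_port0_sources(lines, min_destinations=3):
    """Group destination-port-0 events by inside source host. 500004 also fires
    for a zero *source* port, so those are skipped; a host that reached several
    distinct destinations on port 0 matches the 'one inside host' pattern above."""
    per_src = defaultdict(lambda: {"dsts": set(), "protos": set(), "events": 0})
    for line in lines:
        ev = parse_500004(line)
        if ev is None or ev["dport"] != 0:
            continue
        rec = per_src[ev["src"]]
        rec["dsts"].add(ev["dst"])
        rec["protos"].add(ev["proto"])
        rec["events"] += 1
    return {src: {"destinations": sorted(r["dsts"]),
                  "protocols": sorted(r["protos"]), "events": r["events"]}
            for src, r in per_src.items() if len(r["dsts"]) >= min_destinations}

# Constructed sample: the four lines from the post above plus three distractors
# (a zero source port, a single-destination TCP host, and an unrelated message).
SAMPLE_SYSLOG = [
    "500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 53.148.52.216/0",
    "500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 28.155.55.66/0",
    "500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 50.67.61.69/0",
    "500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 138.164.243.63/0",
    "500004: Invalid transport field for protocol=17, from 192.168.3.50/0 to 192.0.2.10/53",
    "500004: Invalid transport field for protocol=6, from 192.168.3.77/2048 to 192.0.2.20/0",
    "Unrelated syslog line that the parser should ignore (constructed)",
]
```

Running `summarize_port0_sources(SAMPLE_SYSLOG)` reports only 192.168.3.102 (four UDP destinations); lower `min_destinations` to see the single-destination TCP host as well.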

jt3rry Sat, 02/24/2007 - 09:09

Yes, a workstation. The list of IPs where an attempt to connect on port "0" is reported as seemingly random, everything from IP addresses in Korea, Japan to Germany. As a precautionary step I wrote an ACL to block all IP traffic outbound to the list of addresses (now about 13) but I've never seen any hits on the ACL. Also, the same 10-12 lines are written to the syslog (about every 2 days) always the same destination hosts, but never are the destination IPs seen as a DENY connection, or accessed resource X on those destination IPs in my syslog. I'm not sure what my next step should be, if I were to setup Ethereal and span the port this host connects to I'm not sure I'd see any interesting traffic for a number of days. In your opinion what could be going on with this host? Are there any tools you could recommend I use to scan for rootkits/spyware etc? SpyBot Search and Destroy turns up nothing, along with RootKit Revealer.

Any help is greatly appreciated,

gregcooper Mon, 03/26/2007 - 19:41

Yes, I am getting very similar error messages from VPN clients now. It started last week. I have complaints about the users getting disconnected from the VPN, and the times that they complain about correspond to when I see them hit my PIX on port 0 with protocol 17. Have you figured anything out with those messages?

Protocol 17 is UDP, I think.

attmidsteam Sat, 02/24/2007 - 15:40

I think the signature is set to summarize target ports, thus "0".

Check your summary settings on the IDM in question.

Hope this helps sir

jt3rry Sun, 02/25/2007 - 08:43

I was able to deploy CSA in test mode on the desktop in question, within just a few minutes I checked the CSA server and it's telling me there was a rootkit detected. - How can I go about disabling the rootkit?

Description Set Rootkit detected as Untrusted, All hashes and codes modify kernel functionality

Module System Hardening Module [W, V5.0 r176]

Event details:

Event Text Kernel functionality has been modified by the module . The module '' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted.

Event Time 2/25/2007 10:30:50 AM

Code MODULE_MODIFY_TAG

PInt 46

PInt2 12

PString detected rootkit as Untrusted

PString2

PInt3 6

args(4) 8b542420528b542420a12ca1bfe1528b5424208b08528b542420528b542420528b542420528b542420528b5424205250ff1183c424c220009090909090909090

args(5)

time 40.9 (seconds since boot)

type EVTU

EvSrcComp 9

EvDst 1

EvDstComp 7

EvCode MODULE_USED_BY_SYS_TABLE

EvPInt 1

EvPString

EvPInt2 31


EvPInt3 -511842592

EvPString3 ConnectPort


scott.crawford@... Tue, 03/27/2007 - 08:14

Thanks for the reply.

That's a little over my head, but looking at the signature, Alert Frequency, Summary Mode is fire all, and the summary key is attacker address. Nothing about the port. Is this what you're referring to?

Scott
