02-14-2007 10:52 AM - edited 03-10-2019 01:41 PM
Hello,
What is TCP port 0 used for? I've searched around and can find nothing that makes sense to me aside from a programmer trick that I don't understand (I'm not a programmer). In our MARS appliance, it shows up as TCP SYN Host Sweep On Same Dest Port. The source addresses are ours, and there are a lot of them. Source port varies, but destination is TCP port 0 on a wide variety of destinations. Timing varies: some are spread out, others are within the same second. The IPS signature triggered is NR-3030/0. I put Wireshark out there looking for TCP port 0, and I don't see anything. Anybody seen this before?
Thanks
Scott
02-14-2007 11:04 AM
My (limited) understanding is that it's kind of like a wildcard search setting.
If something tries to bind to Port 0, it will in fact bind to the next available open port above 1023.
Don't know if it's good or bad in your case. It actually sounds benign but annoying and that may be enough cause for further investigation.
Tom
02-15-2007 06:48 AM
Thanks for your reply.
That matches some of what I've found. What still baffles me is that, according to what I've found, it's not supposed to be visible. Indeed, my sniffer doesn't see it. But why is my IPS going moderately nuts about it?
Time for a TAC case, I think.
Scott
02-23-2007 03:12 PM
I see very similar behavior on my PIX. One inside host randomly attempts to access IP addresses on the net; I have no idea what causes this. Example from syslog:
500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 53.148.52.216/0
500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 28.155.55.66/0
500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 50.67.61.69/0
500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 138.164.243.63/0
I'm up to date on A/V and OS patches (XP Pro). I've also scanned for rootkits and spyware; the PC comes up clean every time. I did find an article that referenced a TCP port scan attempt, but if this is the case, why are there no logs referencing the attacker from OUTSIDE?
Has anyone else encountered such behavior?
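As an added example (not code from the thread or from Cisco), here is a small parser for the 500004 lines quoted above that groups port-0 events by inside host, so a single workstation reaching many distinct destinations on port 0 stands out. The two extra log lines beyond the four quoted are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches the PIX 500004 message body as shown in the post above
# (assumption: the "from A/port to B/port" layout is kept verbatim).
LOG_RE = re.compile(
    r"500004: Invalid transport field for protocol=(?P<proto>\d+), "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)
PROTO_NAMES = {6: "TCP", 17: "UDP"}  # IP protocol numbers seen in the message

def parse_500004(line):
    """Return the parsed fields of a 500004 line, or None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"])}

def summarize(lines):
    """Per source host: how many distinct destinations it hit on port 0,
    which protocols were involved, and how many events were logged."""
    per_src = defaultdict(lambda: {"dsts": set(), "protos": Counter(), "events": 0})
    for line in lines:
        ev = parse_500004(line)
        if ev is None or (ev["dport"] != 0 and ev["sport"] != 0):
            continue  # not a 500004 line, or port 0 is not involved
        s = per_src[ev["src"]]
        s["dsts"].add(ev["dst"])
        s["protos"][ev["proto"]] += 1
        s["events"] += 1
    return {src: {"distinct_dsts": len(v["dsts"]), "protos": dict(v["protos"]),
                  "events": v["events"]} for src, v in per_src.items()}

def sweeping_hosts(lines, min_dsts=3):
    """Hosts that touched at least min_dsts distinct destinations on port 0
    (the one-host-to-many-destinations pattern the IPS summarized as a sweep)."""
    return sorted(s for s, v in summarize(lines).items() if v["distinct_dsts"] >= min_dsts)

# The four lines from the post, plus two constructed lines: a second host with
# a single TCP port-0 event, and an unrelated message that must be ignored.
SAMPLE = [
    "500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 53.148.52.216/0",
    "500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 28.155.55.66/0",
    "500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 50.67.61.69/0",
    "500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 138.164.243.63/0",
    "500004: Invalid transport field for protocol=6, from 192.168.3.50/2048 to 10.0.0.9/0",
    "302013: Built outbound TCP connection 12 for outside:10.0.0.9/80 to inside:192.168.3.50/2049",
]
```

Running `sweeping_hosts(SAMPLE)` lists only 192.168.3.102, which is the host a packet capture in front of the box should focus on.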
02-24-2007 05:54 AM
Given that PIX syslog message (500004), which is written any time there is a source or destination port equal to zero for TCP or UDP, 192.168.3.102 is sending UDP packets to random hosts with the dst port set to zero. 138.164.243.63 has an interesting whois record.
What is 192.168.3.102? Just a workstation?
Might be time to drop a sniffer out in front of that box and see what it's doing.
02-24-2007 09:09 AM
Yes, a workstation. The list of IPs where an attempt to connect on port "0" is reported is seemingly random, everything from IP addresses in Korea and Japan to Germany. As a precautionary step I wrote an ACL to block all IP traffic outbound to the list of addresses (now about 13), but I've never seen any hits on the ACL. Also, the same 10-12 lines are written to the syslog (about every 2 days), always the same destination hosts, but never are the destination IPs seen as a DENY connection, or accessing resource X on those destination IPs, in my syslog. I'm not sure what my next step should be; if I were to set up Ethereal and span the port this host connects to, I'm not sure I'd see any interesting traffic for a number of days. In your opinion, what could be going on with this host? Are there any tools you could recommend I use to scan for rootkits/spyware etc.? Spybot Search & Destroy turns up nothing, along with RootkitRevealer.
Any help is greatly appreciated,
03-26-2007 07:41 PM
Yes, I am getting very similar error messages from VPN clients now. It started last week. I have complaints about the users getting disconnected from the VPN, and the times that they complain about correspond to when I see them hit my PIX on port 0 with protocol 17. Have you figured anything out with those messages?
Protocol 17 is UDP, I think.
02-24-2007 03:40 PM
I think the signature is set to summarize target ports, thus "0".
Check your summary settings on the IDM in question.
Hope this helps sir
02-25-2007 08:43 AM
I was able to deploy CSA in test mode on the desktop in question. Within just a few minutes I checked the CSA server and it's telling me there was a rootkit detected. How can I go about disabling the rootkit?
Description Set Rootkit detected as Untrusted, All hashes and codes modify kernel functionality
Module System Hardening Module [W, V5.0 r176]
Event details:
Event Text Kernel functionality has been modified by the module
Event Time 2/25/2007 10:30:50 AM
Code MODULE_MODIFY_TAG
PInt 46
PInt2 12
PString detected rootkit as Untrusted
PString2
PInt3 6
args(4) 8b542420528b542420a12ca1bfe1528b5424208b08528b542420528b542420528b542420528b542420528b542420525 0ff1183c424c220009090909090909090
args(5)
time 40.9 (seconds since boot)
type EVTU
EvSrcComp 9
EvDst 1
EvDstComp 7
EvCode MODULE_USED_BY_SYS_TABLE
EvPInt 1
EvPString
EvPInt2 31
EvPString2 8b542420 528b5424 20a12ca1 bfe1528b
5424208b 08528b54 2420528b 54242052
8b542420 528b5424 20528b54 24205250
ff1183c4 24c22000 90909090 90909090
EvPInt3 -511842592
EvPString3 ConnectPort
FlattenedForm (t-1172417450 n-468750000 z--18000 sm-112 sc-13 dm-1 dc-7 cd-762 hp-2 p*(i-46 i-12 a-detected%20rootkit%20as%20Untrusted a-
03-27-2007 08:14 AM
Thanks for the reply.
That's a little over my head, but looking at the signature, Alert Frequency, Summary Mode is fire all, and the summary key is attacker address. Nothing about the port. Is this what you're referring to?
Scott