[Dshield] Here's something you don't see every day

Russell Washington russ.washington at vaultsentry.com
Thu Oct 3 17:41:28 GMT 2002


Saw the MTP/port 57 thing over here as well.  Generated a good deal of
discussion about what the frick MTP might actually be.

Not much to offer over here other than you're not alone. :)

-----Original Message-----
From: Ed Truitt [mailto:ed.truitt at etee2k.net] 
Sent: Thursday, October 03, 2002 6:03 AM
To: list at dshield.org
Subject: Re: [Dshield] Here's something you don't see every day


I have seen a significant # of hits (several hundred - up from 0) on this
port on my LaBrea tarpit over the last 3 days - looking at DShield, though,
it doesn't seem to be a widespread thing (at least, not like Port 520).

I went to IANA (http://www.iana.org/assignments/port-numbers), and here is
what they have to say about 57:

                 57/tcp    any private terminal access
                 57/udp    any private terminal access

I didn't know of any "private terminal access" products to date that
actually utilize port 57, so I googled and found a reference to "Kali" which
uses ports 2213, 6666, and 57 (all UDP).  Looks like an online martial-arts
game which uses IPX, and some of the "key" servers appear to be moving IP
addresses, so maybe people are scanning trying to find them.  Also, it
appears the company responsible for the game has shut down, so if there is
an exploit it may not be fix-able.  (http://www.kali.net/)

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.  Also, if you
send me UCE, I reserve the right to post your spew on my Web site, with the
appropriate color commentary, so that others may have a good laugh at your
expense."


----- Original Message -----
From: Josh Beckett
To: list at dshield.org
Sent: Wednesday, October 02, 2002 10:29 PM
Subject: [Dshield] Here's something you don't see every day


Here's something you don't see every day, or maybe you do, but I have been
doing security for a while and it caught my eye amid all the 443 scans of
late.

If anyone's interested, I'm sure I could dig a bit more detail from the real
log, rather than this snippet that is mailed to me from portsentry.

This server in question has various common services on it, all reasonably
secured.

As I don't tend to keep every port memorized, I looked this one up on:

http://www.iss.net/security_center/advice/Exploits/Ports/

MTP, but my mail services only use SMTP (for outside) and POP3 (for internal
clients).

Normally, I wouldn't think much of it, but I saw another in a relatively
short period of time (at least for my little server that only sees a few
scans an hour) from a different host.

Yes, I know how to track them down; that's not the point.  I rarely see port
57, is the thing.

Any thoughts?  Anyone else seeing this apparently little used port?

Josh

***alert snippet***
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sep 29 12:06:27 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: 63-200-149-16.ded.pacbell.net/63.200.149.16 to TCP port: 57
Sep 29 12:06:27 bacchus portsentry[659]: attackalert: Host 63.200.149.16 has been blocked via wrappers with string: "ALL: 63.200.149.16"
Sep 29 12:06:27 bacchus portsentry[659]: attackalert: Host 63.200.149.16 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 63.200.149.16 -j DENY -l"

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: 80.135.246.20/80.135.246.20 to TCP port: 57
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: Host 80.135.246.20 has been blocked via wrappers with string: "ALL: 80.135.246.20"
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: Host 80.135.246.20 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 80.135.246.20 -j DENY -l"
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: p5087F614.dip.t-dialin.net/80.135.246.20 to TCP port: 57
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: Host: p5087F614.dip.t-dialin.net/80.135.246.20 is already blocked Ignoring
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: p5087F614.dip.t-dialin.net/80.135.246.20 to TCP port: 57
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: Host: p5087F614.dip.t-dialin.net/80.135.246.20 is already blocked Ignoring

***end alert snippet***
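As an added example (not part of the thread, and not portsentry's own code), here is a small Python triage script that parses attackalert lines of the kind quoted above and answers the question being asked: how many distinct sources hit a given port, how many probes each sent, and whether a source kept knocking after portsentry had already blocked it. The regular expressions are written only against the three line shapes visible in the snippet (scan, blocked-via, already-blocked); the sample log is constructed from those same lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the portsentry attackalert entries quoted in the post,
# one entry per line. Sensor name and addresses are copied from the post.
SAMPLE_LOG = """\
Sep 29 12:06:27 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: 63-200-149-16.ded.pacbell.net/63.200.149.16 to TCP port: 57
Sep 29 12:06:27 bacchus portsentry[659]: attackalert: Host 63.200.149.16 has been blocked via wrappers with string: "ALL: 63.200.149.16"
Sep 29 12:06:27 bacchus portsentry[659]: attackalert: Host 63.200.149.16 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 63.200.149.16 -j DENY -l"
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: 80.135.246.20/80.135.246.20 to TCP port: 57
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: Host 80.135.246.20 has been blocked via wrappers with string: "ALL: 80.135.246.20"
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: Host 80.135.246.20 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 80.135.246.20 -j DENY -l"
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: p5087F614.dip.t-dialin.net/80.135.246.20 to TCP port: 57
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: Host: p5087F614.dip.t-dialin.net/80.135.246.20 is already blocked Ignoring
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: p5087F614.dip.t-dialin.net/80.135.246.20 to TCP port: 57
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: Host: p5087F614.dip.t-dialin.net/80.135.246.20 is already blocked Ignoring
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Scan line: "<ts> <sensor> portsentry[pid]: attackalert: <proto> <kind> scan
# from host: <name>/<ip> to <proto> port: <n>"  (shape taken from the snippet)
SCAN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<sensor>\S+) portsentry\[\d+\]: "
    r"attackalert: (?P<proto>TCP|UDP) (?P<kind>.+?) scan from host: "
    rf"(?P<name>\S*?)/(?P<ip>{IP}) to (?:TCP|UDP) port: (?P<port>\d+)$"
)

# Response lines: "Host <ip> has been blocked via ..." and
# "Host: <name>/<ip> is already blocked Ignoring"
BLOCK_RE = re.compile(
    rf"attackalert: Host:? (?:[^/\s]+/)?(?P<ip>{IP}) "
    r"(?P<action>has been blocked via (?:wrappers|dropped route)|is already blocked)"
)


def parse_line(line):
    """Classify one portsentry line as a scan event, a block event, or None."""
    m = SCAN_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "scan"
        ev["port"] = int(ev["port"])
        return ev
    m = BLOCK_RE.search(line)
    if m:
        return {"event": "block", "ip": m.group("ip"), "action": m.group("action")}
    return None


def summarize(log_text):
    """Count probes per destination port and source, and track block state per source."""
    probes = defaultdict(Counter)   # port -> Counter(source ip -> number of probes)
    blocked = set()                 # sources portsentry actually blocked
    repeats = Counter()             # probes that arrived after the block was in place
    for raw in log_text.splitlines():
        ev = parse_line(raw.strip())
        if ev is None:
            continue                # not an attackalert line we understand
        if ev["event"] == "scan":
            probes[ev["port"]][ev["ip"]] += 1
        elif ev["action"].startswith("has been blocked"):
            blocked.add(ev["ip"])   # wrappers and ipchains lines both land here
        else:
            repeats[ev["ip"]] += 1  # "is already blocked Ignoring"
    return probes, blocked, repeats


def port_report(log_text, port):
    """One-port view: distinct sources, probe volume, and persistence after blocking."""
    probes, blocked, repeats = summarize(log_text)
    sources = probes.get(port, Counter())
    return {
        "port": port,
        "distinct_sources": len(sources),
        "total_probes": sum(sources.values()),
        "probes_after_block": sum(repeats[ip] for ip in sources),
        "unblocked_sources": sorted(ip for ip in sources if ip not in blocked),
    }


if __name__ == "__main__":
    for key, value in port_report(SAMPLE_LOG, 57).items():
        print(f"{key}: {value}")
```

On the sample, port 57 shows two distinct sources and four probes, two of which arrived after the source was already blocked. Those "already blocked" entries are worth counting separately: the wrappers and ipchains DENY rule stop the connection, not the SYNs, so a source that keeps retrying after the block is a cheap persistence signal. The per-port, per-source counters are also the figures to set against DShield's aggregate view when deciding whether something like this is local noise or a wider sweep.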
