[Dshield] Source Port 7000

Johannes B. Ullrich jullrich at sans.org
Sat Apr 22 01:56:39 GMT 2006





yes. I have seen some of that traffic earlier. Not sure yet what it's all
about. Yesterday's logs are below. Not sure if they come through ok...

The summary:
Packets are either RST-ACK-URG or SYN-ACK-URG

the hosts show up in pairs. I got hit in three very different networks,
one of which was just turned on today.

Overall, this looks like the result of reflections from a spoofed port
scan. IP IDs, TTLs and such look "real"; the source hosts look like a mix
of unix and windows hosts based on TTLs.



Apr 21 04:45:25 defianta kernel: filter: INVALID IN=eth2 OUT=
SRC=218.246.190.244 DST=C.41 LEN=40 TOS=0x00 PREC=0x20 TTL=104 ID=16632
PROTO=TCP SPT=7000 DPT=3507 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 21 04:46:01 defianta kernel: filter: INVALID IN=eth2 OUT=
SRC=218.246.190.244 DST=C.41 LEN=40 TOS=0x00 PREC=0x20 TTL=104 ID=53546
PROTO=TCP SPT=7000 DPT=3507 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 21 06:37:40 defianta kernel: filter: INVALID IN=eth3 OUT=
SRC=61.152.104.13 DST=B.140 LEN=40 TOS=0x00 PREC=0x20 TTL=110 ID=52118
PROTO=TCP SPT=7000 DPT=21574 WINDOW=0 RES=0x00 ACK RST URGP=46248
Apr 21 09:55:39 defianta kernel: filter: INVALID IN=eth3 OUT=
SRC=60.190.120.212 DST=B.21 LEN=40 TOS=0x00 PREC=0x20 TTL=109 ID=55496
PROTO=TCP SPT=7000 DPT=25608 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 21 10:01:40 defianta kernel: filter: INVALID IN=eth3 OUT=
SRC=89.96.251.126 DST=B.21 LEN=48 TOS=0x00 PREC=0x20 TTL=44 ID=54366
PROTO=TCP SPT=7000 DPT=25608 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Apr 21 10:35:05 defianta kernel: filter: INVALID IN=eth3 OUT=
SRC=219.150.217.157 DST=B.21 LEN=48 TOS=0x00 PREC=0x20 TTL=43 ID=0
PROTO=TCP SPT=7000 DPT=25608 WINDOW=61564 RES=0x00 ACK SYN URGP=0
Apr 21 10:51:21 defianta kernel: filter: INVALID IN=eth3 OUT=
SRC=60.190.120.212 DST=B.21 LEN=40 TOS=0x00 PREC=0x20 TTL=109 ID=29254
PROTO=TCP SPT=7000 DPT=25608 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 21 10:52:11 defianta kernel: filter: INVALID IN=eth3 OUT=
SRC=61.153.241.212 DST=B.21 LEN=48 TOS=0x00 PREC=0x20 TTL=109 ID=58914
PROTO=TCP SPT=7000 DPT=25608 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Apr 21 10:58:28 defianta kernel: filter: INVALID IN=eth3 OUT=
SRC=61.153.241.212 DST=B.21 LEN=48 TOS=0x00 PREC=0x20 TTL=109 ID=22955
PROTO=TCP SPT=7000 DPT=25608 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Apr 21 11:01:09 defianta kernel: filter: INVALID IN=eth3 OUT=
SRC=219.150.217.157 DST=B.21 LEN=48 TOS=0x00 PREC=0x20 TTL=43 ID=0
PROTO=TCP SPT=7000 DPT=25608 WINDOW=61564 RES=0x00 ACK SYN URGP=0
Apr 21 11:10:45 defianta kernel: filter: INVALID IN=eth3 OUT=
SRC=61.153.241.213 DST=B.21 LEN=40 TOS=0x00 PREC=0x20 TTL=110 ID=37035
PROTO=TCP SPT=7000 DPT=25608 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 21 11:12:50 defianta kernel: filter: INVALID IN=eth3 OUT=
SRC=218.93.197.75 DST=B.21 LEN=40 TOS=0x00 PREC=0x20 TTL=109 ID=2721
PROTO=TCP SPT=7000 DPT=25608 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 21 11:59:17 defianta kernel: filter: INVALID IN=eth3 OUT=
SRC=219.148.111.161 DST=B.21 LEN=40 TOS=0x00 PREC=0x20 TTL=99 ID=0
PROTO=TCP SPT=7000 DPT=25608 WINDOW=0 RES=0x00 ACK SYN URGP=0
Apr 21 13:31:47 defianta kernel: filter: INVALID IN=eth3 OUT=
SRC=85.236.100.159 DST=B.21 LEN=40 TOS=0x00 PREC=0x20 TTL=114 ID=22105
PROTO=TCP SPT=7000 DPT=25608 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 21 14:10:08 defianta kernel: filter: INVALID IN=eth3 OUT=
SRC=85.236.100.159 DST=B.100 LEN=40 TOS=0x00 PREC=0x20 TTL=114 ID=48774
PROTO=TCP SPT=7000 DPT=1058 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 21 15:49:45 defianta kernel: filter: INVALID IN=eth2 OUT=
SRC=61.147.118.215 DST=A.12 LEN=40 TOS=0x00 PREC=0x20 TTL=107 ID=8286
PROTO=TCP SPT=7000 DPT=40637 WINDOW=8760 RES=0x00 ACK SYN URGP=0
Apr 21 18:46:23 defianta kernel: filter: INVALID IN=eth2 OUT=
SRC=61.147.118.215 DST=A.11 LEN=40 TOS=0x00 PREC=0x20 TTL=107 ID=41432
PROTO=TCP SPT=7000 DPT=20405 WINDOW=8760 RES=0x00 ACK SYN URGP=0
Apr 21 18:46:45 defianta kernel: filter: INVALID IN=eth2 OUT=
SRC=61.147.118.215 DST=A.11 LEN=40 TOS=0x00 PREC=0x20 TTL=107 ID=25817
PROTO=TCP SPT=7000 DPT=20405 WINDOW=8760 RES=0x00 ACK SYN URGP=0
Apr 21 19:46:29 defianta kernel: filter: INVALID IN=eth2 OUT=
SRC=61.147.118.215 DST=A.11 LEN=40 TOS=0x00 PREC=0x20 TTL=107 ID=26457
PROTO=TCP SPT=7000 DPT=59038 WINDOW=8760 RES=0x00 ACK SYN URGP=0
Apr 21 22:48:43 defianta kernel: filter: INVALID IN=eth2 OUT=
SRC=61.147.118.215 DST=A.11 LEN=40 TOS=0x00 PREC=0x20 TTL=107 ID=59615
PROTO=TCP SPT=7000 DPT=59038 WINDOW=8760 RES=0x00 ACK SYN URGP=0

Jon R. Kibler wrote:
> Greetings,
> 
> We have happened to notice that a disproportionate number of the firewall log entries show a source port of 7000/tcp. Some days this is as high as 0.25% or more. 
> 
> This appears to be some type of afterglow, but of what? I know that 7000/tcp is sometimes used by IRC... but most of the destination addresses in our netblocks are unallocated addresses. Any ideas what may be going on here?
> 
> Anyone else seeing this?
> 
> THANKS!
> Jon Kibler
> 


--

-------------------
Johannes B. Ullrich, Ph.D
Chief Research Officer
SANS Institute
http://isc.sans.org


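An added example (not from the post or from DShield) of the triage the summary above describes: a Python parser for these iptables LOG lines that picks out unsolicited SYN-ACK / RST-ACK replies, groups them by flag combination, source port and hit address, and rounds the TTL up to a common initial value to guess the reflector's OS family. The sample records are three lines from the post unwrapped onto one line each plus one constructed control line; the `INVALID` prefix is assumed to be the poster's rule logging packets that match no known connection.

```python
import re
from collections import Counter

# Constructed sample: three records from the post (unwrapped onto one line each)
# plus one ordinary inbound SYN as a control that must not be flagged.
SAMPLE_LOG = """\
Apr 21 04:45:25 defianta kernel: filter: INVALID IN=eth2 OUT= SRC=218.246.190.244 DST=C.41 LEN=40 TOS=0x00 PREC=0x20 TTL=104 ID=16632 PROTO=TCP SPT=7000 DPT=3507 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 21 10:01:40 defianta kernel: filter: INVALID IN=eth3 OUT= SRC=89.96.251.126 DST=B.21 LEN=48 TOS=0x00 PREC=0x20 TTL=44 ID=54366 PROTO=TCP SPT=7000 DPT=25608 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Apr 21 10:35:05 defianta kernel: filter: INVALID IN=eth3 OUT= SRC=219.150.217.157 DST=B.21 LEN=48 TOS=0x00 PREC=0x20 TTL=43 ID=0 PROTO=TCP SPT=7000 DPT=25608 WINDOW=61564 RES=0x00 ACK SYN URGP=0
Apr 21 12:00:00 defianta kernel: filter: NEW IN=eth3 OUT= SRC=192.0.2.10 DST=B.21 LEN=48 TOS=0x00 PREC=0x20 TTL=51 ID=100 PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
KV = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split an iptables LOG line into its KEY=value fields plus the set of TCP flag tokens."""
    fields = dict(KV.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    # Flag names are bare words after RES=...; URGP= is the urgent pointer value, not a flag.
    tail = line.split("RES=", 1)[-1]
    fields["FLAGS"] = frozenset(t for t in tail.split() if t in TCP_FLAGS)
    for key in ("TTL", "SPT", "DPT", "WINDOW"):
        fields[key] = int(fields[key])
    # Assumption: "INVALID" is the poster's log prefix for packets matching no known connection.
    fields["UNSOLICITED"] = " INVALID " in line
    return fields

def guess_initial_ttl(ttl):
    """Round the observed TTL up to the nearest common initial value: 64 (unix-like), 128 (windows), 255."""
    return next(init for init in (64, 128, 255) if ttl <= init)

def is_backscatter(pkt):
    """A reply (SYN-ACK or RST-ACK) that matches no connection we opened: the reflection signature."""
    flags = pkt["FLAGS"]
    return pkt["UNSOLICITED"] and "ACK" in flags and bool(flags & {"SYN", "RST"})

def summarize(log_text):
    """Count reflected packets by flag combination, source port, hit address and TTL-derived OS family."""
    pkts = [p for p in map(parse_line, log_text.splitlines()) if p]
    back = [p for p in pkts if is_backscatter(p)]
    os_name = {64: "unix-like", 128: "windows", 255: "other"}
    return {
        "total": len(pkts),
        "backscatter": len(back),
        "by_flags": Counter("-".join(sorted(p["FLAGS"])) for p in back),
        "by_spt": Counter(p["SPT"] for p in back),
        "by_dst": Counter(p["DST"] for p in back),
        "by_os": Counter(os_name[guess_initial_ttl(p["TTL"])] for p in back),
    }
```

Running `summarize(SAMPLE_LOG)` reports the three port-7000 replies as backscatter (one RST-ACK, two SYN-ACK; one windows-range TTL, two unix-range) and ignores the control SYN.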