This is a discussion on Port 1 within the Linux Security forums, part of the System Security and Security Related category.
Anyone else seen an increase in connection attempts to port 1 in the last 24 day or so? Any ideas what the reason could be?

Aug 21 11:34:22 hostname kernel: Blocked TCP ports violation: IN=eth0 OUT= MAC=00:10:5a:22:76:76:00:d0:58:c8:7e:54:08:00 SRC=12.214.202.22 DST=1x.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=52040 DF PROTO=TCP SPT=2460 DPT=1 WINDOW=16384 RES=0x00 SYN URGP=0

Aug 21 13:59:46 hostname kernel: Blocked TCP ports violation: IN=eth0 OUT= MAC=00:10:5a:22:76:76:00:d0:58:c8:7e:54:08:00 SRC=12.213.164.32 DST=1x.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=7050 DF PROTO=TCP SPT=3166 DPT=1 WINDOW=64240 RES=0x00 SYN URGP=0

--
Confucius: He who play in root, eventually kill tree.
Registered with The Linux Counter. http://counter.li.org/
Slackware 9.0 Kernel 2.4.21 i686 (GCC) 3.3
Uptime: 4 days, 12:04, 1 user, load average: 1.24, 1.49, 1.35
David wrote:
> Anyone else seen an increase in connection attempts to port 1 in the
> last 24 day or so? Any ideas what the reason could be?
>
> Aug 21 11:34:22 hostname kernel: Blocked TCP ports violation: IN=eth0
> OUT= MAC=00:10:5a:22:76:76:00:d0:58:c8:7e:54:08:00 SRC=12.214.202.22
> DST=1x.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=52040 DF
> PROTO=TCP SPT=2460 DPT=1 WINDOW=16384 RES=0x00 SYN URGP=0
>
> Aug 21 13:59:46 hostname kernel: Blocked TCP ports violation: IN=eth0
> OUT= MAC=00:10:5a:22:76:76:00:d0:58:c8:7e:54:08:00 SRC=12.213.164.32
> DST=1x.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=7050 DF
> PROTO=TCP SPT=3166 DPT=1 WINDOW=64240 RES=0x00 SYN URGP=0

In August, 2003, these seven were all I got:

Aug 14 06:33:15 linux kernel: FIREWALL: IN=ppp0 OUT= MAC= SRC=65.35.18.208 DST=X LEN=64 TOS=0x00 PREC=0x00 TTL=114 ID=8110 DF PROTO=TCP SPT=4894 DPT=1 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 14 20:50:36 linux kernel: FIREWALL: IN=ppp0 OUT= MAC= SRC=24.92.42.247 DST=X LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=18732 DF PROTO=TCP SPT=4174 DPT=1 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 14 22:50:23 linux kernel: FIREWALL: IN=ppp0 OUT= MAC= SRC=65.35.18.208 DST=X LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=64028 DF PROTO=TCP SPT=4037 DPT=1 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 15 07:27:43 linux kernel: FIREWALL: IN=ppp0 OUT= MAC= SRC=67.8.246.178 DST=X LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=13740 DF PROTO=TCP SPT=1921 DPT=1 WINDOW=16384 RES=0x00 SYN URGP=1024
Aug 15 12:26:47 linux kernel: FIREWALL: IN=ppp0 OUT= MAC= SRC=67.8.218.2 DST=X LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=942 DF PROTO=TCP SPT=1350 DPT=1 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 21 11:41:47 linux kernel: FIREWALL: IN=ppp0 OUT= MAC= SRC=80.130.98.107 DST=X LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=32630 DF PROTO=TCP SPT=2169 DPT=1 WINDOW=43580 RES=0x00 SYN URGP=0
Aug 21 11:41:50 linux kernel: FIREWALL: IN=ppp0 OUT= MAC= SRC=80.130.98.107 DST=X LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=32745 DF PROTO=TCP SPT=2169 DPT=1 WINDOW=43580 RES=0x00 SYN URGP=0

But if you have a MAC in it, they seem to be coming from your own subnet.

Cheers, Jack.

--
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
Hi all,
This port is called the tcpmux or TCP multiplexer. I take it you're on DSL or even cable? It's probably generated by your network provider but it should still be considered hostile to your network from what I've read. You can refer to RFC 1078 http://www.networksorcery.com/enp/protocol/tcpmux.htm for more about the port.

----- Original Message -----
From: "David" <thunderbolt01@netscape.net>
Newsgroups: comp.os.linux.security
Sent: Thursday, August 21, 2003 12:14 PM
Subject: Port 1

> Anyone else seen an increase in connection attempts to port 1 in
> the last 24 day or so? Any ideas what the reason could be?
>
> Aug 21 11:34:22 hostname kernel: Blocked TCP ports violation:
> IN=eth0 OUT= MAC=00:10:5a:22:76:76:00:d0:58:c8:7e:54:08:00
> SRC=12.214.202.22 DST=1x.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00
> TTL=115 ID=52040 DF PROTO=TCP SPT=2460 DPT=1 WINDOW=16384
> RES=0x00 SYN URGP=0
>
> Aug 21 13:59:46 hostname kernel: Blocked TCP ports violation:
> IN=eth0 OUT= MAC=00:10:5a:22:76:76:00:d0:58:c8:7e:54:08:00
> SRC=12.213.164.32 DST=1x.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00
> TTL=116 ID=7050 DF PROTO=TCP SPT=3166 DPT=1 WINDOW=64240 RES=0x00
> SYN URGP=0
>
> --
> Confucius: He who play in root, eventually kill tree.
> Registered with The Linux Counter. http://counter.li.org/
> Slackware 9.0 Kernel 2.4.21 i686 (GCC) 3.3
> Uptime: 4 days, 12:04, 1 user, load average: 1.24, 1.49, 1.35
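
Added example (not part of any post in this thread): a Python parser for netfilter LOG lines in the format quoted above that counts TCP SYNs to port 1 per source, folds SYN retransmissions into one attempt, and splits the MAC= field into its Ethernet header parts. The sample lines, the host name `fw`, the 10-second retry window and the `year` argument are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the thread's LOG format (documentation-range addresses).
SAMPLE = """\
Aug 21 11:41:47 fw kernel: FIREWALL: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.1 LEN=48 TTL=124 DF PROTO=TCP SPT=2169 DPT=1 WINDOW=43580 RES=0x00 SYN URGP=0
Aug 21 11:41:50 fw kernel: FIREWALL: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.1 LEN=48 TTL=124 DF PROTO=TCP SPT=2169 DPT=1 WINDOW=43580 RES=0x00 SYN URGP=0
Aug 21 13:59:46 fw kernel: FIREWALL: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=48 TTL=116 DF PROTO=TCP SPT=3166 DPT=1 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 21 14:02:10 fw kernel: FIREWALL: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=48 TTL=116 DF PROTO=TCP SPT=3170 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
"""

def parse(line, year=2003):
    """Return (timestamp, KEY=VALUE fields, bare words) for one LOG line."""
    tokens = line[15:].split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    words = {t for t in tokens if "=" not in t}  # TCP flags, DF, log prefix
    # syslog omits the year, so the caller supplies it (assumption)
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, fields, words

def split_mac(mac):
    """Split MAC= (the 14-byte Ethernet header) into (dst, src, ethertype)."""
    o = mac.split(":")
    if len(o) != 14:  # empty on ppp0: no Ethernet header to log
        return None
    return ":".join(o[:6]), ":".join(o[6:12]), "".join(o[12:])

def port1_attempts(text, retry_window=timedelta(seconds=10)):
    """Summarise TCP SYNs to port 1 per source address; a repeat of the same
    SRC/SPT within retry_window (assumed value) counts as a retransmission."""
    last_seen, summary = {}, defaultdict(
        lambda: {"attempts": 0, "retransmits": 0, "src_mac": None})
    for line in filter(str.strip, text.splitlines()):
        ts, f, words = parse(line)
        is_syn = "SYN" in words and "ACK" not in words
        if f.get("PROTO") != "TCP" or f.get("DPT") != "1" or not is_syn:
            continue
        key, entry = (f["SRC"], f["SPT"]), summary[f["SRC"]]
        if key in last_seen and ts - last_seen[key] <= retry_window:
            entry["retransmits"] += 1
        else:
            entry["attempts"] += 1
        last_seen[key] = ts
        mac = split_mac(f.get("MAC", ""))
        entry["src_mac"] = mac[1] if mac else None
    return dict(summary)
```

The `src_mac` value is the Ethernet source of the received frame, that is, the station that put it on the local segment (for routed traffic, the upstream gateway); it is empty on `ppp0` because PPP has no Ethernet header.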