Lot of traffic with source port TCP/84

This is a discussion on Lot of traffic with source port TCP/84 within the Linux Security forums, part of the System Security and Security Related category.
#1
12-02-2004
Centurion

Lot of traffic with source port TCP/84

Anyone seen this before? Seems 2 distinct IPs (dynamic hosts on USA cable
networks) are poking at my firewall (Linux 2.4.27) several times an hour
from tcp/84 -> tcp/>1024.

No backdoors running on the system (verified with known good statically
compiled tools; nmap, netstat, tcpdump etc).

I'm not too worried about it, but I haven't seen this sort of traffic at my
site before - any gotchas I haven't covered?

TIA,

James
--
"He is now rising from affluence to poverty."
-- Mark Twain

#2
12-02-2004
Moe Trin

Re: Lot of traffic with source port TCP/84

In article <317282-lc7.ln1@au-jgray.ocs.open-channels.com>, Centurion wrote:

>Anyone seen this before? Seems 2 distinct IPs (dynamic hosts on USA cable
>networks) are poking at my firewall (Linux 2.4.27) several times an hour
>from tcp/84 -> tcp/>1024.


1. What specific IPs?
2. What specifically does "poking at my firewall" mean? Are these SYN
packets - SYN/ACK, ACK/RST or what?
3. What specific times? Is there a pattern? Does it occur 24/7?

>No backdoors running on the system (verified with known good statically
>compiled tools; nmap, netstat, tcpdump etc).


On the firewall, run tcpdump and capture the packets to/from those
addresses. What is in the packets? What is in the headers?

>I'm not too worried about it, but I haven't seen this sort of traffic at my
>site before - any gotchas I haven't covered?


Port 84 is "commonly used" by Common Trace Facility - a service registered
by Digital Equipment Corporation in the early 1990s. It seems to be a protocol
tracer. Try a search at google for 'Common Trace Facility' if you are
interested. I tend to doubt it has anything to do with your sightings.

Old guy

#3
12-06-2004
Centurion

Re: Lot of traffic with source port TCP/84

Moe Trin wrote:

> In article <317282-lc7.ln1@au-jgray.ocs.open-channels.com>, Centurion
> wrote:
>
>>Anyone seen this before? Seems 2 distinct IPs (dynamic hosts on USA
>>cable networks) are poking at my firewall (Linux 2.4.27) several times an
>>hour from tcp/84 -> tcp/>1024.

>
> 1. What specific IPs?


In case this is simply innocent I'll refrain from publishing the IP's for
the moment.

> 2. What specifically does "poking at my firewall" mean? Are these SYN
> packets - SYN/ACK, ACK/RST or what?


Mostly new connections without the SYN flag. My firewall rule "NEW_NOT_SYN"
catches them. In other words, there's no associated connection according
to the conntrack module.

> 3. What specific times? Is there a pattern? Does it occur 24/7?


24/7 but comes in waves. I might get a burst of 20-50 spurious packets in
a 1 minute period (these bursts are random AFAICT), but on average it's
only a few (<5) a minute. Pretty constant though. The packets are small
and not chewing any appreciable bandwidth.

What raised my suspicions is this started the same moment (within seconds)
of a few sites spoofing the referrer when making connections to my web
server from the same network blocks as the traffic on tcp/84. I'm guessing
the spoofed referrer is to get listed in my stats pages....idiots, I've got
a robots.txt file that tells all the search engines to bugger off and don't
index the stats pages.

>>No backdoors running on the system (verified with known good statically
>>compiled tools; nmap, netstat, tcpdump etc).

>
> On the firewall, run tcpdump and capture the packets to/from those
> addresses. What is in the packets? What is in the headers?


That's the weird part, the payload is almost always a string of NULLs :-/
I'm thinking a string of NULLs could be some sort of buffer overflow
attack, but the packets are tiny (<64 bytes payload usually). I've seen TCP
pings that are bigger.

>>I'm not too worried about it, but I haven't seen this sort of traffic at
>>my site before - any gotchas I haven't covered?

>
> Port 84 is "commonly used" by Common Trace Facility - a service registered
> by Digital Equipment Corporation in the early 1990s.


Yeh, I googled around before asking in here - didn't find any known root
kits, trojans or viruses that generate the sort of traffic I'm seeing.
Just thought I'd throw it out there and see if other people had seen
anything similar. Thanks for the suggestions anyway.

Cheers,

James
--
Democracy is a government where you can say what you think even if you don't
think.

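One way to make sense of what a rule like the poster's "NEW_NOT_SYN" logs, as an added example that is not code from the thread: the Python below parses netfilter LOG lines in the kernel's `IN= OUT= SRC= DST= ... PROTO=TCP SPT= DPT= WINDOW= ... ACK URGP=` format, groups hits by source address and source port, and reports the flag mix, the TTLs seen, the destination ports hit and the busiest minute per source, which is what "comes in waves, 20-50 in a minute" has to be measured against. The log lines are constructed for the example and use RFC 5737 documentation addresses; the iptables rule quoted in the comment is an assumption about how the poster's rule was written, since the thread does not show it.

```python
import re
from collections import Counter, defaultdict

# Assumed rule that would produce lines like the constructed sample below
# (the thread names the rule "NEW_NOT_SYN" but does not show it):
#   iptables -A INPUT -p tcp ! --syn -m state --state NEW \
#            -j LOG --log-prefix "NEW_NOT_SYN "

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# syslog timestamp (month, day, HH:MM:SS), host, then the kernel message
LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}):\d{2} \S+ kernel: (.*)$")

# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec  6 03:14:07 fw kernel: NEW_NOT_SYN IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4021 DF PROTO=TCP SPT=84 DPT=32811 WINDOW=5840 RES=0x00 ACK URGP=0
Dec  6 03:14:09 fw kernel: NEW_NOT_SYN IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4022 DF PROTO=TCP SPT=84 DPT=32811 WINDOW=5840 RES=0x00 ACK URGP=0
Dec  6 03:14:40 fw kernel: NEW_NOT_SYN IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=9 DF PROTO=TCP SPT=84 DPT=1045 WINDOW=16384 RES=0x00 ACK PSH URGP=0
Dec  6 03:15:02 fw kernel: NEW_NOT_SYN IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=10 DF PROTO=TCP SPT=84 DPT=1045 WINDOW=16384 RES=0x00 ACK PSH URGP=0
Dec  6 03:15:03 fw kernel: NEW_NOT_SYN IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=11 DF PROTO=TCP SPT=84 DPT=1045 WINDOW=16384 RES=0x00 RST URGP=0
Dec  6 03:15:04 fw kernel: NEW_NOT_SYN IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7 DF PROTO=TCP SPT=443 DPT=33102 WINDOW=5840 RES=0x00 ACK URGP=0
"""


def parse_log_line(line):
    """Return minute, log prefix, header fields and TCP flags of one LOG line,
    or None for lines that are not TCP netfilter LOG output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mon, day, hhmm, msg = m.groups()
    if "IN=" not in msg:
        return None
    prefix, _, rest = msg.partition("IN=")
    fields, flags = {}, set()
    for tok in ("IN=" + rest).split():
        if "=" in tok:                      # KEY=VALUE (VALUE may be empty, e.g. OUT=)
            k, _, v = tok.partition("=")
            fields[k] = v
        elif tok in TCP_FLAGS:              # bare flag names follow RES=
            flags.add(tok)
    if fields.get("PROTO") != "TCP":
        return None
    return {
        "minute": f"{mon} {int(day)} {hhmm}",
        "prefix": prefix.strip(),
        "src": fields["SRC"], "dst": fields["DST"],
        "spt": int(fields["SPT"]), "dpt": int(fields["DPT"]),
        "ttl": int(fields["TTL"]), "len": int(fields["LEN"]),
        "window": int(fields["WINDOW"]),
        "flags": frozenset(flags),
    }


def summarize(log_text, prefix="NEW_NOT_SYN"):
    """Group hits of the given rule prefix by (source IP, source port)."""
    groups = defaultdict(lambda: {"count": 0, "flags": Counter(), "ttls": set(),
                                  "dports": set(), "per_minute": Counter()})
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        g = groups[(rec["src"], rec["spt"])]
        g["count"] += 1
        g["flags"].update(rec["flags"])
        g["ttls"].add(rec["ttl"])
        g["dports"].add(rec["dpt"])
        g["per_minute"][rec["minute"]] += 1
    return dict(groups)


def burst_sources(groups, src_port=84, per_minute=20):
    """Sources sending from src_port whose busiest minute reached the threshold."""
    return sorted(src for (src, spt), g in groups.items()
                  if spt == src_port and max(g["per_minute"].values()) >= per_minute)


if __name__ == "__main__":
    for (src, spt), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src}:{spt} hits={g['count']} flags={dict(g['flags'])} "
              f"ttl={sorted(g['ttls'])} dports={sorted(g['dports'])} "
              f"busiest_minute={max(g['per_minute'].values())}")
    print("burst sources on tcp/84:", burst_sources(summarize(SAMPLE_LOG)))
```

A stable TTL per source across all its hits is the first thing to look at here: it says the packets come from one stack at one distance, while destination ports that change on every hit would point at replies to something rather than probes.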
#4
12-06-2004
Moe Trin

Re: Lot of traffic with source port TCP/84

In article <937d82-g66.ln1@gandalf.ocs.open-channels.com>, Centurion wrote:

>Moe Trin wrote:


>> 2. What specifically does "poking at my firewall" mean? Are these SYN
>> packets - SYN/ACK, ACK/RST or what?

>
>Mostly new connections without the SYN flag. My firewall rule "NEW_NOT_SYN"
>catches them. In other words, there's no associated connection according
>to the conntrack module.


It's not uncommon to see previous valid connections stall for some reason,
and when the connection resumes, the conntrack module has timed them out
and forgotten about them. But that assumes that there is some valid reason
for you to have been talking to port 84 on the remote in the first place.
This should show up in the tcpdump.

>What raised my suspicions is this started the same moment (within seconds)
>of a few sites spoofing the referrer when making connections to my web
>server from the same network blocks as the traffic on tcp/84. I'm guessing
>the spoofed referrer is to get listed in my stats pages....idiots, I've got
>a robots.txt file that tells all the search engines to bugger off and don't
>index the stats pages.


You're in Oz, and the hits are coming from the US. Is there any reason
that your website has to be visible here - or at least to those networks?
Are you selling/servicing stuff where there might be potential/actual
customers here?

>That's the weird part, the payload is almost always a string of NULLs :-/
>I'm thinking a string of NULLs could be some sort of buffer overflow
>attack, but the packets are tiny (<64 bytes payload usually). I've seen TCP
>pings that are bigger.


OK - what about the headers? TTL, sequence numbers, MSS - that kind of
thing. You might consider adding a passive fingerprinting tool like p0f
(http://lcamtuf.coredump.cx/p0f.shtml) and see what it can see.

>Yeh, I googled around before asking in here - didn't find any known root
>kits, trojans or viruses that generate the sort of traffic I'm seeing.


It doesn't _sound_ like anything I've ever seen before.

Old guy

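The header triage Moe Trin asks for (TTL, sequence numbers, MSS) can be done on packets saved with `tcpdump -w`; as an added example that is neither the thread's code nor p0f, the Python below parses raw IPv4/TCP packets, extracts those fields plus the MSS carried in the TCP options, infers the likely initial TTL the way passive fingerprinters do (nearest common default of 64, 128 or 255, hop distance being the difference), and checks whether the payload is the all-NUL pattern the poster reported. The packets are constructed inside the block (checksums left zero, RFC 5737 addresses) so it runs offline; feeding it a real capture would need a pcap reader in front of `parse_packet`.

```python
import struct
from ipaddress import IPv4Address

# TCP flag bits in the 14th byte of the TCP header
FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))
# Initial TTLs most stacks start from; the smallest one >= the observed TTL
# is the usual passive-fingerprinting guess.
COMMON_INITIAL_TTLS = (64, 128, 255)


def build_packet(src, dst, sport, dport, ttl, flags, seq=0, ack=0,
                 window=0, mss=None, payload=b""):
    """Constructed IPv4/TCP packet for the demo; checksums are left zero
    because header triage does not need them."""
    options = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    while len(options) % 4:
        options += b"\x00"                 # kind 0 = end of option list (padding)
    flag_byte = sum(bit for name, bit in FLAG_BITS if name in flags)
    data_off = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_off << 4,
                      flag_byte, window, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     ttl, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def parse_packet(raw):
    """Pull out the header facts worth comparing across a suspicious stream."""
    (vihl, _, total_len, _, _, ttl, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if vihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (vihl & 0x0F) * 4
    tcp = raw[ihl:total_len]
    (sport, dport, seq, ack, off_byte, flag_byte,
     window, _, _) = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_byte >> 4) * 4
    options, payload = tcp[20:data_off], tcp[data_off:]

    mss = None                             # TCP option kind 2, length 4
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of options
            break
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        length = options[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        i += max(length, 2)                # guard against a zero length field

    initial_ttl = next((c for c in COMMON_INITIAL_TTLS if c >= ttl), 255)
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "sport": sport, "dport": dport,
        "ttl": ttl, "initial_ttl_guess": initial_ttl, "hops": initial_ttl - ttl,
        "seq": seq, "ack": ack, "window": window, "mss": mss,
        "flags": frozenset(name for name, bit in FLAG_BITS if flag_byte & bit),
        "payload_len": len(payload),
        "payload_all_nul": len(payload) > 0 and payload.count(0) == len(payload),
    }


def new_not_syn(info):
    """What a stateful 'NEW but not SYN' rule flags: a packet that belongs to
    no tracked connection yet does not carry SYN."""
    return "SYN" not in info["flags"]


def same_stack(infos):
    """A stable (initial TTL, window, MSS) triple across packets from one
    source suggests a single real host behind them rather than spoofed senders."""
    return len({(i["initial_ttl_guess"], i["window"], i["mss"]) for i in infos}) == 1


if __name__ == "__main__":
    # Constructed sample resembling the report: tcp/84 -> high port, ACK only,
    # 24 bytes of NULs, about 13 hops away from a 64-TTL stack.
    for n in range(3):
        pkt = build_packet("198.51.100.23", "203.0.113.5", 84, 32811, 51,
                           {"ACK"}, seq=0x1A2B3C4D + n, window=5840,
                           mss=1460, payload=b"\x00" * 24)
        info = parse_packet(pkt)
        print(sorted(info["flags"]), "new_not_syn" if new_not_syn(info) else "",
              "ttl", info["ttl"], "hops", info["hops"], "mss", info["mss"],
              "nul payload" if info["payload_all_nul"] else "")
```

Sequence numbers that step predictably, or that repeat across hits, are worth noting separately: a fixed seq with changing IP IDs reads like a scanner or a stuck retransmit, whereas a normal stalled connection resumes at the point where conntrack lost it.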