Dimitris Chontzopoulos wrote:
>
> OK, I've used the wrong term. I see traffic from a.b.c.d to
> 255.255.255.255 for Service 60001. But I think that the point is not
> whether or not "Broadcasting" is a correct term; this is why I put it in
> brackets in the first place ("Broadcasting"). The point is what this
> traffic really is about. I apologise if I've used the wrong term or
> terminology or whatever. So...
>
> Anyone knows of some other list(s) containing "Well-Known", "Known",
> "Unknown", "Trojan" or whatever TCP/UDP ports?
> Anyone knows of what application might be using this (60001 TCP) port?

No, that's exactly what I meant. IP to 255.255.255.255 on 60001/tcp is
bogus. You can't do broadcast TCP. So, in my opinion, this is, from most
probable to least probable,

1) Broken, non-malicious traffic.
2) Broken traffic from buggy malware.
3) Intentionally weird malicious traffic.

Where (1) is wa-ay more probable than (2) which is also wa-ay more probable
than (3). Why is (3) so improbable? Since this is a local broadcast, it
can never leave the local network. Pretty silly behavior for a trojan trying
to phone home or do something similar. It isn't likely a way for a worm
to try to infect other machines on the LAN since any sane TCP/IP stack will
drop broadcast TCP packets without a second look before there is a chance
to do any damage. The only possible malicious use would be as a way for
trojans (trojans that have infected kernel-land, not just user-land,
by the way) to talk to one another on the same LAN.

My money is on (1). It's a corollary of a good philosophy for life, "Never
attribute to malice what can just as easily be attributed to stupidity," that one,
"Never assume weird network traffic is hostile when it can just as easily
be the product of buggy software."

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Crist Clark
> Sent: Wednesday, June 25, 2003 8:57 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] A little off Topic - Unknown Port
>
> Dimitris Chontzopoulos wrote:
> >
> > Hello gurus of the list,
> >
> > For some time now I have one of my servers "Broadcasting" to Port
> > 60001 TCP.
>
> You can't broadcast or multicast TCP. That traffic is junk. Something
> is broken.
> --
> Crist J. Clark crist.clark AT globalstar DOT com
> Globalstar Communications (408) 933-4387
>
> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above.
> If the reader of this e-mail is not the intended recipient, or the
> employee or agent responsible to deliver it to the intended recipient,
> you are hereby notified that any review, dissemination, distribution or
> copying of this communication is strictly prohibited. If you have
> received this e-mail in error, please contact postmaster AT globalstar DOT com
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
--
Crist J. Clark crist.clark AT globalstar DOT com
Globalstar Communications (408) 933-4387
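
Added example, not part of the original message: a small Python triage script that applies the rule discussed in this thread (TCP is unicast-only, so TCP aimed at a broadcast or multicast address is junk) to log records and reports which source hosts emit it. The record layout `proto src dst dport`, the sample addresses and `LOCAL_NETS` are constructed assumptions, not FireWall-1 log format.

```python
import ipaddress
from collections import Counter

# Constructed sample records (hypothetical layout): "proto src dst dport"
SAMPLE_LOG = """\
tcp 192.0.2.10 255.255.255.255 60001
tcp 192.0.2.10 255.255.255.255 60001
udp 192.0.2.11 255.255.255.255 67
tcp 192.0.2.12 192.0.2.255 60001
tcp 192.0.2.13 224.0.0.5 179
tcp 192.0.2.14 198.51.100.7 443
"""

# Assumption: the directly attached LAN(s) of the sensor or firewall.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def non_unicast_reason(dst, local_nets=LOCAL_NETS):
    """Return why dst is not a unicast address, or None if it is unicast."""
    addr = ipaddress.ip_address(dst)
    if addr == LIMITED_BROADCAST:
        return "limited broadcast"
    if addr.is_multicast:
        return "multicast"
    for net in local_nets:
        # /31 and /32 networks have no broadcast address, so skip them.
        if net.prefixlen < 31 and addr == net.broadcast_address:
            return "directed broadcast"
    return None


def bogus_tcp(log_text, local_nets=LOCAL_NETS):
    """Count TCP records sent to broadcast or multicast destinations."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].lower() != "tcp":
            continue  # UDP broadcast (e.g. DHCP on port 67) is legitimate
        _, src, dst, dport = fields
        reason = non_unicast_reason(dst, local_nets)
        if reason:
            hits[(src, dst, int(dport), reason)] += 1
    return hits


if __name__ == "__main__":
    for (src, dst, port, reason), n in bogus_tcp(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst}:{port}/tcp ({reason}) x{n}")
```
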