Security Incidents mailing list archives

RE: Port 3889 Traffic


From: Steven Trewick <STrewick () joplings co uk>
Date: Tue, 11 May 2004 15:32:08 +0100



Best way to ID it is to set up a netcat listener (or similar [1]),
and see what you get.

Fortunately this is fairly trivial to do.

Netcat is available for nix and doze boxen from :
http://www.atstake.com/research/tools/network_utilities/

You would use a command line something like :

' nc -l -p 3889 -o some_log_file.txt ', this will bind the netcat
process to port 3889 and wait for an incoming connection, netcat
will then produce a friendly hex/text output file containing any
data that was sent over the link.

If it's some kind of fileshare, it will likely spew some kind of header
info at you (à la Kazaa, eDonkey, etc), and if not, well, you will at
least have something to analyse.

This is how I ID'd a lot of the filesharing related traffic that was
turning up at the borders of my LAN.

Obviously, you will need to allow the port through your firewall,
(which you may be forgiveably uncomfortable with), and just as
obviously, you will need to close that port again afterwards.

It's not really possible to ID traffic (especially inbound TCP
connections which are being dropped) merely by port number, you
need to see some sample traffic.  (This may not help ID what the
traffic *is*, initially, but will help you define what it *isn't*,
which is usually at least as important.)


HTH :-)


[1] You could also use WormRadar I think, http://www.wormradar.com/id1.html,
if you are running some version of windows.





-----Original Message-----
From: Eric Ceradsky [mailto:eric.ceradsky () sbcglobal net]
Sent: 08 May 2004 00:02
To: incidents () securityfocus com
Subject: Port 3889 Traffic


I've been seeing a lot of port 3889 traffic externally
lately but haven't been able to dig up any known
issues with that port.. Used to be one address and
overnight it's quickly spawned to several. Brazil, US,
UK, etc. Anyone have any ideas?

May  7 17:43:48   DROP <INPUT:DE  195.132.138.140 -> X.X.X.X    4055:3889/tcp S  ppp0
May  7 17:43:54   DROP <INPUT:DE  195.132.138.140 -> X.X.X.X    4055:3889/tcp S  ppp0
May  7 17:45:31   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2402:3889/tcp S  ppp0
May  7 17:45:34   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2402:3889/tcp S  ppp0
May  7 17:45:40   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2402:3889/tcp S  ppp0
May  7 17:45:52   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2402:3889/tcp S  ppp0
May  7 17:46:09   DROP <INPUT:DE  12.5.121.129    -> X.X.X.X    3915:3889/tcp S  ppp0
May  7 17:46:10   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2423:3889/tcp S  ppp0
May  7 17:46:12   DROP <INPUT:DE  12.5.121.129    -> X.X.X.X    3915:3889/tcp S  ppp0
May  7 17:46:13   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2423:3889/tcp S  ppp0
May  7 17:46:18   DROP <INPUT:DE  12.5.121.129    -> X.X.X.X    3915:3889/tcp S  ppp0
May  7 17:46:19   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2423:3889/tcp S  ppp0
May  7 17:46:31   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2423:3889/tcp S  ppp0
May  7 17:47:01   DROP <INPUT:DE  195.132.138.140 -> X.X.X.X    4363:3889/tcp S  ppp0
May  7 17:47:04   DROP <INPUT:DE  195.132.138.140 -> X.X.X.X    4363:3889/tcp S  ppp0
May  7 17:47:10   DROP <INPUT:DE  195.132.138.140 -> X.X.X.X    4363:3889/tcp S  ppp0

Thanks
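An added example, not code from either poster, that does the two things the reply recommends. First it triages the dropped-SYN log quoted above by grouping on source address and source port: a client stack that gets no answer to its SYN retransmits it from the same ephemeral port with a doubling delay, so the grouping shows how many distinct connection attempts the log lines really are and whether their spacing looks like that ordinary retry pattern or like something driving the port deliberately. Second it provides a one-shot listener that records whatever a connecting peer sends as a hex/text dump, the same idea as the netcat -o log. Assumptions: the year 2004 for the syslog timestamps (the prefix carries no year), port 3889 as the listener default, and the sample log, which is constructed from the lines quoted in the original post.

```python
"""Triage of firewall DROP lines for one destination port, plus a minimal
listener that captures what a peer sends first. Added example for this
archive page; the sample log is constructed from the lines quoted above."""
import re
import socket
from collections import defaultdict
from datetime import datetime

# Constructed sample: the log from the original post, one entry per line.
SAMPLE_LOG = """\
May  7 17:43:48   DROP <INPUT:DE  195.132.138.140 -> X.X.X.X    4055:3889/tcp S  ppp0
May  7 17:43:54   DROP <INPUT:DE  195.132.138.140 -> X.X.X.X    4055:3889/tcp S  ppp0
May  7 17:45:31   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2402:3889/tcp S  ppp0
May  7 17:45:34   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2402:3889/tcp S  ppp0
May  7 17:45:40   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2402:3889/tcp S  ppp0
May  7 17:45:52   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2402:3889/tcp S  ppp0
May  7 17:46:09   DROP <INPUT:DE  12.5.121.129    -> X.X.X.X    3915:3889/tcp S  ppp0
May  7 17:46:10   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2423:3889/tcp S  ppp0
May  7 17:46:12   DROP <INPUT:DE  12.5.121.129    -> X.X.X.X    3915:3889/tcp S  ppp0
May  7 17:46:13   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2423:3889/tcp S  ppp0
May  7 17:46:18   DROP <INPUT:DE  12.5.121.129    -> X.X.X.X    3915:3889/tcp S  ppp0
May  7 17:46:19   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2423:3889/tcp S  ppp0
May  7 17:46:31   DROP <INPUT:DE  66.42.241.168   -> X.X.X.X    2423:3889/tcp S  ppp0
May  7 17:47:01   DROP <INPUT:DE  195.132.138.140 -> X.X.X.X    4363:3889/tcp S  ppp0
May  7 17:47:04   DROP <INPUT:DE  195.132.138.140 -> X.X.X.X    4363:3889/tcp S  ppp0
May  7 17:47:10   DROP <INPUT:DE  195.132.138.140 -> X.X.X.X    4363:3889/tcp S  ppp0
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+DROP\s+\S+\s+"
    r"(?P<src>[\d.]+)\s+->\s+\S+\s+(?P<sport>\d+):(?P<dport>\d+)/(?P<proto>\w+)\s+(?P<flags>\S+)"
)


def parse(log, year=2004):
    """Return (timestamp, src, sport, dport, proto, flags) per DROP line.
    The syslog prefix has no year, so one is assumed (the thread is from 2004)."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        out.append((ts, m["src"], int(m["sport"]), int(m["dport"]),
                    m["proto"], m["flags"]))
    return out


def attempts(records):
    """Group dropped SYNs by (src, sport, dport). A retransmitted SYN keeps the
    same source port, so each group is one connection attempt; the value is the
    list of gaps in seconds between successive SYNs of that attempt."""
    groups = defaultdict(list)
    for ts, src, sport, dport, proto, flags in records:
        if proto == "tcp" and flags == "S":
            groups[(src, sport, dport)].append(ts)
    return {k: [int((b - a).total_seconds()) for a, b in zip(v, v[1:])]
            for k, v in groups.items()}


def classify(gaps):
    """'single': one SYN. 'retransmit': every gap roughly doubles the previous
    one, the usual stack backoff (3, 6, 12 ...). 'irregular': anything else,
    e.g. a tool hammering the port from a fixed source port. A lone gap cannot
    be told apart from a retry and is reported as 'retransmit'."""
    if not gaps:
        return "single"
    if any(g <= 0 for g in gaps):
        return "irregular"
    if all(1.5 <= b / a <= 2.5 for a, b in zip(gaps, gaps[1:])):
        return "retransmit"
    return "irregular"


def summarize(log):
    """Per source host: distinct attempts, total dropped SYNs, attempt kinds."""
    per_src = defaultdict(lambda: {"attempts": 0, "syns": 0, "kinds": []})
    for (src, sport, dport), gaps in attempts(parse(log)).items():
        d = per_src[src]
        d["attempts"] += 1
        d["syns"] += len(gaps) + 1
        d["kinds"].append(classify(gaps))
    return dict(per_src)


def hexdump(data, width=16):
    """Offset, hex bytes and printable text per row, like a netcat -o log."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {text}")
    return "\n".join(rows)


def capture_one(port=3889, bind="0.0.0.0", timeout=30.0, limit=4096):
    """Accept one TCP connection, send nothing, and return (peer, bytes) of
    whatever the client volunteers first (up to `limit`) within `timeout`."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(timeout)
            chunks, got = [], 0
            while got < limit:
                try:
                    buf = conn.recv(limit - got)
                except socket.timeout:
                    break  # client is waiting for us to speak first
                if not buf:
                    break
                chunks.append(buf)
                got += len(buf)
    return peer, b"".join(chunks)


if __name__ == "__main__":
    for src, d in summarize(SAMPLE_LOG).items():
        print(f"{src:16} attempts={d['attempts']} syns={d['syns']} {d['kinds']}")
```

Run as a script it reduces the sixteen DROP lines to five connection attempts from three hosts, each spaced like a plain unanswered connect() being retried by the client's stack rather than a scan. To get the dump, call capture_one() on a host the firewall actually passes 3889 to, then hexdump() the result; an empty capture is still a data point, since some protocols expect the server to talk first, so silence from the client does not mean nothing is there.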






