Security Incidents mailing list archives
RE: Port 3889 Traffic
From: Steven Trewick <STrewick () joplings co uk>
Date: Tue, 11 May 2004 15:32:08 +0100
Best way to ID it is to set up a netcat listener (or similar [1]), and see what you get. Fortunately this is fairly trivial to do.

Netcat is available for nix and doze boxen from: http://www.atstake.com/research/tools/network_utilities/

You would use a command line something like:

    nc -l -p 3889 -o some_log_file.txt

This will bind the netcat process to port 3889 and wait for an incoming connection; netcat will then produce a friendly hex/text output file containing any data that was sent over the link. If it's some kind of fileshare, it will likely spew some kind of header info at you (à la Kazaa, eDonkey, etc.), and if not, well, you will at least have something to analyse. This is how I ID'd a lot of the filesharing related traffic that was turning up at the borders of my LAN.

Obviously, you will need to allow the port through your firewall (which you may be forgivably uncomfortable with), and just as obviously, you will need to close that port again afterwards.

It's not really possible to ID traffic (especially inbound TCP connections which are being dropped) merely by port number; you need to see some sample traffic. (This may not help ID what the traffic *is*, initially, but will help you define what it *isn't*, which is usually at least as important.)

HTH :-)

[1] You could also use WormRadar I think, http://www.wormradar.com/id1.html, if you are running some version of Windows.
-----Original Message-----
From: Eric Ceradsky [mailto:eric.ceradsky () sbcglobal net]
Sent: 08 May 2004 00:02
To: incidents () securityfocus com
Subject: Port 3889 Traffic

I've been seeing a lot of port 3889 traffic externally lately but haven't been able to dig up any known issues with that port. Used to be one address and overnight it quickly spawned to several. Brazil, US, UK, etc. Anyone have any ideas?

May 7 17:43:48 DROP <INPUT:DE 195.132.138.140 -> X.X.X.X 4055:3889/tcp S ppp0
May 7 17:43:54 DROP <INPUT:DE 195.132.138.140 -> X.X.X.X 4055:3889/tcp S ppp0
May 7 17:45:31 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2402:3889/tcp S ppp0
May 7 17:45:34 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2402:3889/tcp S ppp0
May 7 17:45:40 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2402:3889/tcp S ppp0
May 7 17:45:52 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2402:3889/tcp S ppp0
May 7 17:46:09 DROP <INPUT:DE 12.5.121.129 -> X.X.X.X 3915:3889/tcp S ppp0
May 7 17:46:10 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2423:3889/tcp S ppp0
May 7 17:46:12 DROP <INPUT:DE 12.5.121.129 -> X.X.X.X 3915:3889/tcp S ppp0
May 7 17:46:13 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2423:3889/tcp S ppp0
May 7 17:46:18 DROP <INPUT:DE 12.5.121.129 -> X.X.X.X 3915:3889/tcp S ppp0
May 7 17:46:19 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2423:3889/tcp S ppp0
May 7 17:46:31 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2423:3889/tcp S ppp0
May 7 17:47:01 DROP <INPUT:DE 195.132.138.140 -> X.X.X.X 4363:3889/tcp S ppp0
May 7 17:47:04 DROP <INPUT:DE 195.132.138.140 -> X.X.X.X 4363:3889/tcp S ppp0
May 7 17:47:10 DROP <INPUT:DE 195.132.138.140 -> X.X.X.X 4363:3889/tcp S ppp0

Thanks
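The approach in Steven's reply, as an added example that is not part of the thread and not anything either poster wrote: a small Python stand-in for the `nc -l -p 3889 -o some_log_file.txt` listener. It first tallies the dropped SYNs per source address from a constructed sample in the same firewall-log format Eric quoted (so you know who is knocking before you open the port), then accepts one connection, records only the first bytes the peer sends without replying, and renders them as a hex/ASCII dump with a rough text-versus-binary verdict. The port number, the 512-byte capture limit and the `loopback_demo` self-test are choices made for this example.

```python
import re
import socket
import threading
from collections import Counter

# Constructed sample in the same format as the firewall log quoted in the
# thread (destination masked as X.X.X.X, exactly as the original poster did).
SAMPLE_LOG = """\
May 7 17:43:48 DROP <INPUT:DE 195.132.138.140 -> X.X.X.X 4055:3889/tcp S ppp0
May 7 17:45:31 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2402:3889/tcp S ppp0
May 7 17:46:09 DROP <INPUT:DE 12.5.121.129 -> X.X.X.X 3915:3889/tcp S ppp0
May 7 17:46:10 DROP <INPUT:DE 66.42.241.168 -> X.X.X.X 2423:3889/tcp S ppp0
"""

# "<Mon> <day> <hh:mm:ss> <ACTION> <<chain> <src> -> <dst> <sport>:<dport>/<proto> <flags> <iface>"
LOG_RE = re.compile(
    r"^(?P<ts>\w+\s+\d+\s+[\d:]+)\s+(?P<action>\w+)\s+<(?P<chain>[^ ]+)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>\S+)\s+(?P<sport>\d+):(?P<dport>\d+)/(?P<proto>\w+)"
    r"\s+(?P<flags>\S+)\s+(?P<iface>\S+)"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(log_text, dport):
    """Count DROPped connection attempts per source address aimed at dport."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DROP" and rec["dport"] == dport:
            counts[rec["src"]] += 1
    return counts


def hexdump(data, width=16):
    """Render bytes as offset / hex / printable-ASCII rows, like nc -o does."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(rows)


def looks_textual(data, threshold=0.9):
    """True if the payload is mostly printable ASCII (a text header, say)."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def capture_one(listener, max_bytes=512, timeout=5.0):
    """Accept one connection on an already-bound listening socket and return
    (peer_address, first bytes sent). Nothing is sent back, so the peer just
    sees a silent open port, the same as a bare nc -l."""
    conn, peer = listener.accept()
    conn.settimeout(timeout)
    buf = b""
    try:
        while len(buf) < max_bytes:
            chunk = conn.recv(max_bytes - len(buf))
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass  # peer connected but went quiet; keep whatever we have
    finally:
        conn.close()
    return peer, buf


def loopback_demo(payload):
    """Self-test: push a constructed payload through capture_one on 127.0.0.1
    and return the bytes the listener recorded."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def serve():
        result["peer"], result["data"] = capture_one(srv)

    t = threading.Thread(target=serve)
    t.start()
    cli = socket.create_connection(("127.0.0.1", port))
    cli.sendall(payload)
    cli.close()
    t.join()
    srv.close()
    return result["data"]


if __name__ == "__main__":
    PORT = 3889
    for src, n in summarize(SAMPLE_LOG, PORT).most_common():
        print(f"{src:>16}  {n} dropped SYN(s) to tcp/{PORT}")
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", PORT))  # needs the firewall hole Steven mentions
    srv.listen(1)
    peer, data = capture_one(srv)
    srv.close()
    kind = "text-like" if looks_textual(data) else "binary"
    print(f"connection from {peer[0]}:{peer[1]}: {len(data)} bytes, {kind}")
    print(hexdump(data))
```

Run it once, inspect the dump, and then close the port again as the reply says; the script exits after a single connection for exactly that reason. The `summarize` pass over your own firewall log tells you which sources are worth waiting for, and the text/binary verdict is only a first cut at Steven's "what it isn't" test: a printable header is worth reading, a binary blob is worth comparing against protocols you already know.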