Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Earlier I was posting a question here, and a little after I was done here and off somewhere else, firestarter peeped out that linuxquestions.org has tried to make a tcp connection on port 33270, which it identifies as associated with the trinity worm.
It was just the one hit... but my usual tactic is to tell firestarter to block hosts that arouse the firewall's interest. I didn't block linuxquestions.org because I frankly don't know that I trust my understanding of what firestarter is telling me anymore.
Any comments/insight?
linuxquestions.org was briefly infected with trinity, but it was caught and fixed?
an infected computer somehow spoofed linuxquestions.org's ip?
it was just pure coincidence that linuxquestions.org was trying to perform some perfectly legitimate business on port 33270, but firestarter couldn't tell the difference?
I don't believe my computer is infected with trinity, since I have done the checks recommended on trinity information pages, and the results were negative.
I browse with mozilla firebird 0.7, (in case it has some cookie handling problem I don't know about that allowed some other infected website to pick a linuxquestions.org cookie to spoof its address)
anyway, your guidance and replies are appreciated.
Quote:
it was just pure coincidence that linuxquestions.org was trying to perform some perfectly legitimate business on port 33270, but firestarter couldn't tell the difference?
Bingo.
Users are allowed to open outbound connections from any port over 1023. Remember there's an IP quad involved in every connection: source IP, source port, destination IP, destination port. You have to allocate a local port in order to connect to a remote port. SFAIK Linux opens ports incrementally, so you must have had your computer on for a long time to get up to the 32K range.
Now, combine this with the fact that many "backdoor" programs use high ports (so as not to arouse suspicion, or because they aren't running as root) and you can see where the problem comes in. Some IDSs are configured to set off alarms based only on port numbers. If the port happens to be a high port, well... eventually someone is going to open a connection and use the port.
Quote:
SFAIK Linux opens ports incrementally, so you must have had your computer on for a long time to get up to the 32K range.
Actually, that was a rather brief session (about a total of 45 minutes from the time I powered up until I powered down again, with the hit happening right before I powered down), and perhaps half of that time I was reading man pages on mplayer or reading feature lists for other audio file players.
Further, the hit on 33270 didn't happen (or at least wasn't reported) until ten or twenty minutes after I had stopped browsing on linuxquestions.org.
Any advice on some on-topic reading material for how linux is opening ports? In my ignorance, I would expect that linux would re-use lower ports once they were freed up... and it seems strange to me that I would have 32k ports open/in use at once. Just looking to learn from this stuff...
I've had the same thing happen 3 times now after accessing this site...also using Firestarter, happens after leaving the page, 1.5 hours uptime... My box is clean of DDoS tools; I made double sure of that... it seems rather strange to me as well.
I just ran a packet sniffer looking for any packets with port number of 33270 for over 1.5 hours after connecting to LQ and got nothing. It's highly likely that you're getting a false-alarm. Anytime you have a "dumb"-scan detector that simply sends an alert whenever certain port numbers are used in a packet, you're likely to get lots of false alarms. While that port number is utilized as a Trinity default, it also can be used by any other application that uses dynamic port assignment. Mozilla as well as other browsers will open a new source port for every connection you make, so sooner or later it will use 33270. I'm also pretty sure that Mozilla starts using ports that are somewhere near the 30000 range.
Yes, I expected a false alarm as well, but after the third time I was getting suspicious...did a search on this site and found this thread with exactly the same issue.
Thanks for the info, and apologies for sounding paranoid,
regards, Netcrawl.
There is a default setting in /proc/sys/net/ipv4/ip_local_port_range that for linux boxes should list 2 numbers (for me 1024 and 29999). It will start assigning at these numbers and increment from there. However, depending on your system (I believe on the amount of memory) it will change the one default to 32768. So it wouldn't really take much to reach 33270 from that point.
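The replies above make two points worth seeing in code: every connection is a 4-tuple (local IP, local port, remote IP, remote port), the client end of an outbound connection is just an ephemeral port the kernel hands out from /proc/sys/net/ipv4/ip_local_port_range, and a detector that keys on the bare number 33270 will therefore fire on an ordinary browser connection. The following is an added example written for this page, not code posted by anyone in the thread and not Firestarter's own logic. It reads the kernel's port range (falling back to an assumed 32768-60999 when /proc is unavailable), and compares a port-number-only rule with one that checks which end of the connection the suspect port is on. The IP addresses and connection records are constructed for illustration.

```python
# Added example, not from the LinuxQuestions thread or from Firestarter.
# Shows why a rule that keys only on a port number fires on ordinary outbound
# traffic, and how a direction-aware rule avoids that false alarm.
from pathlib import Path
from typing import NamedTuple, Optional

TRINITY_PORT = 33270  # the port named in the thread


class Conn(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    outbound: bool  # True when this host initiated the connection


def ephemeral_range(path: str = "/proc/sys/net/ipv4/ip_local_port_range",
                    fallback: tuple = (32768, 60999)) -> tuple:
    """Read the kernel's local (ephemeral) port range as (low, high).

    The fallback is an assumed value used when the file cannot be read,
    e.g. on a non-Linux host; the thread itself reports 1024-29999 and a
    lower bound of 32768 on different boxes.
    """
    try:
        low, high = Path(path).read_text().split()
        return int(low), int(high)
    except (OSError, ValueError):
        return fallback


def naive_alert(conn: Conn, port: int = TRINITY_PORT) -> bool:
    """Port-number-only rule: fires if the port appears at either end of the 4-tuple."""
    return port in (conn.local_port, conn.remote_port)


def service_port(conn: Conn) -> int:
    """The port that identifies the service: the remote port for connections we
    initiated, the local port for connections a remote host initiated."""
    return conn.remote_port if conn.outbound else conn.local_port


def aware_alert(conn: Conn, port: int = TRINITY_PORT) -> bool:
    """Direction-aware rule: fires only when the suspect port is the service end."""
    return service_port(conn) == port


def explain(conn: Conn, eph: Optional[tuple] = None, port: int = TRINITY_PORT) -> str:
    """Human-readable verdict; notes when the match was only our ephemeral client port."""
    low, high = eph if eph else ephemeral_range()
    if aware_alert(conn, port):
        side = "remote" if conn.outbound else "local"
        return f"ALERT: service port {port} on {side} side"
    if naive_alert(conn, port):
        if conn.local_port == port and low <= port <= high:
            return f"benign: {port} is our client port (inside ephemeral range {low}-{high})"
        return f"benign: {port} is only the client end of the connection"
    return "benign: port not involved"


# Constructed sample connections (documentation-range addresses, not real captures).
SAMPLE = [
    # The thread's case: a browser talking to a web server from ephemeral port 33270.
    Conn("192.0.2.10", 33270, "203.0.113.5", 80, outbound=True),
    # Outbound from a low ephemeral port: neither rule fires.
    Conn("192.0.2.10", 1045, "203.0.113.5", 443, outbound=True),
    # This host connecting out to port 33270 on a remote machine.
    Conn("192.0.2.10", 40000, "198.51.100.7", 33270, outbound=True),
    # A remote host connecting in to a listener on 33270 here.
    Conn("192.0.2.10", 33270, "198.51.100.7", 51234, outbound=False),
]


def classify(conns=SAMPLE, eph: Optional[tuple] = None):
    """Return (naive_fired, aware_fired, explanation) for each connection."""
    eph = eph or ephemeral_range()
    return [(naive_alert(c), aware_alert(c), explain(c, eph)) for c in conns]


if __name__ == "__main__":
    for c, (n, a, why) in zip(SAMPLE, classify()):
        print(f"{c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}"
              f"  naive={n} aware={a}  {why}")
```

Run on the sample, the naive rule fires on three of the four records, including the browser connection the thread is about; the direction-aware rule fires only on the two where 33270 is actually the service port. Whether the ephemeral range on a given box starts at 1024 or 32768 changes how soon the kernel hands out 33270 as a client port, not whether it eventually will.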
Quote:
apologies for sounding paranoid
NP, you can never be too paranoid in a security forum, right?