LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 09-09-2003, 10:25 PM   #1
WannaLearnLinux
Member
 
Registered: May 2003
Location: California
Distribution: Slax
Posts: 262

Rep: Reputation: 30
Question UDP port 5353


Does anyone please know what is the UDP 5353 port ?

I couldn't find it at Google,even Snort and Neohapsis port scanners won't find it.


Thanks a lot
 
Old 09-10-2003, 07:14 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,516
Blog Entries: 51

Rep: Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598Reputation: 2598
Can't find any IANA listed service for UDP/5353.
Please post your IDS or fw log or tcpdump or anything else releated.
 
Old 09-10-2003, 12:28 PM   #3
tobyl
Member
 
Registered: Apr 2003
Location: uk
Distribution: slackware current
Posts: 743

Rep: Reputation: 48
Appears to be a multicast service used by Mac OS X.
Could be used for p2p networking
Try searching for Rendevous and ichat
I found no exploits relating to this port
 
Old 09-10-2003, 08:59 PM   #4
WannaLearnLinux
Member
 
Registered: May 2003
Location: California
Distribution: Slax
Posts: 262

Original Poster
Rep: Reputation: 30
Unhappy sorry

Thanks guys for reply,but.

UnSpawn: I'm sorry don't know what you want from me.I'm newbie.Just installed firestarter few days ago.And this port is showing like once a day or so.It is from same IP as it goes from router.

netstat -l :

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 localhost:1025 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:https *:* LISTEN
udp 0 0 *:1024 *:*
udp 0 0 localhost:domain *:*
udp 0 0 *:bootpc *:*
udp 0 0 224.0.0.251:5353 *:*
udp 0 0 192.168.254.44:5353 *:*
udp 0 0 localhost:5353 *:*
udp 0 0 *:sunrpc *:*
udp 0 0 192.168.254.44:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*

it is here again and even Firestar won't see it:

192.168.254.44 - is router i guess

Some "localhost" i don't know about.

 
Old 09-10-2003, 10:34 PM   #5
WannaLearnLinux
Member
 
Registered: May 2003
Location: California
Distribution: Slax
Posts: 262

Original Poster
Rep: Reputation: 30
Angry what the hell.....

it is 8pm and this UDP at port 5353 "attacks" again in 8:13 and then 8:17 in my Firestarter .
Don't have any idea what it should be.

this can't be from ISP in 8pm,i guess.So what is it?

Looks like i need to start reading about IPtables.I've read a good about it here.
 
Old 09-10-2003, 11:58 PM   #6
WannaLearnLinux
Member
 
Registered: May 2003
Location: California
Distribution: Slax
Posts: 262

Original Poster
Rep: Reputation: 30
Lightbulb to: tobyl

Yes man,

you were right.I found it at Grc.com that this port is using "multicast DNS" .I found a bit at http://www.multicastdns.org/ .

I'll go check your URLs.

Thanx
 
Old 09-11-2003, 02:18 PM   #7
tobyl
Member
 
Registered: Apr 2003
Location: uk
Distribution: slackware current
Posts: 743

Rep: Reputation: 48
I have not used firestarter although I have read good things about it.
If you have got it set up correctly then the listening ports you have listed with netstat should be filtered ok, however I would recommend that you find out how services on your distro are started, and stop the ones you dont require. I believe you can do this from the control centre in Mandrake. Try disabling routed, xinetd and other stuff that is not critical, run netstat again, you should cut down the number of servers 'listening'.
Also re-read the firestarter config files and make sure it is running and set up ok. You really dont want that rpc stuff showing up in netstat , you have no doubt seen the problems windows machines have been suffering due to rpc vulnerabilities (blaster).

If firestarter is mentioning this port in the logs then it is probably blocking it, but without seeing the logs I cant tell.

This is what unspawn is saying - without specific info, it is impossible to say what exactly is going on. fw log is just that, the firewall log. IDS is intrusion detection system which i doubt you have installed. tcpdump is something you can learn about after you have got the basics out of the way.

tobyl
 
Old 09-11-2003, 06:48 PM   #8
WannaLearnLinux
Member
 
Registered: May 2003
Location: California
Distribution: Slax
Posts: 262

Original Poster
Rep: Reputation: 30
ok

sorry I'm newbie and i think this is firewall log i saved last time.

Wierd is that even Firestarter wont see it today and it is here again,but NETUDP instead of UDP :

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 localhost:1025 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:https *:* LISTEN
udp 0 0 *:1024 *:*
udp 0 0 localhost:domain *:*
udp 0 0 *:bootpc *:*
netudp 0 0 224.0.0.251:5353 *:*
udp 0 0 192.168.254.44:5353 *:*
udp 0 0 localhost:5353 *:*
udp 0 0 *:sunrpc *:*
udp 0 0 192.168.254.44:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp

and there is a log :

time:Sep 10 13:50:31 in: out:eth0 port:5353 source:192.168.254.44 dest:224.0.0.251 len:64 tos:0x00 protocol:udp service:unknown
time:Sep 10 13:51:05 in: out:eth0 port: source:192.168.254.44 dest:224.0.0.251 len:32 tos:0x00 protocol:igmp service:unknown
time:Sep 10 13:51:05 in: out:eth0 port: source:192.168.254.44 dest:224.0.1.1 len:32 tos:0x00 protocol:igmp service:unknown
time:Sep 10 13:50:56 in: out:eth0 port: source:192.168.254.44 dest:224.0.0.251 len:32 tos:0x00 protocol:igmp service:unknown

I'll look for other things might help you wanted.

Just
 
Old 08-13-2006, 02:20 PM   #9
devinnull
Member
 
Registered: Dec 2005
Location: UT-USA
Distribution: RHEL 3/4 Servers - FC 5 x64 on the desktop - Edubuntu for the kiddies
Posts: 53

Rep: Reputation: 15
I know this post is real old but it seemed the best out of my search results...
I hope on a related note, I noticed that port 5353 is open by defualt in my IPchains config for the IP 224.0.0.251. (FC5 is installed)One of the IPs listed by the OP it seems but ARIN's whois doesn't list much at all for the address.

Anyone have any ideas of why it would be open or why the IP is trusted by defualt?

Thanks!

/dev
 
Old 08-13-2006, 03:02 PM   #10
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 151Reputation: 151
That's a multicast address and would be used by something like iTunes (or AirTunes?) to see if other users are available to share music. I don't use it myself, but it's not malicious - based on what I've read at:
http://www.multicastdns.org/
http://docs.info.apple.com/article.html?artnum=107174
http://www.networksorcery.com/enp/pr.../multicast.htm
http://www.oreillynet.com/etel/blog/..._rendezvo.html
http://www.tldp.org/HOWTO/Multicast-HOWTO.html#toc8
http://www.ifelix.co.uk/tech/2005.html
 
Old 01-02-2007, 08:02 PM   #11
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
I think the Gnome desktop environment itself is using mDNS. For WebDAV and SFTP shares in nautilus probably.

I had to open port 5353 to get network browsing working properly in FC6 anyway.

Last edited by Crito; 01-02-2007 at 08:04 PM.
 
Old 01-02-2007, 08:36 PM   #12
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Just a simple FYI. The first place to look for what a port is normally for is your /etc/services file:

mdns 5353/tcp # Multicast DNS
mdns 5353/udp # Multicast DNS
# Stuart Cheshire <cheshire@multicastdns.org>
mdnsresponder 5354/tcp # Multicast DNS Responder IPC
mdnsresponder 5354/udp # Multicast DNS Responder IPC
# Stuart Cheshire <mdnsresponder-ipc@multicastdns.org

So, looking for multicastdns.org might provide a good reference.

You may have realized that already.

---

The source could even be a network printer.

A google search for "224.0.0.251" turned up both iTunes and the SoundBridge M1001.

Last edited by jschiwal; 01-02-2007 at 08:48 PM.
 
Old 12-19-2007, 01:02 AM   #13
mandrin
LQ Newbie
 
Registered: Dec 2007
Location: Tokyo
Posts: 1

Rep: Reputation: 0
Thumbs up Support

All,

Just built a CENTOS 5 box, and while trying to open ports I noticed this UDP port 5353 was open, pointing to the same IP as noted.

After running:
service ip6tables stop
chkconfig ip6tables off

I also noticed that the UDP port is allowed in the ip6tables config. After turning off the ip6tables, and commenting out the iptables line, it is now gone.

-Mandrin
 
Old 02-12-2008, 01:31 AM   #14
checkmate3001
Member
 
Registered: Sep 2007
Location: Folsom, California
Distribution: Debian 4.0 (Etch), Debian 5.0 (Lenny), Ubuntu 8.04
Posts: 297

Rep: Reputation: 32
Very interesting little port

I've been having a very annoying problem with this port.

I've been using iptables for a while and haven't made any changes to iptables script I use. But it seems to depend what I install (packages) on my debian system.

For some reason every once and a while (depending) I get these damn pop-ups (no real pop-ups) of text (about two lines worth) telling me that the input packet was rejected and where it came from and where it was going to.

It keeps coming from my opensuse box udp port 1440 and going to my debian box udp port 5353.

very annoying.

I'll post the thing when I go back to my debian box... few minutes...
 
Old 02-12-2008, 01:36 AM   #15
checkmate3001
Member
 
Registered: Sep 2007
Location: Folsom, California
Distribution: Debian 4.0 (Etch), Debian 5.0 (Lenny), Ubuntu 8.04
Posts: 297

Rep: Reputation: 32
kernel: INPUT packet died: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:50:fc:22:d7:52:08:00 SRC=192.168.0.151 DST=224.0.0.251 LEN=55 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=1467 DPT=5353 LEN=35


I can get anywhere to 30 of these a minute (which is impossible to deal with when editing text files) to maybe one or two a day... really odd.

also source port seems to increment by 1 each time.
192.168.0.151 is opensuse box
192.168.0.121 is debian box

Last edited by checkmate3001; 02-12-2008 at 01:37 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
telneting to a udp port. juanb Linux - Security 3 03-06-2013 01:30 PM
udp port 1024 frgtn Linux - Security 2 03-27-2005 07:10 AM
UDP Port 1697 RandomIZE Linux - Networking 5 03-23-2004 03:47 PM
closing port 68/udp? antik Linux - Security 1 09-26-2003 12:26 PM
How do I open up a UDP port? Dirt Linux - Networking 9 06-06-2003 05:50 PM


All times are GMT -5. The time now is 11:39 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration