Unusual destination traffic on ports (34631,35514,34763,34867......
on 01.02.2006 04:03:29 by mostro
I started scheduling a TCPDUMP during the night because I noticed some
unusual traffic on my bandwidth charts. The destination is the same
server each time. Right below are the different names appended to the
originating server and below that is a dump of one of the sessions. Has
anyone seen this before... I have to get a report from the destination
server to see if this traffic is initializing a process.
myserver.domain.com.cplscrambler-in -> destination port 34631
myserver.domain.com.amt-esd-prot -> destination port 35514
myserver.domain.com.rmiactivation -> destination port 34763
myserver.domain.com.ftranhc -> destination port 34867
myserver.domain.com.lmsocialserver -> destination port 35017
00:00:03.744938 IP myserver.domain.com.amt-esd-prot >
receiving.server.net.34514: S 1082456982:1082456982(0) win 5840
1460,sackOK,timestamp 1581494984 0,nop,wscale
0>E..
^C..........
00:00:03.747972 IP myserver.domain.com.amt-esd-prot >
receiving.server.net.34514: . ack 1126436661 win 5840
E..4I_@.@.]c.HT.B.5..:..@...C$.5....z......
^C....%.
00:00:03.781196 IP myserver.domain.com.amt-esd-prot >
receiving.server.net.34514: . ack 1449 win 8688
1581495021 11937219>
E..4I`@.@.]b.HT.B.5..:..@...C$....!.i......
^C....%.
00:00:03.781204 IP myserver.domain.com.amt-esd-prot >
receiving.server.net.34514: . ack 1461 win 8688
1581495021 11937219>
E..4Ia@.@.]a.HT.B.5..:..@...C$....!.i......
^C....%.
00:00:03.789326 IP myserver.domain.com.amt-esd-prot >
receiving.server.net.34514: . ack 2897 win 11584
1581495029 11937219>
E..4Ib@.@.]`.HT.B.5..:..@...C$....-@X......
^C....%.
00:00:03.791980 IP myserver.domain.com.amt-esd-prot >
receiving.server.net.34514: F 0:0(0) ack 3432 win 14480
E..4Ic@.@.]_.HT.B.5..:..@...C$....8.K......
Thanks in advance
Re: Unusual destination traffic on ports (34631,35514,34763,34867......
on 01.02.2006 20:48:45 by ibuprofin
On 31 Jan 2006, in the Usenet newsgroup comp.security.misc, in article
<1138763009.264964.46310@g14g2000cwa.googlegroups.com>, mostro wrote:
>I started scheduling a TCPDUMP during the night because I noticed some
>unusual traffic on my bandwidth charts.
Read the man page again, and configure tcpdump to get both sides of the
conversation. All that can be said is that "myserver.domain.com" initiated
a connection to "receiving.server.net", transferred some data, then shut
down.
>The destination is the same server each time.
That's nice - but tells us nothing. Is it one of your systems? Or does
the address point to "sekret.black_helicopters.int" ?
>Right below are the different names appended to the originating server
Those are 'user-land' ports (1082 to 1111), so the names are meaningless.
>and below that is a dump of one of the sessions. Has anyone seen this
>before... I have to get a report from the destination server to see if
>this traffic is initializing a process.
You could start by mentioning what operating system is on the originating
host. Several seconds after midnight - a CRON job? Depending on your
version of tcpdump, you might see if it has a -x option to dump the data
as hex and you may need to specify '-s 1500' to grab the entire packet.
Then read 'man 7 ascii' and see if the packet contents are text, and if
so, what they are saying.
Old guy
Re: Unusual destination traffic on ports (34631,35514,34763,34867......
on 02.02.2006 02:41:04 by mostro
This is how I have tcpdump scheduled in cron for tonight:
50 23 * * * /usr/sbin/tcpdump -c 150000 -w dumpfile -n -s 0 -i eth1 not
'port 80' and not 'port 21' and not 'port 23' and not 'port 53' and not
'ether proto \arp'
You're right, at first my dump looked like this:
50 23 * * * /usr/sbin/tcpdump -c 100000 -w dumpfile -n -s 1500 src
myserver.domain.com -i eth1
This obviously gave only half the story. I wasn't sure at first how
long the dump would last according to the packets I had specified so I
tried to limit the traffic. Plus, I only wanted to see if my server was
initiating the connection so I only specified the source. Tonight I
should get the full story with the top most configuration.
P.S. I eliminated all the port 80,23,21,53 and ARP traffic to get the
longest dump I could. I already know what goes on these ports (I'm pretty
sure ;). If it restricts the dump too much I will back off a little. But
this will shorten the dump time significantly because of the services
running on this machine.
These two servers are on the same network. At first I thought cronjob
too but there isn't anything running of significant value. The OS is
Suse 9.1 and the opposite server is Novell.
After I get the dumpfile I usually check the dump with "tcpdump -r
dumpfile -x -X -vv" , etc..... I use -A as well. I will post
tonight's dump tomorrow.
Thanks
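An added example, not code from either poster: once the capture holds both sides of each conversation, the first thing worth pulling out is "which sessions did my server open, and to which ports". The sh/awk filter below reads tcpdump's text output (what `tcpdump -n -r dumpfile` prints) and lists only the connections a given host initiated, skipping SYN-ACKs from the far side. The sample lines are constructed: RFC 5737 addresses stand in for myserver.domain.com and receiving.server.net, most lines follow the tcpdump 3.x format of the posted capture ("S" flag column), and one line uses the newer "Flags [S]" form so the filter handles both.

```shell
#!/bin/sh
# Added example (not from the thread): list the TCP sessions one host opened,
# from tcpdump text output. Typical feed (not needed here, sample is inline):
#   tcpdump -n -r dumpfile 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | list_initiated 192.0.2.10

# Constructed sample: 192.0.2.10 plays myserver.domain.com, 192.0.2.20 plays
# receiving.server.net. Line 2 is the far side's SYN-ACK and must NOT count.
SAMPLE_SYNS='00:00:03.744938 IP 192.0.2.10.1082 > 192.0.2.20.34514: S 1082456982:1082456982(0) win 5840 <mss 1460,sackOK,timestamp 1581494984 0,nop,wscale 0>
00:00:03.745102 IP 192.0.2.20.34514 > 192.0.2.10.1082: S 1126436660:1126436660(0) ack 1082456983 win 5792 <mss 1460,sackOK,timestamp 11937219 1581494984,nop,wscale 0>
00:05:03.119207 IP 192.0.2.10.1087 > 192.0.2.20.34631: S 2233445566:2233445566(0) win 5840 <mss 1460,sackOK>
00:10:03.902231 IP 192.0.2.10.1098 > 192.0.2.20.34763: S 3344556677:3344556677(0) win 5840 <mss 1460,sackOK>
00:10:04.002231 IP 192.0.2.30.44321 > 192.0.2.10.22: S 4455667788:4455667788(0) win 5840 <mss 1460,sackOK>
00:15:03.000100 IP 192.0.2.10.1105 > 192.0.2.20.34867: Flags [S], seq 5566778899, win 5840, options [mss 1460,sackOK], length 0'

# list_initiated HOST : print "time src_port dst_host dst_port" for every pure
# SYN (no ACK bit) sent by HOST, reading tcpdump text lines on stdin.
list_initiated() {
    awk -v host="$1" '
        $2 != "IP" { next }
        {
            # tcpdump 4.x prints "Flags [S], seq ..."; 3.x prints "S seq:seq(0) win"
            # and a SYN-ACK as "S seq:seq(0) ack N win", which we skip.
            if ($6 == "Flags") syn = ($7 == "[S],")
            else               syn = ($6 == "S" && $8 != "ack")
            if (!syn) next
            src = $3; dst = $5; sub(/:$/, "", dst)
            # the port is the last dotted component (works for names or numbers)
            n = split(src, a, "."); sport = a[n]
            shost = substr(src, 1, length(src) - length(sport) - 1)
            n = split(dst, b, "."); dport = b[n]
            dhost = substr(dst, 1, length(dst) - length(dport) - 1)
            if (shost == host) print $1, sport, dhost, dport
        }'
}

# count_initiated HOST : how many sessions HOST opened (stdin as above)
count_initiated() { list_initiated "$1" | wc -l | tr -d ' '; }

# peer_ports HOST : sorted, de-duplicated destination ports HOST connected to
peer_ports() {
    list_initiated "$1" | awk '{ print $4 }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Demo on the constructed sample: four sessions from 192.0.2.10, none from .20
printf '%s\n' "$SAMPLE_SYNS" | list_initiated 192.0.2.10
```

Run it against the real file with `tcpdump -n -r dumpfile | sh -c '. ./syns.sh; list_initiated <your host>'` or by sourcing the functions; the high-numbered destination ports it prints are what to look up on the receiving box, as the reply suggests.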
Re: Unusual destination traffic on ports (34631,35514,34763,34867......
on 02.02.2006 03:30:57 by ibuprofin
On 1 Feb 2006, in the Usenet newsgroup comp.security.misc, in article
<1138844464.096418.108100@g43g2000cwa.googlegroups.com>, mostro wrote:
>This is how I have tcpdump scheduled in cron for tonight:
OK
>Your right, at first my dump looked like this:
>50 23 * * * /usr/sbin/tcpdump -c 100000 -w dumpfile -n -s 1500 src
>myserver.domain.com -i eth1
OK - look at the time you started (23:50) - what ELSE is in the various
crontabs on the system. Assuming you are using Vixie-cron (rather than
anacron or fcron), check /etc/crontab (and /etc/anacrontab) as well as
the crontabs for _every_ user (which may be in /var/spool/cron/crontabs/).
Also see if there is anything in /etc/cron.d/*. The reason I'm pointing
there is your original post showed the packets at 3 seconds after
midnight. What's running then? You also want to check to see if you are
running an 'at' daemon - someone could have run an 'at' job, and scheduled
it for midnight.
Also, depending on what you see, you may want to take some snapshots of the
output of 'ps auxw' about that time. Anything unusual running?
>These two servers are on the same network. At first I thought cronjob
>too but there isn't anything running of significant value. The OS is
>Suse 9.1 and the opposite server is Novell.
Why would you be talking to Novell? Are you running windoze boxes? I
haven't had to worry about Novell since 3.12, and they were still defaulting
to IPX then. It looked as if there was some data transfer, and that you
initiated the connection. What is running on those 34631 - 35514 range
of ports on the Novell box?
How often do these boxes normally talk? You might get away with snarfing
all traffic between them, to see if anything on the Novell box triggered
something.
>After I get the dumpfile I usually check the dump with "tcpdump -r
>dumpfile -x -X -vv" , etc..... I use -A as well. I will post
>tonight's dump tomorrow.
I normally use just a nice wide terminal and look at the headers. At
least initially, looking at the headers should identify packets that you
will want to look at more closely.
Old guy
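An added example, not code from either poster: the reply's advice is to walk every crontab location (/etc/crontab, /etc/cron.d/*, each user's spool file) and ask what fires at 00:00. The sh script below does that mechanically, matching only the minute and hour fields (it understands `*`, `*/n`, lists and ranges, and ignores `@reboot`-style and `VAR=value` lines). So that it runs stand-alone, it writes constructed sample crontabs into a temporary directory; the file names and job commands in them (sync-to-novell, nightly-report) are made up for the illustration. Point `jobs_at` at the real paths to use it on the box.

```shell
#!/bin/sh
# Added example (not from the thread): which cron entries fire at HH:MM?

# field_matches FIELD VALUE : does a cron minute/hour field cover VALUE?
# Handles "*", "n", "a-b", "*/s", "a-b/s" and comma-separated lists of those.
field_matches() {
    _field=$1; _val=$2
    echo "$_field" | tr ',' '\n' | while read -r part; do
        step=1
        case $part in */*) step=${part#*/}; part=${part%/*} ;; esac
        case $part in
            '*') lo=0;  hi=59 ;;
            *-*) lo=${part%-*}; hi=${part#*-} ;;
            *)   lo=$part; hi=$part ;;
        esac
        if [ "$_val" -ge "$lo" ] && [ "$_val" -le "$hi" ] \
           && [ $(( ($_val - $lo) % $step )) -eq 0 ]; then
            echo yes; break
        fi
    done | grep -q yes
}

# jobs_at MINUTE HOUR FILE... : print "file: entry" for every line in the given
# crontab files whose minute and hour fields cover MINUTE:HOUR. System crontabs
# carry a user column and user spool files do not; only fields 1-2 are examined,
# so both kinds can be passed together.
jobs_at() {
    _min=$1; _hour=$2; shift 2
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" | while read -r m h rest; do
            case $m in @*|[A-Za-z_]*=*) continue ;; esac   # @reboot etc., VAR=value
            if field_matches "$m" "$_min" && field_matches "$h" "$_hour"; then
                printf '%s: %s %s %s\n' "$f" "$m" "$h" "$rest"
            fi
        done
    done
}

# --- Constructed sample files standing in for /etc/crontab, /etc/cron.d/* and
# --- the per-user spool (on SuSE, /var/spool/cron/tabs/<user>). ---------------
SAMPLE_DIR=${SAMPLE_DIR:-$(mktemp -d)}
mkdir -p "$SAMPLE_DIR/cron.d" "$SAMPLE_DIR/tabs"
cat > "$SAMPLE_DIR/crontab" <<'EOF'
SHELL=/bin/sh
PATH=/usr/bin:/bin
# daily housekeeping (sample)
0 0 * * *    root  run-parts /etc/cron.daily
*/15 * * * * root  /usr/lib/sample/rotate-logs
EOF
cat > "$SAMPLE_DIR/cron.d/backup" <<'EOF'
0 0 * * *    root  /usr/local/sbin/sync-to-novell
30 2 * * *   root  /usr/local/sbin/nightly-report
EOF
cat > "$SAMPLE_DIR/tabs/mostro" <<'EOF'
50 23 * * * /usr/sbin/tcpdump -c 150000 -w dumpfile -n -s 0 -i eth1 not 'port 80'
EOF

# midnight_jobs : everything in the sample files that covers 00:00
midnight_jobs() {
    jobs_at 0 0 "$SAMPLE_DIR/crontab" "$SAMPLE_DIR"/cron.d/* "$SAMPLE_DIR"/tabs/*
}

midnight_jobs
```

On a live system the equivalent call is `jobs_at 0 0 /etc/crontab /etc/cron.d/* /var/spool/cron/tabs/*` (run as root so the spool is readable); `at` queue entries are not crontab lines, so check those separately with `atq`, as the reply notes.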