Output packets on port 113

on 06.07.2007 10:58:17 by andre rodier

Hello all,

I manage a Debian etch, with only official packages. Externally accessible services are:
- a web server Apache, on port 80.
- a mail box on port smtp (exim).
- an ssh server, but accessible only from one fixed IP address.

My firewall log seems to drop output packets on port 113:
Jul 6 01:04:35 sinfo kernel: Firewall:Drop output:IN= OUT=eth0 SRC=XX.XXX.XX.XXX DST=122.116.17.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59847 DF PROTO=TCP SPT=35914 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0

The beginning of a whois result is:
inetnum: 122.116.0.0 - 122.117.255.255
netname: HINET-NET
country: TW
descr: CHTD, Chunghwa Telecom Co.,Ltd.
descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr: Taipei Taiwan 100
...
And I'm sure I have no relation with Taiwan...

Does somebody here know which service sends those packets, and why?

Thanks.
Andre.

Re: Output packets on port 113

on 06.07.2007 12:53:05 by Sebastian Gottschalk

andre wrote:

> Hello all,
>
> I manage a Debian etch, with only official packages. Externally accessible services are:
> - a web server Apache, on port 80.
> - a mail box on port smtp (exim).
> - an ssh server, but accessible only from one fixed IP address.
>
> My firewall log seems to drop output packets on port 113:
> Jul 6 01:04:35 sinfo kernel: Firewall:Drop output:IN= OUT=eth0 SRC=XX.XXX.XX.XXX DST=122.116.17.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59847 DF PROTO=TCP SPT=35914 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
>
> The beginning of a whois result is:
> inetnum: 122.116.0.0 - 122.117.255.255
> netname: HINET-NET
> country: TW
> descr: CHTD, Chunghwa Telecom Co.,Ltd.
> descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
> descr: Taipei Taiwan 100
> ...
> And I'm sure I have no relation with Taiwan...
>
> Does somebody here know which service sends those packets, and why?
exim, because authd is part of the smtp procedure.

Re: Output packets on port 113

on 06.07.2007 13:36:32 by Ansgar -59cobalt- Wiechers

andre wrote:
> I manage a Debian etch, with only official packages. Externally accessible services are:
> - a web server Apache, on port 80.
> - a mail box on port smtp (exim).
> - an ssh server, but accessible only from one fixed IP address.
>
> My firewall log seems to drop output packets on port 113:
> Jul 6 01:04:35 sinfo kernel: Firewall:Drop output:IN= OUT=eth0 SRC=XX.XXX.XX.XXX DST=122.116.17.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59847 DF PROTO=TCP SPT=35914 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
>
> The beginning of a whois result is:
> inetnum: 122.116.0.0 - 122.117.255.255
> netname: HINET-NET
> country: TW
> descr: CHTD, Chunghwa Telecom Co.,Ltd.
> descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
> descr: Taipei Taiwan 100
> ...
> And I'm sure I have no relation with Taiwan...
>
> Does somebody here know which service sends those packets, and why?

cobalt@chrome:~ $ grep 113/ /etc/services
auth 113/tcp authentication tap ident
cobalt@chrome:~ $ _

google://ident

You can safely ignore these packets, even more so if you don't have an
identd running.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
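The two replies above identify the traffic as the MTA's ident (RFC 1413) callback to each SMTP client. As an added triage helper that is not part of this thread, the following Python parses netfilter LOG lines in the format the poster showed, picks out outbound TCP SYNs to port 113, and groups them by destination so they can be matched against the mail log for the same timestamps. The sample lines are constructed for the example: the destination 122.116.17.133 and the log prefix come from the post, all other addresses are RFC 5737 documentation addresses (the poster masked his own source address), and the wrapped log line from the post is shown unwrapped.

```python
import re
from typing import Dict, List

# Constructed sample lines in the netfilter LOG format shown in the thread.
# 122.116.17.133 is the destination from the post; the other addresses are
# RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
Jul 6 01:04:35 sinfo kernel: Firewall:Drop output:IN= OUT=eth0 SRC=192.0.2.10 DST=122.116.17.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59847 DF PROTO=TCP SPT=35914 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 6 01:04:36 sinfo kernel: Firewall:Drop output:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59848 DF PROTO=TCP SPT=35915 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 6 01:04:40 sinfo kernel: Firewall:Drop output:IN= OUT=eth0 SRC=192.0.2.10 DST=122.116.17.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59850 DF PROTO=TCP SPT=35916 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 6 01:05:01 sinfo kernel: Firewall:Drop input:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

IDENT_PORT = 113  # auth/ident, as listed in /etc/services


def parse_netfilter_line(line: str) -> Dict[str, str]:
    """Turn one kernel LOG line into a dict of KEY=VALUE fields.

    Bare flags such as DF and SYN are stored with an empty value. Everything
    before the first IN= token (timestamp, host, log prefix) is kept under
    'prefix'. Lines without netfilter fields yield an empty dict.
    """
    m = re.search(r"\bIN=", line)
    if not m:
        return {}
    fields = {"prefix": line[: m.start()].strip()}
    for tok in line[m.start():].split():
        key, _, val = tok.partition("=")
        fields[key] = val
    return fields


def is_outbound_ident_query(f: Dict[str, str]) -> bool:
    """True for a locally originated TCP SYN to port 113.

    OUT set and IN empty means the packet left this host (OUTPUT chain), so
    the host itself is asking the remote peer's identd who owns a connection.
    On a mail server that is typically the MTA's RFC 1413 callback for an
    incoming SMTP session, as the thread explains.
    """
    return (
        f.get("PROTO") == "TCP"
        and f.get("DPT") == str(IDENT_PORT)
        and "SYN" in f
        and f.get("OUT", "") != ""
        and f.get("IN", "") == ""
    )


def summarize(log: str) -> Dict[str, List[str]]:
    """Group dropped outbound ident queries by destination host.

    Returns {destination: [source ports...]}; each source port is the local
    ephemeral port of one query, handy for matching against the MTA log.
    """
    by_dst: Dict[str, List[str]] = {}
    for line in log.splitlines():
        f = parse_netfilter_line(line)
        if f and is_outbound_ident_query(f):
            by_dst.setdefault(f["DST"], []).append(f["SPT"])
    return by_dst


if __name__ == "__main__":
    for dst, ports in summarize(SAMPLE_LOG).items():
        print(f"{dst}: {len(ports)} dropped ident query(ies), local ports {', '.join(ports)}")
```

The inbound line to port 22 is deliberately included so the filter shows it is not matched: only packets that leave the host towards port 113 count. One practical note on the drop itself: with a DROP rule in OUTPUT the SYN silently disappears and the MTA waits for its ident query timeout before continuing the SMTP session, whereas a REJECT rule in OUTPUT fails the connection immediately; alternatively the callback can be turned off in Exim's main configuration with rfc1413_query_timeout = 0s, after which no port 113 traffic is generated at all.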

Re: Output packets on port 113

on 07.07.2007 11:15:18 by andre rodier

Thanks.
André.
Ansgar -59cobalt- Wiechers wrote:
> andre wrote:
>> I manage a Debian etch, with only official packages. Externally accessible services are:
>> - a web server Apache, on port 80.
>> - a mail box on port smtp (exim).
>> - an ssh server, but accessible only from one fixed IP address.
>>
>> My firewall log seems to drop output packets on port 113:
>> Jul 6 01:04:35 sinfo kernel: Firewall:Drop output:IN= OUT=eth0 SRC=XX.XXX.XX.XXX DST=122.116.17.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59847 DF PROTO=TCP SPT=35914 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
>>
>> The beginning of a whois result is:
>> inetnum: 122.116.0.0 - 122.117.255.255
>> netname: HINET-NET
>> country: TW
>> descr: CHTD, Chunghwa Telecom Co.,Ltd.
>> descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
>> descr: Taipei Taiwan 100
>> ...
>> And I'm sure I have no relation with Taiwan...
>>
>> Does somebody here know which service sends those packets, and why?
>
> cobalt@chrome:~ $ grep 113/ /etc/services
> auth 113/tcp authentication tap ident
> cobalt@chrome:~ $ _
>
> google://ident
>
> You can safely ignore these packets, even more so if you don't have an
> identd running.
>
> cu
> 59cobalt