What is TCP port 0 used for? I've searched around and can find nothing that makes sense to me aside from a programmer trick that I don't understand (I'm not a programmer). In our MARS appliance, it shows up as TCP SYN Host sweep On Same Dest Port. The source addresses are ours, and there are a lot of them. Source port varies, but the destination is TCP port 0 on a wide variety of destinations. Timing varies; some are spread out, others are within the same second. The IPS signature triggered is NR-3030/0. I put Wireshark out there looking for TCP port 0, and I don't see anything. Anybody seen this before?
My (limited) understanding is that it's kind of like a wildcard search setting.
If something tries to bind to Port 0, it will in fact bind to the next available open port above 1023.
Don't know if it's good or bad in your case. It actually sounds benign but annoying and that may be enough cause for further investigation.
Thanks for your reply.
That matches some of what I've found. What still baffles me is that, according to what I've found, it's not supposed to be visible. Indeed, my sniffer doesn't see it. But why is my IPS going moderately nuts about it?
Time for a TAC case, I think.
I see very similar behavior on my PIX. One inside host randomly attempts to access IP addresses on the net; I have no idea what causes this. Example from syslog:
500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 188.8.131.52/0
500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 184.108.40.206/0
500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 220.127.116.11/0
500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 18.104.22.168/0
I'm up to date on A/V and OS patches (XP Pro). I've also scanned for rootkits and spyware; the PC comes up clean every time. I did find an article that referenced a TCP port scan attempt, but if this is the case, why are there no logs referencing the attacker from OUTSIDE?
Has anyone else encountered such behavior?
Given that PIX syslog message (500004), which is written any time there is a source or destination port equal to zero for TCP or UDP, 192.168.3.102 is sending UDP packets to random hosts with the dst port set to zero. 22.214.171.124 has an interesting whois record.
What is 192.168.3.102? Just a workstation?
Might be time to drop a sniffer out in front of that box and see what it's doing.
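As an added example (not from the thread or from Cisco), the check below parses PIX 500004 lines in the format quoted above and summarizes per inside host which protocol and how many distinct destinations were hit with a zero port, so a repeating pattern like the one described stands out; it also shows that binding a local socket to port 0 only yields an ephemeral port, which is why a sniffer would not see port 0 from that. The sample log lines and the outside addresses are constructed.

```python
import re
import socket
from collections import defaultdict

# PIX/ASA syslog message 500004 fires whenever the source or destination port
# of a TCP (6) or UDP (17) packet is zero.
MSG_500004 = re.compile(
    r"500004: Invalid transport field for protocol=(?P<proto>\d+), "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)")
PROTO_NAMES = {6: "TCP", 17: "UDP"}

# Constructed sample log in the format quoted in the thread; the outside
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 203.0.113.10/0
500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 203.0.113.11/0
500004: Invalid transport field for protocol=6, from 192.168.3.55/0 to 198.51.100.7/80
500004: Invalid transport field for protocol=17, from 192.168.3.102/1369 to 203.0.113.12/0
"""

def parse_port_zero_events(log_text):
    """Return one dict per 500004 line, naming the protocol and which port was zero."""
    events = []
    for line in log_text.splitlines():
        m = MSG_500004.search(line)
        if not m:
            continue  # other message IDs are ignored
        proto, dport = int(m.group("proto")), int(m.group("dport"))
        events.append({"proto": PROTO_NAMES.get(proto, f"proto-{proto}"),
                       "src": m.group("src"), "sport": int(m.group("sport")),
                       "dst": m.group("dst"), "dport": dport,
                       "zero_side": "dst" if dport == 0 else "src"})
    return events

def summarize_by_source(events):
    """Per inside host: how many hits, how many distinct destinations, which protocols."""
    summary = defaultdict(lambda: {"count": 0, "destinations": set(), "protocols": set()})
    for ev in events:
        s = summary[ev["src"]]
        s["count"] += 1
        s["destinations"].add(ev["dst"])
        s["protocols"].add(ev["proto"])
    return dict(summary)

def ephemeral_port_from_bind_zero():
    """Binding to port 0 only asks the OS for a free ephemeral port; port 0 never goes on the wire."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```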
Yes, a workstation. The list of IPs where an attempt to connect on port "0" is reported as seemingly random, everything from IP addresses in Korea, Japan to Germany. As a precautionary step I wrote an ACL to block all IP traffic outbound to the list of addresses (now about 13) but I've never seen any hits on the ACL. Also, the same 10-12 lines are written to the syslog (about every 2 days) always the same destination hosts, but never are the destination IPs seen as a DENY connection, or accessed resource X on those destination IPs in my syslog. I'm not sure what my next step should be, if I were to setup Ethereal and span the port this host connects to I'm not sure I'd see any interesting traffic for a number of days. In your opinion what could be going on with this host? Are there any tools you could recommend I use to scan for rootkits/spyware etc? SpyBot Search and Destroy turns up nothing, along with RootKit Revealer.
Any help is greatly appreciated,
Yes, I am getting very similar error messages from VPN clients now. It started last week. I have complaints about the users getting disconnected from the VPN, and the times that they complain about correspond to when I see them hit my PIX on port 0 with protocol 17. Have you figured anything out with those messages?
Protocol 17 is UDP, I think.
I was able to deploy CSA in test mode on the desktop in question. Within just a few minutes I checked the CSA server, and it's telling me there was a rootkit detected. How can I go about disabling the rootkit?
Description Set Rootkit detected as Untrusted, All hashes and codes modify kernel functionality
Module System Hardening Module [W, V5.0 r176]
Event details:
Event Text Kernel functionality has been modified by the module
Event Time 2/25/2007 10:30:50 AM
PString detected rootkit as Untrusted
time 40.9 (seconds since boot)
Thanks for the reply.
That's a little over my head, but looking at the signature, Alert Frequency, Summary Mode is fire all, and the summary key is attacker address. Nothing about the port. Is this what you're referring to?