Output packets on port 113

Posted by andre on July 6, 2007, 4:58 am
Hello all,

I manage a Debian etch, with only official packages. Externally accessible services are:
- a web server, Apache, on port 80.
- a mail box on port smtp (exim).
- an ssh server, but accessible only from one fixed IP address.

My firewall log seems to drop output packets on port 113:
Jul 6 01:04:35 sinfo kernel: Firewall:Drop output:IN= OUT=eth0 SRC=XX.XXX.XX.XXX DST=122.116.17.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59847 DF PROTO=TCP SPT=35914 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0

The beginning of a whois result is:
inetnum: 122.116.0.0 - 122.117.255.255
netname: HINET-NET
country: TW
descr: CHTD, Chunghwa Telecom Co.,Ltd.
descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr: Taipei Taiwan 100
...
And I'm sure to have no relation with Taiwan...

Somebody here knows which service sends those packets, and why?

Thanks.
Andre.

Posted by Sebastian G. on July 6, 2007, 6:53 am
andre wrote:

> Hello all,
>
> I manage a Debian etch, with only official packages. Externally accessible services are:
> - a web server, Apache, on port 80.
> - a mail box on port smtp (exim).
> - an ssh server, but accessible only from one fixed IP address.
>
> My firewall log seems to drop output packets on port 113:
> Jul 6 01:04:35 sinfo kernel: Firewall:Drop output:IN= OUT=eth0 SRC=XX.XXX.XX.XXX DST=122.116.17.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59847 DF PROTO=TCP SPT=35914 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
>
> The beginning of a whois result is:
> inetnum: 122.116.0.0 - 122.117.255.255
> netname: HINET-NET
> country: TW
> descr: CHTD, Chunghwa Telecom Co.,Ltd.
> descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
> descr: Taipei Taiwan 100
> ...
> And I'm sure to have no relation with Taiwan...
>
> Somebody here knows which service sends those packets, and why?


exim, because authd is part of the smtp procedure.

Posted by Ansgar -59cobalt- Wiechers on July 6, 2007, 7:36 am
> I manage a Debian etch, with only official packages. Externally accessible services are:
> - a web server, Apache, on port 80.
> - a mail box on port smtp (exim).
> - an ssh server, but accessible only from one fixed IP address.
>
> My firewall log seems to drop output packets on port 113:
> Jul 6 01:04:35 sinfo kernel: Firewall:Drop output:IN= OUT=eth0 SRC=XX.XXX.XX.XXX DST=122.116.17.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59847 DF PROTO=TCP SPT=35914 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
>
> The beginning of a whois result is:
> inetnum: 122.116.0.0 - 122.117.255.255
> netname: HINET-NET
> country: TW
> descr: CHTD, Chunghwa Telecom Co.,Ltd.
> descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
> descr: Taipei Taiwan 100
> ...
> And I'm sure to have no relation with Taiwan...
>
> Somebody here knows which service sends those packets, and why?

cobalt@chrome:~ $ grep 113/ /etc/services
auth 113/tcp authentication tap ident
cobalt@chrome:~ $ _

google://ident

You can safely ignore these packets, even more if you don't have an
identd running.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
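A defender's check for the explanation given in the two replies above, added here and not code from the thread or from Exim: it parses netfilter LOG lines in the format André posted and labels each dropped outbound SYN to tcp/113 as an SMTP ident callback when an inbound connection to tcp/25 from the same peer was accepted shortly before. The inbound "Firewall:Accept input" line, the third drop, the 30-second window and the log year are constructed assumptions; the second line is André's own log entry with its masked SRC.

```python
from datetime import datetime, timedelta

# Constructed sample log. Line 2 is the poster's dropped outbound packet (SRC masked
# as in the thread). Lines 1 and 3 are assumed: an accepted inbound SMTP connection
# from the same peer (hypothetical "Accept input" rule) and a drop with no SMTP peer.
SAMPLE_LOG = """\
Jul 6 01:04:35 sinfo kernel: Firewall:Accept input:IN=eth0 OUT= SRC=122.116.17.133 DST=XX.XXX.XX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4242 DF PROTO=TCP SPT=4321 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 6 01:04:35 sinfo kernel: Firewall:Drop output:IN= OUT=eth0 SRC=XX.XXX.XX.XXX DST=122.116.17.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59847 DF PROTO=TCP SPT=35914 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 6 01:09:02 sinfo kernel: Firewall:Drop output:IN= OUT=eth0 SRC=XX.XXX.XX.XXX DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=40001 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LOG_YEAR = 2007  # syslog timestamps carry no year; taken from the thread's date


def parse_netfilter_line(line):
    """Split one iptables LOG line into a dict of KEY=VALUE fields plus bare flags."""
    stamp, _, rest = line.partition(" kernel: ")
    month, day, clock = stamp.split()[:3]
    prefix, _, fields = rest.partition("IN=")
    rec = {"ts": datetime.strptime(f"{LOG_YEAR} {month} {day} {clock}", "%Y %b %d %H:%M:%S"),
           "prefix": prefix.strip(), "flags": set()}
    for tok in ("IN=" + fields).split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val          # e.g. DPT=113, OUT=eth0, IN= (empty on the output chain)
        else:
            rec["flags"].add(tok)   # e.g. DF, SYN
    return rec


def classify_ident_drops(lines, window=timedelta(seconds=30)):
    """For each dropped outbound SYN to tcp/113 report (verdict, peer).

    'smtp-ident-callback' means an inbound SYN to tcp/25 from that peer was accepted at
    most `window` earlier, i.e. the MTA is doing its RFC 1413 (ident) lookup on the client.
    """
    recs = [parse_netfilter_line(l) for l in lines if l.strip()]
    smtp_in = [r for r in recs
               if r.get("IN") and r.get("DPT") == "25" and "SYN" in r["flags"]]
    verdicts = []
    for r in recs:
        outbound_ident = (r.get("OUT") and r.get("PROTO") == "TCP"
                          and r.get("DPT") == "113" and "SYN" in r["flags"])
        if not outbound_ident or "Drop" not in r["prefix"]:
            continue
        peer = r["DST"]
        explained = any(s["SRC"] == peer and timedelta(0) <= r["ts"] - s["ts"] <= window
                        for s in smtp_in)
        verdicts.append(("smtp-ident-callback" if explained else "unexplained", peer))
    return verdicts
```

Run over a real log the "unexplained" verdicts are the only ones worth chasing; the rest are the mail server's ident lookups described in the replies.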

Posted by andre on July 7, 2007, 5:15 am
Thanks.
André.
Ansgar -59cobalt- Wiechers wrote:
>> I manage a Debian etch, with only official packages. Externally accessible services are:
>> - a web server, Apache, on port 80.
>> - a mail box on port smtp (exim).
>> - an ssh server, but accessible only from one fixed IP address.
>>
>> My firewall log seems to drop output packets on port 113:
>> Jul 6 01:04:35 sinfo kernel: Firewall:Drop output:IN= OUT=eth0 SRC=XX.XXX.XX.XXX DST=122.116.17.133 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59847 DF PROTO=TCP SPT=35914 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
>>
>> The beginning of a whois result is:
>> inetnum: 122.116.0.0 - 122.117.255.255
>> netname: HINET-NET
>> country: TW
>> descr: CHTD, Chunghwa Telecom Co.,Ltd.
>> descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
>> descr: Taipei Taiwan 100
>> ...
>> And I'm sure to have no relation with Taiwan...
>>
>> Somebody here knows which service sends those packets, and why?
>
> cobalt@chrome:~ $ grep 113/ /etc/services
> auth 113/tcp authentication tap ident
> cobalt@chrome:~ $ _
>
> google://ident
>
> You can safely ignore these packets, even more if you don't have an
> identd running.
>
> cu
> 59cobalt
