Security Incidents mailing list archives
High port UDP probe?
From: damian () ITACTICS COM (Damian Gerow)
Date: Tue, 25 Apr 2000 09:29:05 -0400
This came up in our firewall:

Apr 24 08:48:01 <hostname> kernel: Packet log: unserved DENY eth0 PROTO=UDP 149.225.113.35:31790 xxx.xxx.xxx.xxx:31789 L=29:9 S=0x00 I=64598 T=115

What concerns me is both the destination port and the packet length. I'm assuming that L=29:9 means 29 for the whole packet size, and 9 is the UDP packet size. Take away the UDP header, leaves you 1? Am I reading this correctly?
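The length arithmetic asked about above, as an added example that is not part of the original post: a Python parser for this "Packet log:" line that applies the poster's reading of L=29:9 (total IP length, then UDP length) and checks that the two numbers fit a valid IPv4 header. The function names and the treatment of the L= field are assumptions of this example, not confirmed by the page.

```python
import re

# Layout of the "Packet log:" line quoted in the post. Reading "L=a:b" as
# "IP total length : UDP length" is the poster's assumption.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\S+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<ip_len>\d+)(?::(?P<l4_len>\d+))? "
    r"S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+)"
    r"(?: F=(?P<frag>0x[0-9A-Fa-f]+))? T=(?P<ttl>\d+)"
)
UDP_HEADER = 8  # fixed size of the UDP header in bytes

def parse_packet_log(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "ip_len", "l4_len", "ip_id", "ttl"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields

def udp_payload_report(fields):
    """Derive header and payload sizes for a UDP entry, or None if not applicable."""
    if fields["proto"] not in ("UDP", "17") or fields["l4_len"] is None:
        return None
    ip_header = fields["ip_len"] - fields["l4_len"]
    # A valid IPv4 header is 20 to 60 bytes in 4-byte steps; UDP length >= 8.
    consistent = (20 <= ip_header <= 60 and ip_header % 4 == 0
                  and fields["l4_len"] >= UDP_HEADER)
    return {
        "ip_header_bytes": ip_header,
        "lengths_consistent": consistent,
        "payload_bytes": fields["l4_len"] - UDP_HEADER,
    }

# The log line from the post (destination already masked by the poster).
SAMPLE = ("Apr 24 08:48:01 <hostname> kernel: Packet log: unserved DENY eth0 "
          "PROTO=UDP 149.225.113.35:31790 xxx.xxx.xxx.xxx:31789 "
          "L=29:9 S=0x00 I=64598 T=115")

if __name__ == "__main__":
    parsed = parse_packet_log(SAMPLE)
    print(parsed["src"], parsed["sport"], "->", parsed["dport"])
    print(udp_payload_report(parsed))
```

Under that reading, 29 minus 9 leaves exactly a 20-byte IPv4 header without options, and 9 minus the 8-byte UDP header leaves 1 byte of payload.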