Security Incidents mailing list archives
Re: Wake-up call
From: Jason Lewis <jlewis () jasonlewis net>
Date: Sat, 30 Dec 2000 15:45:21 -0500
While it is possible that someone is scanning for those ports.... It is more likely he had just disconnected from the MSN gaming zone and the other players hadn't gotten the info yet. This happens a lot with online gaming.

jas
http://www.rivalpath.com

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Joe Klein
Sent: Friday, December 29, 2000 12:29 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Wake-up call

12/27/2000 11:56:19.192 - UDP packet dropped - Source:209.91.163.236, 1030, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 11:57:19.288 - UDP packet dropped - Source:209.91.163.236, 1030, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 11:58:22.368 - UDP packet dropped - Source:63.17.37.124, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 11:59:27.800 - UDP packet dropped - Source:24.65.240.83, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:00:37.848 - UDP packet dropped - Source:24.65.240.83, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:01:54.160 - UDP packet dropped - Source:24.24.147.33, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:03:14.592 - UDP packet dropped - Source:24.24.147.33, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:04:37.800 - UDP packet dropped - Source:24.9.220.84, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -

Using a list of well-known ports (http://www.isi.edu/in-notes/iana/assignments/port-numbers) or (http://support.kcfishnet.com/scripts/fishnet/portnumbers/portnumbers2.asp), I notice:

Port 1030/udp BBN IAD - Registered to: Andy Malis <malis_a () timeplex com>
Port 28800/udp is on the unassigned list

To find the 28800/udp port, I scanned lists of Trojan horses and found nothing (http://www.doshelp.com/trojanports.htm, http://home.tiscalinet.be/bchicken/trojans/trojanpo.htm, http://www.simovits.com/nyheter9902.html).

I did a search on port 28800 udp using www.dogpile.com and found a lot of traffic about this port. One specifically (http://www.chebucto.ns.ca/~rakerman/port-table.html) provided the information that 28800 is used by Microsoft Gaming and 1024-65535 is used by Microsoft NetMeeting (http://support.microsoft.com/support/kb/articles/Q158/6/23.asp).

As far as the IP addresses, well, it looks like they are dial-up and high-speed lines from major vendors (http://www.arin.net/cgi-bin/whois.pl?queryinput=)

209.91.163.236 ViaNet Internet Solutions (NETBLK-VIANET-CA2) Sudbury, ON P3E 5J8 CA - 209.91.128.0 - 209.91.175.255
63.17.37.124 UUNET Technologies, Inc. (NETBLK-NETBLK-UUNET97DU) Fairfax, va 22031 US 63.0.0.0 - 63.61.255.255
24.65.240.83 Shaw Fiberlink ltd. (NETBLK-FIBERLINK-CABLE) Calgary AB, 4L4 CA - 24.64.0.0 - 24.71.255.255
24.24.147.33 ServiceCo LLC - Road Runner (NET-ROAD-RUNNER-1) Herndon, VA 20171 US - 24.24.0.0 - 24.31.255.255
24.9.220.84 @Home Network (NETBLK-CORP-RDC-SC-1) CORP-RDC-SC-1 24.0.0.0 - 24.0.0.255

In summary, it looks like someone is scanning your system for misconfigured Microsoft NetMeeting clients or Microsoft Gaming clients. Although I have seen no vulnerabilities of this type in the lists, it doesn't mean that there are not any :-)

Joe Klein
E-Commerce/Security Consultant

"Los, Ralph" wrote:
Hey everyone,

Thought you might be interested in this one, pardon if it's already been seen.

12/27/2000 11:56:19.192 - UDP packet dropped - Source:209.91.163.236, 1030, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 11:57:19.288 - UDP packet dropped - Source:209.91.163.236, 1030, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 11:58:22.368 - UDP packet dropped - Source:63.17.37.124, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 11:59:27.800 - UDP packet dropped - Source:24.65.240.83, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:00:37.848 - UDP packet dropped - Source:24.65.240.83, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:01:54.160 - UDP packet dropped - Source:24.24.147.33, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:03:14.592 - UDP packet dropped - Source:24.24.147.33, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:04:37.800 - UDP packet dropped - Source:24.9.220.84, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -

1. Can someone help me analyze this? (No packet dumps unfortunately, just this)
2. Is there a site that exists that can better help me find port-scan associations? SANS institute's web site seems a little lacking in the department!

Regards,
Ralph M. Los
Sr. Internet Systems & Security Admin.
(312) 827-3945 (direct)
EnvestNet Advisory Corp.
(312) 296-9003 (wireless)
rlos () envestnet com
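
The question the thread turns on (scan versus leftover peer traffic) can be checked mechanically against the posted drops. The following is an added example, not part of any poster's message: it parses the log lines as posted and summarizes them per source. The function names and the `scan_ports` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines as posted in the thread (the poster redacted the firewall address).
LOG = """\
12/27/2000 11:56:19.192 - UDP packet dropped - Source:209.91.163.236, 1030, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 11:57:19.288 - UDP packet dropped - Source:209.91.163.236, 1030, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 11:58:22.368 - UDP packet dropped - Source:63.17.37.124, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 11:59:27.800 - UDP packet dropped - Source:24.65.240.83, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:00:37.848 - UDP packet dropped - Source:24.65.240.83, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:01:54.160 - UDP packet dropped - Source:24.24.147.33, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:03:14.592 - UDP packet dropped - Source:24.24.147.33, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:04:37.800 - UDP packet dropped - Source:24.9.220.84, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
"""

LINE = re.compile(
    r"(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) - (?P<proto>\w+) packet dropped - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), \w+ - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), \w+"
)

def parse(text):
    """Return one dict per dropped-packet line; non-matching lines are skipped."""
    events = []
    for m in LINE.finditer(text):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %H:%M:%S.%f")
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events

def summarize(events, scan_ports=5):
    """scan_ports (assumed): distinct destination ports from one source that count as a scan."""
    ports_by_src = defaultdict(set)
    for e in events:
        ports_by_src[e["src"]].add(e["dport"])
    return {
        "sources": len(ports_by_src),
        "dest_ports": sorted({e["dport"] for e in events}),
        "scanners": sorted(s for s, p in ports_by_src.items() if len(p) >= scan_ports),
        "same_port_both_ends": sum(e["sport"] == e["dport"] for e in events),
        "span_seconds": (events[-1]["ts"] - events[0]["ts"]).total_seconds() if events else 0,
    }

if __name__ == "__main__":
    print(summarize(parse(LOG)))
```

For the posted lines the summary shows five sources all hitting the single destination port 28800, six of the eight packets using 28800 on both ends, and no source reaching the scan threshold, which is the pattern Jason Lewis's reply describes rather than one source sweeping many ports.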
Current thread:
- Wake-up call Los, Ralph (Dec 29)
- Re: Wake-up call Joe Klein (Dec 30)
- Re: Wake-up call Jason Lewis (Dec 30)
- <Possible follow-ups>
- Re: Wake-up call Robert G. Ferrell (Dec 30)
- Re: Wake-up call Joe Klein (Dec 30)