Security Incidents mailing list archives
Re: unusual UDP probes
From: T_Esting () EXCITE COM (T.Esting)
Date: Wed, 5 Jan 2000 12:24:17 -0800
Ron -

I have timestamps in the logs, but I do not get log bodies by default (performance prohibitive for a high-speed link that gets as many blocked packets as we do). What I do know, assuming I'm interpreting the logs correctly, is that packet bodies (including the 20-byte UDP header) vary in length between 63, 87, 122, 232, and 237 bytes.

Erick.

On Wed, 05 Jan 2000 12:19:27 -0800, Ron Gula wrote:

At 05:43 AM 1/5/00 -0800, you wrote:
> For a couple of weeks now, we've had our eyes on a strange little UDP
> probe we've been getting. It doesn't match any known signatures (based on
> searching the whitehats.com arachNIDS database - which, by the way, is quite
> nice - and other security sites and trojan lists). The source port is
> always a low port (p <= 1024) and the destination is either 41763 or 55021,
> with 41763 being the more regular one. It doesn't match the trin00 or TFN
> profiles that have been posted, the volume is rather low (less than 10
> packets a day per source address), and the probes don't seem coordinated
> (though volume has picked up slightly since the new year). Has anyone else
> seen these in the wild or otherwise? Any idea as to what might be
> generating it?

Could you post some payload content of the UDP packets?

Ron Gula
Network Security Wizards
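
One way to triage blocked-packet logs for the probe profile described in this thread, as an added example that is not part of the original posts. The log layout, addresses and sample lines are constructed assumptions; only the destination ports, the source-port bound and the daily volume figure come from the thread.

```python
import re
from collections import Counter, defaultdict

PROBE_DPORTS = {41763, 55021}   # destination ports reported in the thread
MAX_SPORT = 1024                # "source port is always a low port (p <= 1024)"
LOW_VOLUME = 10                 # "less than 10 packets a day per source address"

# Hypothetical log layout, not any real firewall's format.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ DROP (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"len=(?P<length>\d+)$"
)

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
2000-01-04T03:11:02 DROP UDP 192.0.2.10:53 -> 198.51.100.7:41763 len=87
2000-01-04T09:40:51 DROP UDP 192.0.2.10:111 -> 198.51.100.7:41763 len=63
2000-01-04T10:02:13 DROP TCP 192.0.2.44:1023 -> 198.51.100.7:41763 len=60
2000-01-05T01:15:30 DROP UDP 203.0.113.5:1024 -> 198.51.100.9:55021 len=232
2000-01-05T01:15:31 DROP UDP 203.0.113.5:1025 -> 198.51.100.9:55021 len=237
2000-01-05T02:20:00 DROP UDP 203.0.113.77:137 -> 198.51.100.9:137 len=78
malformed line that the parser must skip
"""

def matches_profile(m):
    return (m["proto"] == "UDP"
            and int(m["sport"]) <= MAX_SPORT
            and int(m["dport"]) in PROBE_DPORTS)

def summarize(log_text):
    """Return (packet counts per (day, source), packet lengths per dest port)."""
    per_source_day = Counter()
    lengths = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not matches_profile(m):
            continue
        per_source_day[(m["day"], m["src"])] += 1
        lengths[int(m["dport"])].append(int(m["length"]))
    return per_source_day, dict(lengths)

def low_volume_sources(per_source_day):
    """Sources that stay under the daily threshold on every day they appear."""
    noisy = {src for (_, src), n in per_source_day.items() if n >= LOW_VOLUME}
    return sorted({src for (_, src) in per_source_day} - noisy)

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```

Grouping the recorded lengths by destination port makes it easy to compare against the sizes reported above even when packet bodies are not logged.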