Security Incidents mailing list archives
Re: unusual UDP probes
From: rgula () SECURITYWIZARDS COM (Ron Gula)
Date: Wed, 5 Jan 2000 12:19:27 -0800
At 05:43 AM 1/5/00 -0800, you wrote:
For a couple of weeks now, we've had our eyes on a strange little UDP probe we've been getting. It doesn't match any known signatures (based on searching the whitehats.com arachNIDS database - which, by the way, is quite nice - and other security sites and trojan lists). The source port is always a low port (p <= 1024) and the destination is either 41763 or 55021, with 41763 being the more regular one. It doesn't match the trin00 or TFN profiles that have been posted, the volume is rather low (less than 10 packets a day per source address), and the probes don't seem coordinated (though volume has picked up slightly since the new year). Has anyone else seen these in the wild or otherwise? Any idea as to what might be generating it?
Could you post some payload content of the UDP packets?

Ron Gula
Network Security Wizards