Security Incidents mailing list archives
Re: UDP Probes (?) from port 28432 to 28431 ?
From: Xander.Jansen () SURFNET NL (Xander Jansen)
Date: Thu, 9 Mar 2000 14:07:29 +0100
Hi Klaus,

In your message of Tue, 7 Mar 2000 17:17:36 +0100 you wrote:

+ > Has anyone seen UDP subnet-sweeps to port 28431 ? We've received a few
+ > reports over the last months about rather persistent and recurring subnet-scans
+ > targeted at this specific port. All the probes are short UDP packets with
+ > source port 28432 and destination port 28431. Typical pattern is also that
+ > within a few seconds a complete subnet (/24 for example) is probed on this
+ > port (and this port only). (I'm sorry to say that we don't have any info
+ > on the contents of these packets yet).
+ >
+ > I was wondering if anyone knows about either a valid or malicious
+ > application using these ports (I couldn't find any reference in the usual
+ > portlists) ?
+
+ The pattern reminds me of the HACK'A'TACK scans (UDP 33790 -> 33789)
+ Perhaps somebody has changed the configs ?

The Hack'a'Tack similarity is striking indeed. Yesterday I combined various logs dating back to June 1999 and from different sources (many thanks to Rene Pfeiffer !) and concentrated on the Hack'a'Tack ports (31790/31789) and the two 'new' ones. Basically these are the (somewhat biased) results:

The over 19000 log entries contained probes from 1887 different sources. Targets in this case were addresses in the 194.171/16 and 195.230/16 ranges. Of the sources the majority originated in the 194.170/16 and 195.229/16 ranges (1815 of them, the other 72 were the usual dialup suspects). Note the subtle 'off-by-one' difference.

Hack'a'Tack (the client part) has (at least) two features that might be relevant here:

1) Very fast subnet-scanning
2) The 'Scan above' button

Feature 1) explains the fast subnet-sweeps; feature 2) explains, I think, the 'off-by-one' difference in source and target netblocks. Hack'a'Tack asks for a starting address to start the scan with. Now if someone from within 194.170/16 wants to scan for Hack'a'Tack servers he/she fills in for example 194.170.246.n, presses 'Scan above' and before you know it (feature 1) the scan continues with addresses in the 194.171/16 range.

So I guess this is indeed a new or reconfigured version of Hack'a'Tack (I didn't check the latest version yet) or something using the same scan-engine, and the probe victims in this case are just innocent bystanders who happen to have IP addresses in a neighbouring range of the source.

Anyway, many thanks to all who replied !

Cheers,

Xander
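The sweep signature described in this thread (a fixed UDP source/destination port pair hitting a whole /24 within seconds, from a source whose /16 is one below the target's /16) can be picked out of firewall logs mechanically. The script below is an added example, not code from the list or its posters; the log format and the sample lines are constructed, and the 28432 -> 28431 ports and 194.170/16 -> 194.171/16 ranges are the ones reported above.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <src>:<sport> -> <dst>:<dport> <proto>".
# One host in 194.170/16 sweeps 194.171.5.0/24 on UDP 28432 -> 28431 within
# three seconds; the last two lines are unrelated noise that must not match.
SAMPLE_LOG = [
    f"2000-03-04T10:00:0{i % 4} 194.170.246.12:28432 -> 194.171.5.{i}:28431 UDP"
    for i in range(1, 41)
] + [
    "2000-03-04T10:00:05 194.170.246.12:1025 -> 194.171.5.1:53 UDP",
    "2000-03-04T10:30:00 195.229.1.9:28432 -> 195.230.77.8:28431 UDP",
]

def parse_line(line):
    ts, src, _, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(sip),
            "sport": int(sport), "dst": ipaddress.ip_address(dip),
            "dport": int(dport), "proto": proto}

def find_sweeps(lines, min_hosts=16, window=timedelta(seconds=10)):
    """Group UDP packets by (source, sport, dport, target /24) and report groups
    that reach at least min_hosts distinct targets inside `window`. Each hit is
    also checked for the 'off-by-one' /16 pattern: target /16 == source /16 + 1."""
    groups = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["proto"] != "UDP":
            continue
        net = ipaddress.ip_network(f"{rec['dst']}/24", strict=False)
        groups[(rec["src"], rec["sport"], rec["dport"], net)].append(rec)
    sweeps = []
    for (src, sport, dport, net), recs in groups.items():
        hosts = {r["dst"] for r in recs}
        times = sorted(r["ts"] for r in recs)
        if len(hosts) < min_hosts or times[-1] - times[0] > window:
            continue
        src16 = ipaddress.ip_network(f"{src}/16", strict=False)
        next16 = ipaddress.ip_network(f"{src16.network_address + 65536}/16")
        sweeps.append({"src": str(src), "ports": (sport, dport), "target": str(net),
                       "hosts": len(hosts),
                       "seconds": (times[-1] - times[0]).total_seconds(),
                       "off_by_one": net.network_address in next16})
    return sweeps

if __name__ == "__main__":
    for sweep in find_sweeps(SAMPLE_LOG):
        print(sweep)
```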