Security Incidents mailing list archives

Re: UDP Probes (?) from port 28432 to 28431 ?


From: Xander.Jansen () SURFNET NL (Xander Jansen)
Date: Thu, 9 Mar 2000 14:07:29 +0100


Hi Klaus,

In your message of Tue, 7 Mar 2000 17:17:36 +0100 you wrote:

+  > Has anyone seen UDP subnet-sweeps to port 28431 ? We've received a few
+  > reports the last months about rather persistent and recurring subnet-scans
+  > targetted at this specific port. All the probes are short UDP packets with
+  > source port 28432 and destination port 28431. Typical pattern is also that
+  > within a few seconds a complete subnet (/24 for example) is probed on this
+  > port (and this port only). (I'm sorry to say that we don't have any info
+  > on the contents of these packets yet).
+  >
+  > I was wondering if anyone knows about either a valid or malicious
+  > application using these ports (I couldn't find any reference in the usual
+  > portlists) ?
+
+ The pattern reminds me of the HACK'A'TACK scans (UDP 33790 -> 33789)
+ Perhaps somebody has changed the configs ?

The Hack'a'Tack similarity is striking indeed. Yesterday I combined various
logs dating back to June 1999 and from different sources (many thanks to
Rene Pfeiffer !) and concentrated on the Hack'a'tack ports (31790/31789)
and the two 'new' ones. Basically these are the (somewhat biased) results:

The over 19000 log entries contained probes from 1887 different sources.
Targets in this case were addresses in the 194.171/16 and 195.230/16
ranges. Of the sources the majority originated in the 194.170/16 and
195.229/16 ranges (1815 of them, the other 72 were the usual
dialup-suspects). Note the subtle 'off-by-one' difference.

Hack'a'tack (the client part) has (at least) two features that might be
relevant here:

1) Very fast subnet-scanning
2) The 'Scan above' button

Feature 1) explains the fast subnet-sweeps; feature 2), I think, explains the
'off-by-one' difference in source and target netblocks. Hack'a'tack asks
for a starting address to start the scan with. Now if someone from within
194.170/16 wants to scan for Hack'a'tack-servers he/she fills in for
example 194.170.246.n, presses 'Scan above' and before you know it (feature 1)
the scan continues with addresses in the 194.171/16 range.

So I guess this is indeed a new or reconfigured version of Hack'a'tack (I
didn't check the latest version yet) or something using the same
scan-engine and the probe-victims in this case are just innocent bystanders
who happen to have IP-addresses in a neighbour-range of the source.

Anyway, many thanks to all who replied !

Cheers,

Xander


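The detection logic implied by the message above (fixed source/destination UDP
port pair, a whole /24 hit within a few seconds, and a source sitting in the
/16 just below the targets), as an added example that is not part of the
original thread and not anyone's posted code. The log line format, the sample
log itself, the window of 5 seconds and the threshold of 8 distinct hosts are
all assumptions made for the example.

```python
"""Flag fixed-port UDP subnet sweeps of the Hack'a'Tack kind in a flow log.

Added example; not code from the original mailing-list thread. The line
format, thresholds and sample log below are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Source/destination port pairs discussed in the thread: the Hack'a'Tack
# scanner pair and the "new" pair from the reports.
SUSPECT_PAIRS = {(31790, 31789), (28432, 28431)}

# Assumed log line format: "<YYYY-MM-DD HH:MM:SS> UDP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UDP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str) -> dict | None:
    """Parse one log line into a record, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def adjacent_slash16(src, dst) -> bool:
    """True when dst lies in the /16 directly above the /16 of src, i.e. the
    'off-by-one' pattern (194.170/16 sources probing 194.171/16 targets)."""
    src_net = ipaddress.ip_network(f"{src}/16", strict=False)
    dst_net = ipaddress.ip_network(f"{dst}/16", strict=False)
    return int(dst_net.network_address) - int(src_net.network_address) == 2 ** 16


def find_sweeps(lines, window_seconds: int = 5, min_hosts: int = 8) -> list[dict]:
    """Group suspect probes by (source, target /24, port pair) and report groups
    where one source hit at least min_hosts distinct hosts of that /24 inside a
    window of window_seconds. Each report also says whether the source sits in
    the neighbouring /16 below the targets."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or (rec["sport"], rec["dport"]) not in SUSPECT_PAIRS:
            continue
        target24 = ipaddress.ip_network(f"{rec['dst']}/24", strict=False)
        groups[(rec["src"], target24, rec["sport"], rec["dport"])].append(rec)

    sweeps = []
    for (src, net, sport, dport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        # Sliding window over timestamps: most distinct hosts seen in any window.
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({r["dst"] for r in recs[start:end + 1]}))
        if best >= min_hosts:
            sweeps.append({
                "src": str(src),
                "target": str(net),
                "ports": f"{sport}->{dport}",
                "hosts_in_window": best,
                "neighbour_range": adjacent_slash16(src, net.network_address),
            })
    return sweeps


# Constructed sample log (not from the original reports): a fast /24 sweep from
# the neighbouring /16, a slow three-host probe, a sweep from an unrelated
# source, an unrelated UDP flow, and a malformed line.
SAMPLE_LOG = (
    [f"2000-03-07 17:10:{i // 4:02d} UDP 194.170.246.17:28432 -> 194.171.12.{i + 1}:28431"
     for i in range(12)]
    + [f"2000-03-07 17:12:{i:02d} UDP 195.229.5.5:31790 -> 195.230.7.{i + 1}:31789"
       for i in range(3)]
    + [f"2000-03-07 17:15:{i // 5:02d} UDP 10.0.0.9:28432 -> 194.171.44.{i + 1}:28431"
       for i in range(10)]
    + ["2000-03-07 17:10:00 UDP 194.170.1.1:1024 -> 194.171.12.5:53", "garbage"]
)


def demo() -> list[dict]:
    """Run the detector over the constructed sample log."""
    return find_sweeps(SAMPLE_LOG)


if __name__ == "__main__":
    for s in demo():
        print(s)
```

Grouping by (source, target /24) rather than by source alone is what makes the
neighbour-range check meaningful: a scanner that started in 194.170/16 and ran
past the boundary shows up as many /24 groups whose targets all lie one /16
above the source, while a dialup source shows the same sweep shape but fails
that check.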