Re: attack

[Terry Bunch <bunchts () ATTENS COM>]

Blocking UDP to port 28800 is recommended by firewall manufacturers. It used
by Windows Keys.

Terry Bunch



----- Original Message -----
From: Tommy Axelsson <toaxe () THALAMUS SE>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, September 06, 2000 11:19 PM
Subject: attack


> Hello
>
> A couple of days ago we had an incident that forced us to reboot our
server
> that also works as a gateway.
> We are running Linux 6.2 and are using ip-masquerading and squid.
> First we had an unusual amount of icmp echo requests. Then there was a lot
> of udp datagrams of which only a few are shown below.
> The first batch of packets all came from dial-up connections. The second
> batch mostly came from adresses in Korea.
>
> Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from
> cx159639-a.irvn1.occa.home.com:13139 (32 data bytes)
> Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from
> modem-216.jewel-puffer.dialup.pol.co.uk:13139 (32 data bytes)
> Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from
> modem-171.imperator-angel.dialup.pol.co.uk:13139 (32 data bytes)
> Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
> lph2-2ac.twcny.rr.com:13139 (32 data bytes)
> Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
> pec-52-211.tnt1.b2.uunet.de:13139 (32 data bytes)
> Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
> modem-51.lemonpeel-angel.dialup.pol.co.uk:13139 (32 data bytes)
> Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
> nas-33-196.stockton.navipath.net:13139 (32 data bytes)
> Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
> 223-ALIC-X8.libre.retevision.es:13139 (32 data bytes)
> Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
> user35-67.jakinternet.co.uk:13139 (32 data bytes)
> Sep  3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from
> modem-250.blue-streak-damsel.dialup.pol.co.uk:13139 (32 data bytes)
> Sep  3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from
> sy-as-08-167.free.net.au:13139 (32 data bytes)
> Sep  3 13:09:20 gw iplog[3265]: UDP: dgram to gw:port 13139 from
> stargate238-55.salzburg-online.at:13139 (32 data bytes)
>
> Sep  3 16:50:08 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> ip238.kjnxr3.ras.tele.dk:28800 (4 data bytes)
> Sep  3 16:51:02 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> 211.169.161.39:28800 (4 data bytes)
> Sep  3 16:51:04 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> s210-219-151-19.thrunet.ne.kr:28800 (4 data bytes)
> Sep  3 16:51:06 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> s210-205-134-190.thrunet.ne.kr:28800 (4 data bytes)
> Sep  3 16:51:10 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> 211.110.18.217:28800 (4 data bytes)
> Sep  3 16:51:15 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> 211.38.104.212:28800 (4 data bytes)
> Sep  3 16:51:27 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> 210.182.122.45:28800 (4 data bytes)
> Sep  3 16:51:29 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> 211.58.34.139:28800 (4 data bytes)
> Sep  3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> 210.207.24.168:28800 (4 data bytes)
> Sep  3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> cr357836-a.flfrd1.on.wave.home.com:28800 (4 data bytes)
> Sep  3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> 211.200.19.78:28800 (4 data bytes)
> Sep  3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> ip66.portland8.or.pub-ip.psi.net:28800 (4 data bytes)
> Sep  3 16:51:38 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> 211.118.14.251:28800 (4 data bytes)
> Sep  3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> 210.113.82.165:28800 (4 data bytes)
> Sep  3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from
> 211.176.7.151:28800 (4 data bytes)
>
> Anyone who knows what this could be?
>
> Regards
>
> Tommy Axelsson