Security Incidents mailing list archives
Re: UDP 28431 Scans
From: Matt Fearnow <matt () SANS ORG>
Date: Mon, 8 Jan 2001 17:27:20 -0500
From what I know this is Hack a tack. http://www.hack-a-tack.com/ and the post by Matt S. says the same: http://www.sans.org/y2k/062300-1430.htm (post by Matt Scarborough).

Matt Fearnow
SANS GIAC Incident Handler
matt () sans org

At Monday 1/8/2001 04:30 PM, Crist Clark wrote:

We recently had a scan on UDP port 28431 walk across a number of class-C sized networks. Here is a partial log entry,

. . .
6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.100:28431 29
6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.101:28431 29
6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.102:28431 29
6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.103:28431 29
6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.104:28431 29
6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.105:28431 29
6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.106:28431 29
6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.107:28431 29
6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.108:28431 29
6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.109:28431 29
. . .

Note the source port never changes from 28432. About 1024 addresses were covered without the timestamp rolling off of the same second. Then about 22 seconds later, the scan went across another net displaced from the others by about 23808 addresses. Someone found a nice wide pipe in S. Korea to scan the world through, huh?

I have not been able to find any definite information on what tool is creating this or what is being searched for. Months ago on INCIDENTS () SECURITYFOCUS COM it was hypothesized that this is an alternate port for Hack'a'tack (usually associated with ports 31789/udp or 31791/udp), but the evidence does not look conclusive, http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D75%26mid%3D49967

A look at SANS GIAC, http://www.sans.org/giac.htm shows a lot of activity on these ports starting about a year ago and occasional outbreaks since. However, no one seems to have a clue what it is.

Does anyone out there have an idea what tool created this or what is being sought? Anyone have further ideas on the Hack'a'tack theory? Thanks.

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
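The log lines quoted above (FW-1 style: date, time, action, interface, protocol, src:port -> dst:port, length) can be checked automatically for the pattern Crist describes: one source hitting many consecutive destinations on the same UDP port within a second or two, with the source port never changing. The following is an added example, not code from the thread or from SANS; the parser, thresholds and the sample lines (RFC 5737 documentation addresses) are all constructed here.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Matches the quoted firewall log format, e.g.
# "6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.100:28431 29"
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}[A-Za-z]{3}\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<action>\w+)\s+(?P<iface>[<>]?\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<len>\d+)$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%d%b%Y %H:%M:%S")
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec

def find_sweeps(lines, min_hosts=8, window_s=60):
    """Group packets by (src, proto, dport) and report groups that reach many
    distinct destinations inside window_s. Each alert also records whether the
    source port stayed fixed (the detail noted in the thread) and whether the
    destinations form one contiguous address run (a sequential sweep)."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["src"], rec["proto"], rec["dport"])].append(rec)
    alerts = []
    for (src, proto, dport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        hosts = {r["dst"] for r in recs}
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(hosts) < min_hosts or span > window_s:
            continue
        addrs = sorted(int(ipaddress.ip_address(h)) for h in hosts)
        alerts.append({
            "src": src, "proto": proto, "dport": dport, "hosts": len(hosts),
            "span_s": span,
            "fixed_sport": len({r["sport"] for r in recs}) == 1,
            "contiguous": addrs[-1] - addrs[0] + 1 == len(addrs),
        })
    return alerts

SAMPLE = [  # constructed sample: a 10-host sweep plus one unrelated drop
    f"6Jan2001 7:38:46 drop >hme0 udp 203.0.113.5:28432 -> 198.51.100.{i}:28431 29"
    for i in range(100, 110)
] + ["6Jan2001 7:40:01 drop >hme0 udp 203.0.113.7:4321 -> 198.51.100.1:53 40"]
```

Running find_sweeps(SAMPLE) yields one alert for 203.0.113.5 with fixed_sport and contiguous both true; on real logs, raise min_hosts toward the 1024-per-second rate reported above to cut noise from ordinary DNS or NTP traffic.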
Current thread:
- UDP 28431 Scans Crist Clark (Jan 08)
- Re: UDP 28431 Scans Matt Fearnow (Jan 08)