Security Incidents mailing list archives

Re: UDP 28431 Scans


From: Matt Fearnow <matt () SANS ORG>
Date: Mon, 8 Jan 2001 17:27:20 -0500

From what I know, this is Hack'a'tack.

http://www.hack-a-tack.com/

and the post by Matt S. says the same:
http://www.sans.org/y2k/062300-1430.htm post by Matt Scarborough

Matt Fearnow
SANS GIAC Incident Handler
matt () sans org


At Monday 1/8/2001 04:30 PM, Crist Clark wrote:
We recently had a scan on UDP port 28431 walk across a number of class-C
sized networks. Here is a partial log entry,

 .
 .
 .
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.100:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.101:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.102:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.103:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.104:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.105:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.106:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.107:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.108:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.109:28431 29
 .
 .
 .

Note the source port never changes from 28432. About 1024 addresses were
covered without the timestamp rolling off of the same second. Then about
22 seconds later, the scan went across another net displaced from the others
by about 23808 addresses. Someone found a nice wide pipe in S. Korea to
scan the world through, huh?

I have not been able to find any definite information on what tool is
creating this or what is being searched for. Months ago on
INCIDENTS () SECURITYFOCUS COM it was hypothesized that this is an alternate
port for Hack'a'tack (usually associated with ports 31789/udp or 31791/udp),
but the evidence does not look conclusive:


http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D75%26mid%3D49967

A look at SANS GIAC, http://www.sans.org/giac.htm shows a lot of activity on
these ports starting about a year ago and occasional outbreaks since. However,
no one seems to have a clue what it is. Does anyone out there have an idea
what tool created this or what is being sought? Anyone have further ideas on
the Hack'a'tack theory? Thanks.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
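The sweep Crist describes (source port fixed at 28432, one class-C-sized block per second, a second burst about 22 seconds later and 23808 addresses away) is a pattern that can be pulled out of firewall logs mechanically rather than by eye. The Python below is an added example, not code from either poster or from SANS. It parses the log layout shown in the post, groups drops by (protocol, source address, source port, destination port), splits each group into time bursts, and reports bursts that hit many distinct hosts, then measures the time and address offset between consecutive bursts. The log lines inside it are constructed to mirror the pattern above (documentation ranges 192.0.2.0/24 and 192.0.95.0/24 stand in for aaa.bbb.ccc; the two trailing lines are unrelated noise), and the thresholds `min_targets` and `burst_gap_s` are assumptions.

```python
"""Detect a fixed-source-port UDP sweep in firewall drop logs (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Matches the layout quoted in the post, e.g.
#  6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> 192.0.2.100:28431 29
LOG_RE = re.compile(
    r"^\s*(?P<date>\d{1,2}[A-Za-z]{3}\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<action>\w+)\s+[<>](?P<iface>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<length>\d+)\s*$"
)


def _burst(time, net, first_host, count):
    """Build `count` constructed drop lines against consecutive hosts in `net`."""
    return [f" 6Jan2001  {time}   drop >hme0  udp 211.194.93.98:28432 -> "
            f"{net}.{first_host + i}:28431 29" for i in range(count)]


# Constructed sample log, not the original poster's data. Burst one mirrors the
# pattern in the post (ten consecutive hosts in one second, source port fixed);
# burst two is 22 s later and 93 /24s (23808 addresses) away; the last two lines
# are unrelated drops whose source port changes, so they must not be flagged.
SAMPLE_LOG = (
    [" ."]
    + _burst("7:38:46", "192.0.2", 100, 10)
    + _burst("7:39:08", "192.0.95", 100, 10)
    + [" 6Jan2001  7:39:10   drop >hme0  udp 198.51.100.7:40001 -> 192.0.2.10:137 78",
       " 6Jan2001  7:39:11   drop >hme0  udp 198.51.100.7:40002 -> 192.0.2.11:137 78"]
)


def parse_line(line):
    """Return a dict for a drop record, or None for anything else (e.g. ' .' markers)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(f"{d['date']} {d['time']}", "%d%b%Y %H:%M:%S")
    return {"ts": ts, "proto": d["proto"].lower(), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"])}


def find_sweeps(lines, min_targets=8, burst_gap_s=2.0):
    """Report bursts of >= min_targets distinct hosts from one (proto, src, sport, dport).

    Keying on the source port is what fingerprints this particular scanner; a tool
    that randomises its source port would be spread over many keys and missed here.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            groups[(rec["proto"], rec["src"], rec["sport"], rec["dport"])].append(rec)
    findings = []
    for (proto, src, sport, dport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        # Split the group into bursts wherever consecutive packets are > burst_gap_s apart.
        bursts, current = [], [recs[0]]
        for prev, cur in zip(recs, recs[1:]):
            if (cur["ts"] - prev["ts"]).total_seconds() > burst_gap_s:
                bursts.append(current)
                current = []
            current.append(cur)
        bursts.append(current)
        for b in bursts:
            targets = sorted({int(ipaddress.ip_address(r["dst"])) for r in b})
            if len(targets) < min_targets:
                continue
            findings.append({
                "proto": proto, "src": src, "sport": sport, "dport": dport,
                "start": b[0]["ts"],
                "span_s": (b[-1]["ts"] - b[0]["ts"]).total_seconds(),
                "targets": len(targets),
                "first": str(ipaddress.ip_address(targets[0])),
                "last": str(ipaddress.ip_address(targets[-1])),
                # True when every address between first and last was hit exactly once.
                "contiguous": targets[-1] - targets[0] == len(targets) - 1,
            })
    return findings


def burst_offsets(findings):
    """Time gap and address distance between consecutive bursts of the same scanner."""
    by_key = defaultdict(list)
    for f in findings:
        by_key[(f["src"], f["sport"], f["dport"])].append(f)
    out = []
    for (src, _sport, _dport), fs in by_key.items():
        fs.sort(key=lambda f: f["start"])
        for a, b in zip(fs, fs[1:]):
            out.append({"src": src,
                        "gap_s": (b["start"] - a["start"]).total_seconds(),
                        "address_offset": int(ipaddress.ip_address(b["first"]))
                        - int(ipaddress.ip_address(a["first"]))})
    return out


if __name__ == "__main__":
    sweeps = find_sweeps(SAMPLE_LOG)
    for f in sweeps:
        print(f)
    for o in burst_offsets(sweeps):
        print(o)
```

Run as-is it prints two sweep records (192.0.2.100-109 and 192.0.95.100-109, each ten contiguous hosts in zero seconds, source port 28432 to port 28431) and one offset record of 22 seconds and 23808 addresses, while the two noise lines are left alone because their source port differs. The address-offset figure is the kind of detail worth putting in an incident report: a constant stride between bursts suggests one tool walking a fixed list or stepping through address space, which is more useful for correlating reports from different sites than the port number alone.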

