Security Incidents mailing list archives
RE: Strange UDP Activity
From: Rajiv Dighe <rdighe () SANDVINE com>
Date: Tue, 16 Apr 2002 13:09:30 -0400
Port 1067 is also used by Installation Bootstrap Protocol Server. Apparently on default win2k server install this port is utilized. Details are available at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q289241

This could be an attempt to map out hosts running win2k servers in default install.

This is apparently also used by HP boxes, i.e. you can set up one box to act as software installation server. So looks like this is not limited to Windows world.

Rajiv Dighe
Senior Software Engineer
Sandvine Inc.

-----Original Message-----
From: LAVELLE,MICHAEL (HP-PaloAlto,ex1) [mailto:mlavelle () hp com]
Sent: Tuesday, April 16, 2002 11:36 AM
To: incidents () securityfocus com
Subject: Strange UDP Activity

Greetings to the List,

I recently started seeing strange UDP traffic to my home DSL, which is included below. It has been active for the last 4 days at all hours. None of these IPs are DNS servers that I use, and much of the activity is when all of my computers are off. Google led me to port 1067 as being an SNMP port, but I have SNMP disabled on all devices at home, and the ACL blocks it anyway. Is there a new vulnerability going around that I missed? So far I have not read anything on the list that looks like this...any ideas?

Thanks for listening,
Mike
___________________________
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.112.36.4(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.32.64.12(53) -> X.X.55.121(1067), 5 packets
Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) -> X.X.55.121(1067), 1 packet
Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.5.5.241(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.9.0.107(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 193.0.14.129(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.8.10.90(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.63.2.53(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.203.230.10(53) -> X.X.55.121(1067), 6 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.4(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.10(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 3 packets

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
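
Added example, not part of the original messages: a Python triage helper that parses ACL log lines in the format quoted above and groups denied flows by destination port, so the number of distinct senders, their source ports and the packet totals can be read at a glance. The sample lines are constructed with documentation addresses, and the fixed_source_port flag with its threshold is a hypothetical heuristic.

```python
import re
from collections import defaultdict

# Format of the router ACL log lines quoted in the message above.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8}): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\w+) (?P<src>[^\s(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[^\s(]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?$"
)

# Constructed sample input (RFC 5737 documentation addresses, not the page's data).
SAMPLE = """\
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.17(53) -> 203.0.113.10(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.51.100.33(53) -> 203.0.113.10(1067), 4 packets
Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.0.2.12(53) -> 203.0.113.10(1067), 1 packet
Apr 14 22:50:01: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.51.100.99(40000) -> 203.0.113.10(161), 1 packet
Apr 14 22:50:02: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
"""

def summarize(lines):
    """Group denied flows by (protocol, destination, destination port)."""
    groups = defaultdict(lambda: {"sources": set(), "sports": set(),
                                  "packets": 0, "first": None, "last": None})
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "denied":
            skipped += 1          # other syslog messages, permits, damaged lines
            continue
        g = groups[(m["proto"], m["dst"], int(m["dport"]))]
        g["sources"].add(m["src"])
        g["sports"].add(int(m["sport"]))
        g["packets"] += int(m["pkts"])
        g["first"] = g["first"] or m["ts"]
        g["last"] = m["ts"]
    return dict(groups), skipped

def fixed_source_port(group, min_sources=3):
    """Hypothetical flag: several senders all using one source port; returns it or None."""
    if len(group["sources"]) >= min_sources and len(group["sports"]) == 1:
        return next(iter(group["sports"]))
    return None

if __name__ == "__main__":
    groups, skipped = summarize(SAMPLE.splitlines())
    for (proto, dst, dport), g in sorted(groups.items()):
        print(f"{proto} -> {dst}:{dport} sources={len(g['sources'])} packets={g['packets']} "
              f"{g['first']} .. {g['last']} fixed_sport={fixed_source_port(g)}")
    print("unparsed or non-denied lines:", skipped)
```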