Security Incidents mailing list archives

strange UDP 5400 traffic


From: "Maarten" <cryppie () softhome net>
Date: Fri, 29 Mar 2002 19:15:41 +0100

Hi all,

Today my IDS detected some strange traffic on our network. One of the
workstations (W98) of one of our administrators suddenly started a
connection to an internet machine and tried to deliver packages on UDP port
5400 of that machine. Fortunately, UDP connections are not allowed from the
internal to the external network, but still.... While investigating the
workstation, nothing suspicious could be found, but it kept trying to reach
that Internet machine.

The closest trojan I could match to UDP 5400 was BladeRunner ( (c) 1999 ),
but the signature of BladeRunner was not present on the client. Also neither
a trojan checking program (PestPatrol) nor anti virus software (McAfee)
noticed something suspicious on the drives.

Anyone here got any ideas, experienced something like this before or knows
how to make some more sense out of the packets captured by snort (example
attached to e-mail)?

kind regards, maarten


==================
Header: 4 5 0 60028 1282 0 0 128 60373
===
length = 4063

000 : 7F 11 3F 16 13 60 8B 7A 99 04 97 9F 48 B8 CB 28 .?..`.z....H..(
010 : 51 69 BF 19 9B BD 0E 0F 30 37 26 BA 5D 11 A7 7D Qi......07&.]..}
020 : E8 73 61 D1 ED 39 10 60 A5 4F D0 E6 CC E7 8E 50 .sa..9.`.O.....P
030 : 5F 9A 47 AF 43 94 6D 6B CA 84 CD 55 89 E1 BD 03 _.G.C.mk...U....



Attachment: udp-1703-to-5400.txt.txt

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
