Snort mailing list archives
RE: Strange UDP packets from MS Exchange servers
From: "Semerjian, Ohanes" <Semerjian.Ohanes () wcom com au>
Date: Tue, 30 Apr 2002 07:58:50 +0800
This doesn't look like it's a Trojan, because if it was then sure they'd need the packets back, so the return address would need to be a valid one. This could be a misconfiguration on your Exchange server.

Best Regards
Ohanes Semerjian

-----Original Message-----
From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com]
Sent: Tuesday, 30 April 2002 9:26
To: Snort List (E-mail)
Subject: [Snort-users] Strange UDP packets from MS Exchange servers

Hello,

I was wondering if anyone has seen this before? No one I've talked to so far has a clue. Basically we have two MS Exchange servers that send out UDP packets at random times throughout the day, all to non-existent networks and random destination ports each time. REALLY strange. Almost appears like trojan activity but there is current AV on each box and it doesn't detect anything. Anyone else seen this before? Thanks....

Sample packet traces (actually many more packets were sent, these are just samples of each destination port that was sent to):

04/26-14:11:43.316412 <Exchange server1>:4289 -> 192.168.1.170:1107
UDP TTL:122 TOS:0x0 ID:22909 IpLen:20 DgmLen:36
Len: 16
p'Q.....

04/26-14:44:09.447869 <Exchange server1>:2814 -> 192.168.1.170:1421
UDP TTL:122 TOS:0x0 ID:3428 IpLen:20 DgmLen:36
Len: 16
p'U.....

04/26-21:50:34.956200 <Exchange server2>:1303 -> 192.168.1.103:1066
UDP TTL:122 TOS:0x0 ID:51650 IpLen:20 DgmLen:36
Len: 16
.(.....w

04/26-07:18:33.852580 <Exchange server2>:4339 -> 192.168.1.102:1058
UDP TTL:122 TOS:0x0 ID:7775 IpLen:20 DgmLen:36
Len: 16
X'R.....

04/26-09:04:27.626759 <Exchange server1>:4897 -> 192.168.0.4:1395
UDP TTL:126 TOS:0x0 ID:19048 IpLen:20 DgmLen:36
Len: 16
p'B.....

04/26-09:04:27.627675 <Exchange server1>:4899 -> 192.168.0.4:1413
UDP TTL:126 TOS:0x0 ID:19560 IpLen:20 DgmLen:36
Len: 16
*......

04/26-09:27:15.556618 <Exchange server1>:2868 -> 192.168.0.4:3656
UDP TTL:126 TOS:0x0 ID:63924 IpLen:20 DgmLen:36
Len: 16
p'B.....

04/26-09:59:20.719032 <Exchange server1>:2154 -> 192.168.0.4:3748
UDP TTL:126 TOS:0x0 ID:59526 IpLen:20 DgmLen:36
Len: 16
p'B.....

04/26-09:59:20.719804 <Exchange server1>:2156 -> 192.168.0.4:3761
UDP TTL:126 TOS:0x0 ID:60038 IpLen:20 DgmLen:36
Len: 16
*......

04/27-06:45:39.602353 <Exchange server1>:3151 -> 192.168.1.101:1047
UDP TTL:122 TOS:0x0 ID:11807 IpLen:20 DgmLen:36
Len: 16
x'P.....

04/27-07:08:45.259531 <Exchange server2>:3567 -> 192.168.1.103:1492
UDP TTL:122 TOS:0x0 ID:60820 IpLen:20 DgmLen:36
Len: 16
.(.....w

04/27-08:00:54.340376 <Exchange server1>:1249 -> 192.168.1.101:1127
UDP TTL:122 TOS:0x0 ID:35814 IpLen:20 DgmLen:36
Len: 16
x'P.....

04/27-10:00:25.735930 <Exchange server2>:4442 -> 192.168.1.103:1538
UDP TTL:122 TOS:0x0 ID:64097 IpLen:20 DgmLen:36
Len: 16
.(.....w

04/27-15:15:40.966760 <Exchange server2>:1635 -> 192.168.1.103:1687
UDP TTL:122 TOS:0x0 ID:41850 IpLen:20 DgmLen:36
Len: 16
.(.....w

04/27-18:33:21.866192 <Exchange server1>:3432 -> 192.168.1.101:1985
UDP TTL:122 TOS:0x0 ID:65039 IpLen:20 DgmLen:36
Len: 16
`(A..,A.

04/27-21:58:44.742460 <Exchange server2>:3158 -> 192.168.1.103:1722
UDP TTL:122 TOS:0x0 ID:28910 IpLen:20 DgmLen:36
Len: 16
.(.....w

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
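As an added triage example (not from either poster), the script below parses Snort `-v` UDP records in the layout Paul posted and summarises, per source host, what the thread is eyeballing by hand: distinct destination ports, repeated payload signatures, destinations outside the networks the site actually has, and whether the traffic fits "fixed-size datagrams to several ephemeral ports on unknown networks". `KNOWN_NETS` is a hypothetical site setting; the four embedded records are copied from the trace above with the hex dump omitted as in the post.

```python
import re
import ipaddress
from collections import defaultdict, Counter

# Four records from Paul's trace, in the one-line form the archive shows.
SAMPLE = """\
04/26-14:11:43.316412 <Exchange server1>:4289 -> 192.168.1.170:1107 UDP TTL:122 TOS:0x0 ID:22909 IpLen:20 DgmLen:36 Len: 16 p'Q.....
04/26-14:44:09.447869 <Exchange server1>:2814 -> 192.168.1.170:1421 UDP TTL:122 TOS:0x0 ID:3428 IpLen:20 DgmLen:36 Len: 16 p'U.....
04/26-09:04:27.626759 <Exchange server1>:4897 -> 192.168.0.4:1395 UDP TTL:126 TOS:0x0 ID:19048 IpLen:20 DgmLen:36 Len: 16 p'B.....
04/26-21:50:34.956200 <Exchange server2>:1303 -> 192.168.1.103:1066 UDP TTL:122 TOS:0x0 ID:51650 IpLen:20 DgmLen:36 Len: 16 .(.....w
"""

# One UDP record as printed by `snort -v`; \s+ between fields accepts Snort's multi-line layout too.
_REC = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<src>.+?):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>.+?):(?P<dport>\d+)\s+UDP\s+TTL:\d+\s+TOS:\S+\s+ID:\d+\s+IpLen:\d+\s+"
    r"DgmLen:\d+\s+Len:\s*(?P<len>\d+)\s+(?P<payload>\S+)", re.MULTILINE)

KNOWN_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # hypothetical: nets this site really has

def parse_snort_udp(text):
    """One dict per UDP record found in the Snort output; numeric fields as int."""
    return [{k: int(v) if k in ("sport", "dport", "len") else v
             for k, v in m.groupdict().items()} for m in _REC.finditer(text)]

def unknown_dst(host):
    """True if host is a literal IP outside KNOWN_NETS; anonymised names give False."""
    try:
        return not any(ipaddress.ip_address(host) in n for n in KNOWN_NETS)
    except ValueError:
        return False

def triage(text, min_ports=3):
    """Per source: fixed-size UDP datagrams to several ephemeral ports on unknown nets."""
    by_src = defaultdict(list)
    for r in parse_snort_udp(text):
        by_src[r["src"]].append(r)
    report = {}
    for src, recs in by_src.items():
        dports = {r["dport"] for r in recs}
        lens = {r["len"] for r in recs}
        odd_dsts = sorted({r["dst"] for r in recs if unknown_dst(r["dst"])})
        report[src] = {
            "dst_ports": sorted(dports),
            "payload_sigs": Counter(r["payload"] for r in recs),
            "unknown_dst_hosts": odd_dsts,
            "suspicious": len(lens) == 1 and len(dports) >= min_ports
                          and min(dports) > 1023 and bool(odd_dsts),
        }
    return report
```

Run over a full `snort -v` capture the same regex works unchanged, because the field separators are matched with `\s+` rather than assuming one record per line.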
Current thread:
- Strange UDP packets from MS Exchange servers Sheahan, Paul (PCLN-NW) (Apr 29)
- RE: Strange UDP packets from MS Exchange servers Semerjian, Ohanes (Apr 29)