Snort mailing list archives

RE: UDP 1434


From: "Steven Rudolph" <srudolph () iocenter net>
Date: Sat, 25 Jan 2003 11:58:39 -0500

Major worm..
http://isc.incidents.org/analysis.html?id=180

        -----Original Message----- 
        From: jai [mailto:jai.s () net4india net] 
        Sent: Sat 1/25/2003 10:50 AM 
        To: snort-users () lists sourceforge net; focus-ids () securityfocus com; vuln-dev () securityfocus com; Paul Marcus 
        Cc: snort-users () lists sourceforge net 
        Subject: Re: [Snort-users] UDP 1434
        
        

        Hi, 

         Internet traffic on India's and Asia's networks has been affected 
        badly..... it's amazing.... seriously Microsoft sucks.. 
         but it's fun !! :-) 

        Well, I found something new in this... I think this worm spoofs the IP address. 
        Below is the tcpdump output, in which the host 169.254.198.47 is sending repeated 
        packets to different networks... 
        but 169.254.198.47 is not on our network... after matching the MAC address, 
        it was originating from our IP, i.e. 
        202.71.129.197.. 

        tcpdump output: 

        20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:2d:b2:12 ip 418: 169.254.198.47.4041 
        > 224.173.178.1 
        8.ms-sql-m:  udp 376 [ttl 1] 
                                 4500 0194 8e94 0000 0111 26d7 a9fe c62f 
                                 e0ad b212 0fc9 059a 0180 2294 0401 0101 
                                 0101 0101 0101 0101 0101 0101 0101 0101 
                                 0101 0101 0101 0101 0101 0101 0101 0101 
                                 0101 0101 0101 0101 0101 0101 0101 0101 
                                 0101 
        20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:58:ed:71 ip 418: 169.254.198.47.4041 
        > reserved-mult 
        icast-range-NOT-delegated.example.com.ms-sql-m:  udp 376 [ttl 1] 
                                 4500 0194 8e95 0000 0111 e5cb a9fe c62f 
                                 e658 ed71 0fc9 059a 0180 e189 0401 0101 
                                 0101 0101 0101 0101 0101 0101 0101 0101 
                                 0101 0101 0101 0101 0101 0101 0101 0101 
                                 0101 0101 0101 0101 0101 0101 0101 0101 


        Router ARP entry for the MAC address: 
          Internet  202.71.129.197        157   0002.b32f.a495  ARPA   FastEthernet6/0 

        I am running Snort, but it didn't detect it... 

        Rgds 
        Jai 





        ----- Original Message ----- 
        From: Paul Marcus <paulmarcus () mindspring com> 
        To: jai <jai.s () net4india net> 
        Cc: <snort-users () lists sourceforge net> 
        Sent: Saturday, January 25, 2003 8:20 PM 
        Subject: Re: [Snort-users] UDP 1434 


        > http://forums.military.com/1/OpenTopic?a=tpc&s=78919038&f=409192893&m=4551982416 
        > 
        > http://slashdot.org/articles/03/01/25/1245206.shtml?tid=109 
        > 
        > 
        > On Sat, 2003-01-25 at 06:49, jai wrote: 
        > > Hi, 
        > > 
        > > 
        > > I am getting very high traffic on UDP 1434.... 
        > > 
        > > What might be the problem? 
        > > 
        > > Rgds 
        > > Jai 
        > 
        > 
        > 



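The dump quoted above, decoded as an added example that is not part of the original thread: it parses the tcpdump `-x` hex of the first packet, verifies the IP header checksum, and flags the two traits Jai noticed, the 376-byte UDP datagram to port 1434 (ms-sql-m) and the link-local 169.254.x.x source address that no routed packet should legitimately carry. The byte values are copied from the dump; `HEXDUMP`, `parse_hexdump`, `decode` and `assess` are names chosen here.

```python
import ipaddress
import re
import struct

# Constructed input: the bytes of the first packet in the tcpdump -x dump quoted
# above; tcpdump's snaplen truncated the 376-byte payload, so 82 bytes survive.
HEXDUMP = """
4500 0194 8e94 0000 0111 26d7 a9fe c62f
e0ad b212 0fc9 059a 0180 2294 0401 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101
"""

def parse_hexdump(text):
    """Convert tcpdump -x style hex words into raw packet bytes."""
    return bytes.fromhex("".join(re.findall(r"[0-9a-fA-F]+", text)))

def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header with its checksum field zeroed."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode(pkt):
    """Decode the IPv4 and UDP headers; checksum_ok tells whether the IP header is intact."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr_csum = struct.unpack("!H", pkt[10:12])[0]
    computed = ip_checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl])
    sport, dport, udp_len = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return {
        "src": ipaddress.ip_address(pkt[12:16]), "dst": ipaddress.ip_address(pkt[16:20]),
        "ttl": pkt[8], "proto": pkt[9], "checksum_ok": computed == hdr_csum,
        "sport": sport, "dport": dport,
        "payload_len": udp_len - 8,   # as declared by the UDP length field (376 here)
        "payload": pkt[ihl + 8:],     # only the bytes the capture retained
    }

def assess(info):
    """Flag what the dump shows: a 376-byte UDP datagram to ms-sql-m/1434 opening
    with 0x04, and a link-local (169.254/16) source no routed packet should carry."""
    findings = []
    if (info["proto"] == 17 and info["dport"] == 1434
            and info["payload_len"] == 376 and info["payload"][:1] == b"\x04"):
        findings.append("376-byte UDP payload to port 1434 opening with 0x04")
    if info["src"].is_link_local:
        findings.append("link-local source %s on routed traffic, likely spoofed" % info["src"])
    return findings
```

The checksum verifies, so the link-local source was put there deliberately by the sender rather than by corruption in transit, which matches the ARP lookup showing the frames came from 202.71.129.197.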

