Snort mailing list archives

RE: UDP 1434


From: "Counselman, Chris Contractor/Sverdrup" <chris.counselman () us army mil>
Date: Sat, 25 Jan 2003 11:23:25 -0600

From what I have seen in the past, 169.254.X.X is your IP. It is a
non-routable IP given by Windows to DHCP clients that can't grab a DHCP
address. It is possible for a NIC to have more than one IP; this might be
the case here. From that dump it looks like you have an infected
computer.

Chris

-----Original Message-----
From: jai [mailto:jai.s () net4india net] 
Sent: Saturday, January 25, 2003 9:51 AM
To: snort-users () lists sourceforge net; focus-ids () securityfocus com;
vuln-dev () securityfocus com; Paul Marcus
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] UDP 1434


Hi,

 Internet traffic on India's and Asia's networks has been affected
badly..... it's amazing.... seriously Microsoft sucks.. but it's fun !! :-)

Well, I found something new in this ... I think this worm spoofs the IP
address accordingly .... below is the tcpdump output, in which the host
169.254.198.47 is sending repeated packets to different networks...
but 169.254.198.47 is not our network.... after matching the MAC
address, it was originating from our IP, i.e. 202.71.129.197.

tcpdump output:

20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:2d:b2:12 ip 418: 169.254.198.47.4041 > 224.173.178.18.ms-sql-m:  udp 376 [ttl 1]
                         4500 0194 8e94 0000 0111 26d7 a9fe c62f
                         e0ad b212 0fc9 059a 0180 2294 0401 0101
                         0101 0101 0101 0101 0101 0101 0101 0101
                         0101 0101 0101 0101 0101 0101 0101 0101
                         0101 0101 0101 0101 0101 0101 0101 0101
                         0101
20:56:28.016820 0:2:b3:2f:a4:95 1:0:5e:58:ed:71 ip 418: 169.254.198.47.4041 > reserved-multicast-range-NOT-delegated.example.com.ms-sql-m:  udp 376 [ttl 1]
                         4500 0194 8e95 0000 0111 e5cb a9fe c62f
                         e658 ed71 0fc9 059a 0180 e189 0401 0101
                         0101 0101 0101 0101 0101 0101 0101 0101
                         0101 0101 0101 0101 0101 0101 0101 0101
                         0101 0101 0101 0101 0101 0101 0101 0101


On the router, the MAC address:
  Internet  202.71.129.197        157   0002.b32f.a495  ARPA   FastEthernet6/0

I am running Snort ... but it didn't detect it....

Rgds
Jai





----- Original Message -----
From: Paul Marcus <paulmarcus () mindspring com>
To: jai <jai.s () net4india net>
Cc: <snort-users () lists sourceforge net>
Sent: Saturday, January 25, 2003 8:20 PM
Subject: Re: [Snort-users] UDP 1434



http://forums.military.com/1/OpenTopic?a=tpc&s=78919038&f=409192893&m=4551982416

http://slashdot.org/articles/03/01/25/1245206.shtml?tid=109


On Sat, 2003-01-25 at 06:49, jai wrote:
Hi,


I am getting very high traffic on UDP 1434 ....

What might be the problem?

Rgds
Jai
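As an added example (not code from any poster in this thread), a small Python decoder that parses the first hex-dumped datagram quoted above and reports the indicators the thread discusses: the ms-sql-m (UDP/1434) 376-byte payload beginning 0x04 0x01 0x01 (the SQL Slammer worm that hit on 25 Jan 2003), the APIPA 169.254/16 source Chris points out, the multicast destination, and the TTL of 1. The sample bytes are copied from the quoted dump; the payload length is taken from the UDP header because tcpdump's default snaplen truncated the capture.

```python
import ipaddress
import struct

# Constructed sample: the first packet from the tcpdump -x output quoted in the
# thread (Ethernet header stripped; default 96-byte snaplen truncates the payload).
SAMPLE_HEX = """
4500 0194 8e94 0000 0111 26d7 a9fe c62f
e0ad b212 0fc9 059a 0180 2294 0401 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101 0101 0101 0101 0101 0101 0101 0101
0101
"""

def parse_ipv4_udp(hexdump):
    """Decode an IPv4/UDP datagram from tcpdump -x style hex text."""
    data = bytes.fromhex("".join(hexdump.split()))
    (ver_ihl, _tos, _total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP datagram")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", data[ihl:ihl + 8])
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "sport": sport, "dport": dport,
        # length declared by the UDP header, not the (truncated) capture
        "udp_payload_len": ulen - 8,
        "payload": data[ihl + 8:],
    }

def indicators(pkt):
    """Defender-side checks matching what the thread observed."""
    found = []
    # Slammer: UDP/1434, 376-byte payload, 0x04 then a run of 0x01 padding.
    # A full capture continues past the padding; key only on that prefix.
    if (pkt["dport"] == 1434 and pkt["udp_payload_len"] == 376
            and pkt["payload"][:4] == b"\x04\x01\x01\x01"):
        found.append("ms-sql-m UDP/1434, 376-byte payload 04 01 01 01: SQL Slammer")
    if ipaddress.IPv4Address(pkt["src"]).is_link_local:
        found.append("APIPA 169.254/16 source: attribute the host by MAC/ARP, not IP")
    if ipaddress.IPv4Address(pkt["dst"]).is_multicast:
        found.append("224/4 destination: a randomly chosen target, not a real session")
    if pkt["ttl"] == 1:
        found.append("TTL 1: default multicast TTL, this copy never leaves the segment")
    return found

if __name__ == "__main__":
    pkt = parse_ipv4_udp(SAMPLE_HEX)
    print(pkt["src"], "->", pkt["dst"], pkt["dport"], pkt["udp_payload_len"])
    for f in indicators(pkt):
        print(" -", f)
```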





