Snort mailing list archives

Norton AntiVirus Client Installation Server


From: Phil Wood <cpw () lanl gov>
Date: Fri, 25 Jul 2003 13:31:39 -0600

Folks,

If you have ever wanted to know what might be listening on udp port 38293
on your network, or, why you might see "scans" to it, then read on.  

I believe the systems listening on this port are Windows clients of a 
Norton AntiVirus Client "server".  The reason I am seeing probably more
than my share of scans from various servers around the Internet to port 38293
is that one of our networks is: 192.16.22.0 (which could be a bastardization
of 192.168.22.0, one of the non-routable type addresses used for internal
networks).

The udp packets have the following properties:

  IP total length: 44
  IP Protocol: 17
  UDP destination port: 38293
  First 4 bytes of data: 0x020a00c0
  Remaining bytes are one of two hex strings:
    1. 4c445650  4869434d  00000000 0000: "LDVPHiCM..."
    2. 4869434d  4869434d  00000000 0000: "HiCMHiCM..."

What cinched it for me was taking the source IP address of these packets
and seeing if it might be listening to port 80 [for me this trick sometimes
helps to understand an unresolvable IP address].  Lo and Behold:

=========== modified html ====================================================
  [html]
  [head]
  [meta NAME="GENERATOR" Content="Microsoft Developer Studio"]
  
  [meta HTTP-EQUIV="Content-Type" content="text/html; charset=iso-8859-1"]
  [meta NAME="Copyright" Content="Copyright 2001 Symantec Corporation"]
  
  [!-- Norton AntiVirus Client Installation --]
  [!-- Copyright 2001 Symantec Corporation --]
  
  [title]Norton AntiVirus Client Installation [/title]
  [/head]
  
      [frameset COLS="100%,*"]
          [frame SRC="OSCheck.htm"]
  
      [/frameset]
  
      [noframes]
          [b]
              This browser does not support FRAMESET. Please use Internet
              Explorer 4.0 or Higher.
              If you need assistance, please contact your system administrator
              or help desk staff.
          [/b]
      [/noframes]
  
  [/html]
==============================================================================

I assume that most if not all of the Symantec packets are benign, and the 
inordinate number that I see is just the luck of the draw.

Later,

Phil
-- 
Phil Wood, cpw () lanl gov
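The packet properties Phil lists above are specific enough to turn into a small detector. What follows is an added example, not code from Phil's post or from Snort: it builds raw IPv4/UDP datagrams, parses them back, and flags the ones that match the reported fingerprint (IP total length 44, protocol 17, UDP destination port 38293, data beginning 0x020a00c0 followed by "LDVPHiCM" or "HiCMHiCM"). The payload layout assumed here (4-byte prefix, 8-byte ASCII marker, then zero padding out to 16 bytes of data so the IP total length comes to 44) and the IP addresses and ports in the sample packets are constructed for the example.

```python
import socket
import struct

# Fingerprint reported in the post
TOTAL_LEN = 44
PROTO_UDP = 17
DST_PORT = 38293
MAGIC = bytes.fromhex("020a00c0")
MARKERS = {b"LDVPHiCM", b"HiCMHiCM"}


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_datagram(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal IPv4 + UDP datagram (UDP checksum left at 0)."""
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    total_len = 20 + udp_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64,
                         PROTO_UDP, 0, socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp_hdr + payload


def parse_ipv4_udp(pkt):
    """Return the fields we care about, or None if this is not IPv4/UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != PROTO_UDP or len(pkt) < ihl + 8:
        return None
    sport, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "total_len": total_len,
        "sport": sport,
        "dport": dport,
        "data": pkt[ihl + 8:ihl + udp_len],  # honour the UDP length field
    }


def classify(pkt):
    """Return the 8-byte marker string if pkt matches the fingerprint, else None."""
    f = parse_ipv4_udp(pkt)
    if f is None or f["total_len"] != TOTAL_LEN or f["dport"] != DST_PORT:
        return None
    data = f["data"]
    if not data.startswith(MAGIC):
        return None
    marker = data[4:12]
    return marker.decode("ascii") if marker in MARKERS else None


def report(packets):
    """List (source IP, marker) for every matching packet in a capture."""
    hits = []
    for pkt in packets:
        marker = classify(pkt)
        if marker is not None:
            hits.append((parse_ipv4_udp(pkt)["src"], marker))
    return hits


# Constructed sample "capture": two matching probes and two that should not match.
SAMPLE_PACKETS = [
    build_udp_datagram("203.0.113.5", "192.0.2.10", 38293, DST_PORT,
                       MAGIC + b"LDVPHiCM" + b"\x00" * 4),
    build_udp_datagram("198.51.100.7", "192.0.2.11", 1025, DST_PORT,
                       MAGIC + b"HiCMHiCM" + b"\x00" * 4),
    build_udp_datagram("198.51.100.7", "192.0.2.11", 1025, 38294,   # wrong port
                       MAGIC + b"HiCMHiCM" + b"\x00" * 4),
    build_udp_datagram("198.51.100.8", "192.0.2.12", 53, DST_PORT,   # wrong data
                       b"\x00" * 16),
]

if __name__ == "__main__":
    for src, marker in report(SAMPLE_PACKETS):
        print("%s -> udp/%d %s" % (src, DST_PORT, marker))
```

Feeding real captured datagrams (for instance the IP payload of frames pulled from a pcap) to `report` gives the list of sources to look up with the port-80 trick described above; because `classify` checks the length, port and payload prefix together, ordinary traffic to a coincidentally busy port is not reported.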


