Educause Security Discussion mailing list archives

Re: Traffic to UDP Port 80


From: Andres Almanza <araja1014 () YAHOO ES>
Date: Fri, 26 Oct 2007 14:20:21 +0000

The problem with running "ps" or "who" is that the machine could have a rootkit. Take a ps or who from another Linux and probe.



----- Original Message ----
From: Matthew Gracie <graciem () CANISIUS EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Friday, 26 October 2007 9:12:14
Subject: Re: [SECURITY] Traffic to UDP Port 80

John Kristoff wrote:
On Fri, 26 Oct 2007 08:41:23 -0400
"Babb, Robert" <babbr () UNION EDU> wrote:

I've seen a couple of instances where a MAC is sending huge amounts
of traffic to a computer in the Netherlands.  Source port always UDP 57xxx
and the dest. port is always UDP port 80.  Has anybody else ever seen this?
Anybody know what could cause it?

A Macintosh or a MAC address?  Not that it matters much, but yes this
sort of thing is not uncommon.  Are these hosts typically unix-based,
running SSH?  It's also not uncommon for an account to have been brute
forced whereupon a simple Perl-based UDP flooder is run from the account.

John

One quick test is to run "who" and "ps" on the machine, and look for a
process named something like "udp.pl". That seems to be a pretty common
flooding utility that the kids are using these days.

--Matt

-- 
Matt Gracie                (716) 888-2403
Information Security Administrator  graciem () canisius edu
Canisius College ITS            425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg    
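
The two checks suggested in the thread (Matt's "look for udp.pl in ps", and Andres's warning that a trojaned ps will lie) can be combined into one host audit. The script below is an added example and is not code from anyone in this thread; it parses `ps -eo pid,user,args` output, compares the PIDs it reports with the numeric entries in /proc (a PID present in /proc but absent from ps is a classic userland-rootkit indicator), flags processes whose command line contains udp.pl, and decodes /proc/net/udp to list UDP sockets connected to remote port 80. The sample ps output, /proc listing and /proc/net/udp lines are constructed; the `audit_live` helper is an assumption about how one would run the same checks on a real Linux host.

```python
"""Host audit for the symptoms discussed in the thread: a udp.pl flooder and
PIDs hidden from ps.  Added example; all sample data below is constructed."""
import os
import re
import socket
import struct
import subprocess
from typing import Dict, Iterable, List, Set

# Constructed sample of `ps -eo pid,user,args --no-headers` output.
SAMPLE_PS = """\
    1 root     /sbin/init
  842 root     /usr/sbin/sshd
 1337 www      perl udp.pl 192.0.2.10 80 0 0
 2048 alice    -bash
"""

# Constructed /proc directory listing.  PID 3141 exists in /proc but is
# missing from SAMPLE_PS, which is what a replaced ps binary would produce.
SAMPLE_PROC_ENTRIES = ["1", "842", "1337", "2048", "3141", "cpuinfo", "net", "self"]

# Constructed /proc/net/udp lines.  Addresses are little-endian hex IPv4 and
# hex ports; socket 1 is 192.0.2.15:57587 connected to 192.0.2.10:80.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 12345 2 0000000000000000 0
   1: 0F0200C0:E0F3 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 67890 2 0000000000000000 0
"""

PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*)$")


def parse_ps(output: str) -> Dict[int, Dict[str, str]]:
    """Map PID -> {user, args} from `ps -eo pid,user,args --no-headers` text."""
    procs: Dict[int, Dict[str, str]] = {}
    for line in output.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = {"user": m.group(2), "args": m.group(3).strip()}
    return procs


def proc_pids(entries: Iterable[str]) -> Set[int]:
    """Numeric directory names under /proc are live PIDs."""
    return {int(e) for e in entries if e.isdigit()}


def hidden_pids(proc_entries: Iterable[str], ps_procs: Dict[int, Dict[str, str]]) -> Set[int]:
    """PIDs the kernel exposes in /proc that ps did not report.  A process can
    also exit between the two snapshots, so re-sample before concluding."""
    return proc_pids(proc_entries) - set(ps_procs)


def flooder_candidates(ps_procs: Dict[int, Dict[str, str]], patterns=("udp.pl",)) -> List[int]:
    """PIDs whose command line mentions a known flooder script name."""
    return sorted(pid for pid, p in ps_procs.items() if any(pat in p["args"] for pat in patterns))


def _decode_addr(hex_addr: str):
    """'0A0200C0:0050' -> ('192.0.2.10', 80): the kernel prints IPv4 as a
    little-endian 32-bit hex word followed by a big-endian hex port."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def udp_sockets_to_port(table: str, port: int = 80) -> List[Dict[str, object]]:
    """UDP sockets from a /proc/net/udp dump whose remote port equals `port`."""
    hits = []
    for line in table.splitlines():
        fields = line.split()
        if not fields or not fields[0].endswith(":"):
            continue  # header line
        lip, lport = _decode_addr(fields[1])
        rip, rport = _decode_addr(fields[2])
        if rport == port:
            hits.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                         "uid": int(fields[7]), "inode": int(fields[9])})
    return hits


def audit_live() -> Dict[str, object]:
    """Run the same checks on the running host (Linux only; assumed usage).
    Per Andres's point, run it with a ps copied from a trusted system."""
    ps_out = subprocess.run(["ps", "-eo", "pid,user,args", "--no-headers"],
                            capture_output=True, text=True, check=True).stdout
    procs = parse_ps(ps_out)
    with open("/proc/net/udp") as fh:
        table = fh.read()
    return {"hidden": hidden_pids(os.listdir("/proc"), procs),
            "flooders": flooder_candidates(procs),
            "udp_to_80": udp_sockets_to_port(table)}


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    print("hidden PIDs:", hidden_pids(SAMPLE_PROC_ENTRIES, procs))
    print("flooder candidates:", flooder_candidates(procs))
    print("UDP sockets to port 80:", udp_sockets_to_port(SAMPLE_PROC_NET_UDP))
```

Two caveats follow from the thread itself: a kernel-level rootkit can filter /proc as easily as a trojaned ps filters its output, so a clean result here does not clear the host, and the socket inode can be tied back to a PID by matching it against the `socket:[inode]` links under /proc/<pid>/fd when you need to know which process owns the connection.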
