Educause Security Discussion mailing list archives
Re: Traffic to UDP Port 80
From: Andres Almanza <araja1014 () YAHOO ES>
Date: Fri, 26 Oct 2007 14:20:21 +0000
The problem with running "ps" or "who" is that the machine could have a rootkit. Take a ps or who from another Linux and probe.

----- Original message ----
From: Matthew Gracie <graciem () CANISIUS EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Friday, October 26, 2007 9:12:14
Subject: Re: [SECURITY] Traffic to UDP Port 80

John Kristoff wrote:
> On Fri, 26 Oct 2007 08:41:23 -0400 "Babb, Robert" <babbr () UNION EDU> wrote:
>> I've seen a couple of instances where a MAC is sending huge amounts of traffic to a computer in the Netherlands. Source port always UDP 57xxx and the dest. port is always UDP port 80. Has anybody else ever seen this? Anybody know what could cause it?
>
> A Macintosh or a MAC address? Not that it matters much, but yes this sort of thing is not uncommon. Are these hosts typically Unix-based, running SSH? It's also not uncommon for an account to have been brute forced whereupon a simple Perl-based UDP flooder is run from the account.
>
> John

One quick test is to run "who" and "ps" on the machine, and look for a process named something like "udp.pl". That seems to be a pretty common flooding utility that the kids are using these days.

--Matt

--
Matt Gracie (716) 888-2403
Information Security Administrator graciem () canisius edu
Canisius College ITS 425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
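Added example, not part of the thread: the traffic pattern reported above (heavy UDP to destination port 80) can also be found from flow records collected off the host, which does not depend on "ps" or "who" output from a machine that may be rootkitted. The CSV column layout, the sample rows, and the 10 MB threshold are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow export (not from the thread). Addresses are from
# the RFC 5737 documentation ranges; the column layout is hypothetical.
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
192.0.2.10,57012,198.51.100.7,80,udp,48000000,40000
192.0.2.10,57013,198.51.100.7,80,udp,52000000,43000
192.0.2.10,51544,203.0.113.5,80,tcp,90000000,70000
192.0.2.22,53311,198.51.100.9,53,udp,4200,30
192.0.2.31,57400,198.51.100.7,80,udp,1200,2
"""


def find_udp80_floods(flow_csv, min_bytes=10_000_000):
    """Return (src, dst, bytes, packets, src_ports) for heavy UDP/80 senders."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "ports": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # HTTP runs over TCP, so only UDP flows to port 80 are of interest.
        if row["proto"].lower() != "udp" or int(row["dst_port"]) != 80:
            continue
        # Aggregate per source/destination pair: a flooder changes source
        # ports between flows, so per-flow byte counts understate it.
        agg = totals[(row["src_ip"], row["dst_ip"])]
        agg["bytes"] += int(row["bytes"])
        agg["packets"] += int(row["packets"])
        agg["ports"].add(int(row["src_port"]))
    hits = [
        (src, dst, a["bytes"], a["packets"], sorted(a["ports"]))
        for (src, dst), a in totals.items()
        if a["bytes"] >= min_bytes
    ]
    # Largest senders first, so the worst host is triaged first.
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for src, dst, nbytes, pkts, ports in find_udp80_floods(SAMPLE_FLOWS):
        print(f"{src} -> {dst} udp/80: {nbytes} bytes, {pkts} packets, "
              f"source ports {ports}")
```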