Educause Security Discussion mailing list archives

FW: Traffic to UDP Port 80


From: "Babb, Robert" <babbr () UNION EDU>
Date: Fri, 26 Oct 2007 12:10:13 -0400

Hi All,

Thanks for your replies.  Our situation turned out to be the same as this one: "a UDP port 80 flood outbound from a compromised host some time back. It was an OSX box".  The compromised machine has been removed from the network.

Thank You,

Robert Babb
Union College Network Manager
Information Technology Services





-----Original Message-----
From: Curt Wilson [mailto:curtw () SIU EDU]
Sent: Friday, October 26, 2007 11:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Traffic to UDP Port 80

Babb, Robert wrote:
Hi,

I've seen a couple of instances where a MAC is sending huge amounts of traffic to a computer in the Netherlands.  Source port always UDP 57xxx and the dest. port is always UDP port 80.  Has anybody else ever seen this?  Anybody know what could cause it?


We saw a UDP port 80 flood outbound from a compromised host some time back. It was an OSX box that was compromised and some flooding tools installed. Not sure why those chose UDP 80.



--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237

GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
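
An added example, not part of the original messages: one way to surface the pattern described in this thread (an internal host sending large volumes of UDP to destination port 80) from exported flow records. The CSV layout, the addresses, the internal network range and the byte threshold are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow export (documentation/private addresses, not real data).
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,packets,bytes
10.1.4.23,57012,192.0.2.80,80,udp,480000,672000000
10.1.4.23,57344,192.0.2.80,80,udp,510000,714000000
10.1.7.5,51522,198.51.100.7,80,tcp,120,98000
10.1.9.9,53211,203.0.113.53,53,udp,4,512
10.1.9.9,40000,203.0.113.9,80,udp,3,420
"""


def udp80_flood_suspects(flow_csv, internal_net="10.0.0.0/8", min_bytes=100_000_000):
    """Return {(src, dst): total_bytes} for internal hosts sending heavy UDP to port 80.

    HTTP on port 80 runs over TCP, so sustained UDP to port 80 leaving the
    network is unusual and worth a closer look at the sending host.
    """
    internal = ipaddress.ip_network(internal_net)  # assumed campus range
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp" or int(row["dport"]) != 80:
            continue  # only UDP flows aimed at port 80
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if src not in internal or dst in internal:
            continue  # only internal sources talking to external hosts
        # Source ports change per flow (57xxx in the thread), so group by host pair.
        totals[(row["src"], row["dst"])] += int(row["bytes"])
    # Keep only pairs whose combined volume crosses the (assumed) threshold.
    return {pair: total for pair, total in totals.items() if total >= min_bytes}


if __name__ == "__main__":
    for (src, dst), total in udp80_flood_suspects(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst} udp/80: {total} bytes")
```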
