Security Incidents mailing list archives

Re: High port UDP probe?

From: mark () WHATNOT DEMON CO UK (Mark Rowe)
Date: Wed, 26 Apr 2000 17:27:08 +0100


In message <916B73552292D311B8AE0090277332B70AAE96@INFERNO>, Damian
Gerow <damian () ITACTICS COM> writes

This is most likely an automated scan looking for the trojan "Hack a
Tack". There are a number of web sites that maintain lists of common
Trojan/Backdoors and the TCP/UDP ports they use.

For example, http://www.onctek.com/trojanports.html

Hash: SHA1

This came up in our firewall:

Apr 24 08:48:01 <hostname> kernel: Packet log: unserved DENY eth0
PROTO=UDP 149.225.113.35:31790 xxx.xxx.xxx.xxx:31789 L=29:9 S=0x00
I=64598 T=115

What concerns me is both the destination port and the packet length.
I'm assuming that L=29:9 means 29 for the whole packet size, and 9 is
the UDP packet size.  Take away the UDP header, leaves you 1?  Am I
reading this correctly?


--
Mark Rowe
IT Security Consultant
Xinetica
Email: mark.rowe () xinetica com

Current thread:

Re: BIND 8.2.2.-P3, 0-day exploit, (continued)
- - - Re: BIND 8.2.2.-P3, 0-day exploit Ryan Russell (Apr 27)
    - Re: BIND 8.2.2.-P3, 0-day exploit Patrick Oonk (Apr 27)
    - regulary 137 and 524 port scan Cho Yongsang (Apr 27)
    - huge scans from www.oix.com jose (Apr 28)
    - I am popular today... Dirk Koopman (Apr 28)
    - Re: I am popular today... Ryan Sweat (Apr 28)
    - Analysis: AboveNet attacks Robert Graham (Apr 28)
    - Re: I am popular today... Ville (Apr 29)
    - Lots netbios scans (udp 137) Russell Fulton (Apr 30)
    - High port UDP probe? Damian Gerow (Apr 25)
    - Re: High port UDP probe? Mark Rowe (Apr 26)
    - Lots of scan on port 9520 Erick Perez (Apr 25)
    - possible bind worm? Roelof Temmingh (Apr 25)
    - Re: Rooted through in.identd on Red Hat 6.0 Erich Meier (Apr 20)
    - Re: Rooted through in.identd on Red Hat 6.0 Brett Glass (Apr 20)
    - Tools to analyze "captured" binaries? -Reply Network Security (Apr 20)
    - Re: Tools to analyze "captured" binaries? -Reply Ex Machina (Apr 22)
    - Port 137 scans on the rise Bryan Andersen (Apr 20)
    - Re: Port 137 scans on the rise horio shoichi (Apr 22)
- Re: CGI scans from Strauss.udel.edu -- They're back Network Security (Apr 17)