Security Incidents mailing list archives
Strange UDP traffic
From: epadin () WAGWEB COM (Ed Padin)
Date: Fri, 14 Apr 2000 11:35:58 -0400
Hi, I'm seeing some strange traffic on the inside of my network going to a Linux ipmasqued firewall. Where x.x.x.x is the inside (private address range) of my firewall I see the traffic below. The traffic comes from a 0.0.0.0 address which is disconcerting. I'm not sure that any legit UDP traffic except for Bootp/dhcp should be coming from a zero address. I'm not familiar with any UDP exploits on these ports. The inside network has only Windoz 98 boxen and a Cisco router leading to another WAN. Any ideas?

Note: all below is UDP

Source IP   Source Port   Dest IP   Dest Port
---------   -----------   -------   ---------
0.0.0.0     1985          x.x.x.x   3143
0.0.0.0     1986          x.x.x.x   3143
0.0.0.0     1987          x.x.x.x   3143
0.0.0.0     1988          x.x.x.x   3143
0.0.0.0     1486          x.x.x.x   3906
0.0.0.0     1487          x.x.x.x   3906
0.0.0.0     1488          x.x.x.x   1970
0.0.0.0     1489          x.x.x.x   1970
0.0.0.0     1490          x.x.x.x   1970
0.0.0.0     1491          x.x.x.x   1970

And so on....
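One way to triage a capture like the one in this post, added here as an example and not part of the original message: it flags UDP flows sourced from 0.0.0.0 that are not BOOTP/DHCP client traffic (port 68 to port 67) and groups their source ports into consecutive runs per destination port. The function names are hypothetical, and the final sample row is constructed to show the DHCP exemption.

```python
from collections import defaultdict

# Rows from the post; the final 68 -> 67 row is constructed (DHCP exemption).
SAMPLE = """\
0.0.0.0 1985 x.x.x.x 3143
0.0.0.0 1986 x.x.x.x 3143
0.0.0.0 1987 x.x.x.x 3143
0.0.0.0 1988 x.x.x.x 3143
0.0.0.0 1486 x.x.x.x 3906
0.0.0.0 1487 x.x.x.x 3906
0.0.0.0 1488 x.x.x.x 1970
0.0.0.0 1489 x.x.x.x 1970
0.0.0.0 1490 x.x.x.x 1970
0.0.0.0 1491 x.x.x.x 1970
0.0.0.0 68 255.255.255.255 67
"""

def parse(text):
    flows = []
    for line in text.splitlines():
        p = line.split()
        # Keep only "src sport dst dport" rows; headers and rulers are skipped.
        if len(p) == 4 and p[1].isdigit() and p[3].isdigit():
            flows.append((p[0], int(p[1]), p[2], int(p[3])))
    return flows

def is_dhcp_client(flow):
    # BOOTP/DHCP clients without a lease send from 0.0.0.0:68 to port 67.
    return flow[0] == "0.0.0.0" and flow[1] == 68 and flow[3] == 67

def runs(ports):
    """Collapse ports into (first, last) runs of consecutive values."""
    out = []
    for p in sorted(set(ports)):
        if out and p == out[-1][1] + 1:
            out[-1] = (out[-1][0], p)
        else:
            out.append((p, p))
    return out

def summarize(flows):
    """Map destination port -> source-port runs for non-DHCP 0.0.0.0 flows."""
    by_dport = defaultdict(list)
    for f in flows:
        if f[0] == "0.0.0.0" and not is_dhcp_client(f):
            by_dport[f[3]].append(f[1])
    return {dport: runs(sports) for dport, sports in by_dport.items()}

if __name__ == "__main__":
    for dport, r in sorted(summarize(parse(SAMPLE)).items()):
        print(f"dst port {dport}: source-port runs {r}")
```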