Security Incidents mailing list archives

Re: Wake-up call


From: Jason Lewis <jlewis () jasonlewis net>
Date: Sat, 30 Dec 2000 15:45:21 -0500

While it is possible that someone is scanning for those ports, it is
more likely he had just disconnected from the MSN gaming zone and the other
players hadn't gotten the info yet.  This happens a lot with online gaming.

jas

http://www.rivalpath.com


-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Joe Klein
Sent: Friday, December 29, 2000 12:29 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Wake-up call


12/27/2000 11:56:19.192 -       UDP packet dropped - Source:209.91.163.236, 1030, WAN - Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 11:57:19.288 -       UDP packet dropped - Source:209.91.163.236, 1030, WAN - Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 11:58:22.368 -       UDP packet dropped - Source:63.17.37.124, 28800, WAN -  Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 11:59:27.800 -       UDP packet dropped - Source:24.65.240.83, 28800, WAN -  Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 12:00:37.848 -       UDP packet dropped - Source:24.65.240.83, 28800, WAN -  Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 12:01:54.160 -       UDP packet dropped - Source:24.24.147.33, 28800, WAN -  Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 12:03:14.592 -       UDP packet dropped - Source:24.24.147.33, 28800, WAN -  Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 12:04:37.800 -       UDP packet dropped - Source:24.9.220.84, 28800, WAN -  Destination:my.firewall.ip.num, 28800, LAN -     -

Using a list of well-known ports
(http://www.isi.edu/in-notes/iana/assignments/port-numbers) or
(http://support.kcfishnet.com/scripts/fishnet/portnumbers/portnumbers2.asp),
I notice:
 Port 1030/udp   BBN IAD - Registered to: Andy Malis <malis_a () timeplex com>
 Port 28800/udp is on the unassigned list

To find the 28800/udp port, I scanned lists of Trojan horses and found
nothing
(http://www.doshelp.com/trojanports.htm,
http://home.tiscalinet.be/bchicken/trojans/trojanpo.htm,
http://www.simovits.com/nyheter9902.html)

I did a search on port 28800 udp using www.dogpile.com and found a lot of
traffic about this port. One specifically
(http://www.chebucto.ns.ca/~rakerman/port-table.html) provided the
information that 28800 is used by Microsoft Gaming and 1024-65535 is used by
Microsoft NetMeeting (http://support.microsoft.com/support/kb/articles/Q158/6/23.asp).

As far as the IP addresses, well it looks like they are dial-up and high-speed
lines from major vendors (http://www.arin.net/cgi-bin/whois.pl?queryinput=)

209.91.163.236 ViaNet Internet Solutions (NETBLK-VIANET-CA2) Sudbury, ON P3E 5J8 CA - 209.91.128.0 - 209.91.175.255
63.17.37.124   UUNET Technologies, Inc. (NETBLK-NETBLK-UUNET97DU) Fairfax, VA 22031 US - 63.0.0.0 - 63.61.255.255
24.65.240.83   Shaw Fiberlink ltd. (NETBLK-FIBERLINK-CABLE) Calgary AB, 4L4 CA - 24.64.0.0 - 24.71.255.255
24.24.147.33   ServiceCo LLC - Road Runner (NET-ROAD-RUNNER-1) Herndon, VA 20171 US - 24.24.0.0 - 24.31.255.255
24.9.220.84    @Home Network (NETBLK-CORP-RDC-SC-1) CORP-RDC-SC-1 24.0.0.0 - 24.0.0.255

In summary, it looks like someone is scanning your system for misconfigured
Microsoft NetMeeting clients or Microsoft Gaming clients.  Although I have
seen no vulnerabilities of this type in the lists, it doesn't mean that there
are not any :-)

Joe Klein
E-Commerce/Security Consultant

"Los, Ralph" wrote:

Hey everyone,
        Thought you might be interested in this one, pardon if it's already
been seen.

12/27/2000 11:56:19.192 -       UDP packet dropped - Source:209.91.163.236, 1030, WAN -      Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 11:57:19.288 -       UDP packet dropped - Source:209.91.163.236, 1030, WAN -      Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 11:58:22.368 -       UDP packet dropped - Source:63.17.37.124, 28800, WAN -    Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 11:59:27.800 -       UDP packet dropped - Source:24.65.240.83, 28800, WAN -    Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 12:00:37.848 -       UDP packet dropped - Source:24.65.240.83, 28800, WAN -    Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 12:01:54.160 -       UDP packet dropped - Source:24.24.147.33, 28800, WAN -    Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 12:03:14.592 -       UDP packet dropped - Source:24.24.147.33, 28800, WAN -    Destination:my.firewall.ip.num, 28800, LAN -     -
12/27/2000 12:04:37.800 -       UDP packet dropped - Source:24.9.220.84, 28800, WAN -    Destination:my.firewall.ip.num, 28800, LAN -     -

1. Can someone help me analyze this?  (No packet dumps unfortunately, just
this.)
2. Is there a site that can better help me find port-scan
associations?  SANS Institute's web site seems a little lacking in that
department!

Regards,

Ralph M. Los
Sr. Internet Systems & Security Admin.    (312) 827-3945 (direct)
EnvestNet Advisory Corp.                  (312) 296-9003 (wireless)

rlos () envestnet com
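As an added example (not written by any participant in this thread), a small Python triage script that parses the firewall's dropped-packet lines and applies the distinction the replies draw: many hosts sending from and to the same service port within a few minutes looks like leftover game-session peers, while one host walking many destination ports looks like a scan. The log-format regex, the 50% same-port threshold and the verdict wording are assumptions based only on the lines quoted above.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: the thread's own dropped-packet lines, with the mail wrapping undone.
SAMPLE_LOG = """\
12/27/2000 11:56:19.192 - UDP packet dropped - Source:209.91.163.236, 1030, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 11:57:19.288 - UDP packet dropped - Source:209.91.163.236, 1030, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 11:58:22.368 - UDP packet dropped - Source:63.17.37.124, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 11:59:27.800 - UDP packet dropped - Source:24.65.240.83, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:00:37.848 - UDP packet dropped - Source:24.65.240.83, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:01:54.160 - UDP packet dropped - Source:24.24.147.33, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:03:14.592 - UDP packet dropped - Source:24.24.147.33, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
12/27/2000 12:04:37.800 - UDP packet dropped - Source:24.9.220.84, 28800, WAN - Destination:my.firewall.ip.num, 28800, LAN - -
"""

# Assumed line layout (inferred from the quoted log): timestamp, protocol, source, destination.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) - +(?P<proto>\w+) packet dropped - +"
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), \w+ - +Destination:(?P<dst>[^,]+), (?P<dport>\d+)")

def parse_log(text):
    """Parse 'packet dropped' lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(ev["ts"], "%m/%d/%Y %H:%M:%S.%f")
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return events

def summarize(events):
    """Decide whether a burst of drops looks like one host sweeping ports or many hosts hitting one port."""
    dports = Counter(e["dport"] for e in events)
    sources = Counter(e["src"] for e in events)
    same_port = sum(e["sport"] == e["dport"] for e in events) / len(events)
    times = [e["time"] for e in events]
    span = (max(times) - min(times)).total_seconds()
    if len(dports) > 1 and len(sources) == 1:
        verdict = "port scan: one source probing many destination ports"
    elif len(dports) == 1 and same_port >= 0.5:
        # Peers in a game session send from and to the same service port, and keep
        # retrying a player's old address for a while after that player leaves.
        verdict = "many sources, one service port, matching source port: stale session peers"
    else:
        verdict = "many sources, one port, varied source ports: possible sweep, needs more context"
    return {"dst_ports": dict(dports), "distinct_sources": len(sources),
            "same_port_fraction": same_port, "span_seconds": span, "verdict": verdict}
```

On the quoted lines this reports five distinct sources, one destination port, six of eight packets with matching source port and an eight-minute span, which is the pattern the "stale game peers" explanation predicts.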

