Re: unusual UDP probes

[rgula () SECURITYWIZARDS COM (Ron Gula)]

At 05:43 AM 1/5/00 -0800, you wrote:
>  For a couple of weeks now, we've had our eyes on a strange little UDP
> probe we've been getting.  It doesn't match any known signatures (based on
> searching the whitehats.com arachNIDS database - which, by the way, is quite
> nice - and other security sites and trojan lists).  The source port is
> always a low port (p <= 1024) and the destination is either 41763 or 55021,
> with 41763 being the more regular one.  It doesn't match the trin00 or TFN
> profiles that have been posted, the volume is rather low (less than 10
> packets a day per source address), and the probes don't seem coordinated
> (though volume has picked up slightly since the new year).  Has anyone else
> seen these in the wild or otherwise?  Any idea as to what might be
> generating it?

Could you post some payload contect of the UDP packets?

Ron Gula
Network Security Wizards