Security Incidents mailing list archives

UDP Probes (?) from port 28432 to 28431 ?


From: moeller () CERT DFN DE (Klaus Moeller)
Date: Tue, 7 Mar 2000 17:17:36 +0100



Xander Jansen writes:

Has anyone seen UDP subnet-sweeps to port 28431 ? We've received a few
reports the last months about rather persistent and recurring subnet-scans
targeted at this specific port. All the probes are short UDP packets with
source port 28432 and destination port 28431. Typical pattern is also that
within a few seconds a complete subnet (/24 for example) is probed on this
port (and this port only). (I'm sorry to say that we don't have any info
on the contents of these packets yet).

I was wondering if anyone knows about either a valid or malicious
application using these ports (I couldn't find any reference in the usual
portlists) ?

The pattern reminds me of the HACK'A'TACK scans (UDP 33790 -> 33789)
Perhaps somebody has changed the configs ?

We haven't seen scans like that so far.

        Klaus Moeller

- --
Klaus Moeller            |                    mailto:moeller () cert dfn de
DFN-CERT GmbH            |
Vogt-Koelln-Str. 30      |                      Phone: +49(40)42883-2262
D-22527 Hamburg          |                        FAX: +49(40)42883-2241
Germany                  |       PGP-Key: finger moeller () ftp cert dfn de

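A way to pick the pattern described in this thread out of packet or flow records, added here as an example and not code from either poster: one source using one fixed UDP source/destination port pair against many hosts of a single subnet within a few seconds. The record layout, the function names, the 5-second window and the 32-host threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict, deque

def find_udp_sweeps(records, window=5.0, min_hosts=32, prefix=24):
    """Flag fixed-port-pair UDP sweeps of one subnet.

    records: (ts_seconds, src_ip, sport, dst_ip, dport) tuples for UDP
    packets, sorted by timestamp. Returns a sorted list of
    (src_ip, sport, dport, subnet, peak_distinct_hosts).
    """
    recent = defaultdict(deque)                     # key -> (ts, dst) inside window
    counts = defaultdict(lambda: defaultdict(int))  # key -> dst -> packets inside window
    peaks = {}
    for ts, src, sport, dst, dport in records:
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        key = (src, sport, dport, str(net))
        q, c = recent[key], counts[key]
        q.append((ts, dst))
        c[dst] += 1
        # Expire packets older than the window.
        while ts - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) >= min_hosts:
            peaks[key] = max(peaks.get(key, 0), len(c))
    return sorted(key + (n,) for key, n in peaks.items())

def constructed_sample():
    """Constructed records (documentation address ranges), not captured traffic."""
    recs = []
    for i in range(1, 255):   # whole /24 in about 2.5 s, port pair from the post
        recs.append((100.0 + i * 0.01, "192.0.2.10", 28432, f"198.51.100.{i}", 28431))
    for i in range(1, 41):    # same port pair, one host per minute: too slow to count
        recs.append((i * 60.0, "192.0.2.30", 28432, f"203.0.113.{i}", 28431))
    for i in range(50):       # ordinary client, ephemeral source ports, two servers
        recs.append((100.0 + i * 0.05, "192.0.2.20", 40000 + i, f"198.51.100.{53 + i % 2}", 53))
    return sorted(recs)

if __name__ == "__main__":
    for hit in find_udp_sweeps(constructed_sample()):
        print(hit)
```

Because the key includes both ports, the same check also catches the UDP 33790 -> 33789 pattern mentioned in the reply without any port list.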

