Security Incidents mailing list archives

Re: Unusual UDP access attempts.


From: bejtlich () ALTAVISTA NET (Richard Bejtlich)
Date: Mon, 22 May 2000 12:09:50 -0000


Hello,

I'm not sure what uses those ports, although the similarity between source and destination makes me consider a Trojan or master-slave relationship.

SANS GIAC has entries on this activity dating to 25 Dec 99, with many interesting detects on 28 Dec 99 and later:

http://www.sans.org/y2k/122599.htm
http://www.sans.org/y2k/122899-9.htm
http://www.sans.org/y2k/122899-1130.htm
http://www.sans.org/y2k/122899-1230.htm
http://www.sans.org/y2k/122899-1700.htm

Richard

---

I've been seeing an unusual number of blocked UDP packets at my firewall recently, the source port always being 28432 and the dest. port always being 28431.
...
Aussie


