Security Incidents mailing list archives

Re: attack


From: "Keith R. Jarvis" <kjarvis () ISS NET>
Date: Tue, 7 Sep 0100 13:48:04 -0400

UDP 28800 is the beginning port number for the MSN Gaming Zone
(www.zone.com). Microsoft has a knowledgebase article on these
ports: http://support.microsoft.com/support/kb/articles/Q159/0/31.ASP

As for 13139, who knows, but it's probably something similar.


Hello

A couple of days ago we had an incident that forced us to reboot our server
that also works as a gateway.
We are running Linux 6.2 and are using ip-masquerading and squid.
First we had an unusual amount of icmp echo requests. Then there was a lot
of udp datagrams of which only a few are shown below.
The first batch of packets all came from dial-up connections. The second
batch mostly came from addresses in Korea.

Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from
cx159639-a.irvn1.occa.home.com:13139 (32 data bytes)
Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from
modem-216.jewel-puffer.dialup.pol.co.uk:13139 (32 data bytes)
Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from
modem-171.imperator-angel.dialup.pol.co.uk:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
lph2-2ac.twcny.rr.com:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
pec-52-211.tnt1.b2.uunet.de:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
modem-51.lemonpeel-angel.dialup.pol.co.uk:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
nas-33-196.stockton.navipath.net:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
223-ALIC-X8.libre.retevision.es:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from
user35-67.jakinternet.co.uk:13139 (32 data bytes)
Sep  3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from
modem-250.blue-streak-damsel.dialup.pol.co.uk:13139 (32 data bytes)
Sep  3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from
sy-as-08-167.free.net.au:13139 (32 data bytes)
Sep  3 13:09:20 gw iplog[3265]: UDP: dgram to gw:port 13139 from
stargate238-55.salzburg-online.at:13139 (32 data bytes)

Sep  3 16:50:08 gw iplog[6019]: UDP: dgram to gw:port 28800 from
ip238.kjnxr3.ras.tele.dk:28800 (4 data bytes)
Sep  3 16:51:02 gw iplog[6019]: UDP: dgram to gw:port 28800 from
211.169.161.39:28800 (4 data bytes)
Sep  3 16:51:04 gw iplog[6019]: UDP: dgram to gw:port 28800 from
s210-219-151-19.thrunet.ne.kr:28800 (4 data bytes)
Sep  3 16:51:06 gw iplog[6019]: UDP: dgram to gw:port 28800 from
s210-205-134-190.thrunet.ne.kr:28800 (4 data bytes)
Sep  3 16:51:10 gw iplog[6019]: UDP: dgram to gw:port 28800 from
211.110.18.217:28800 (4 data bytes)
Sep  3 16:51:15 gw iplog[6019]: UDP: dgram to gw:port 28800 from
211.38.104.212:28800 (4 data bytes)
Sep  3 16:51:27 gw iplog[6019]: UDP: dgram to gw:port 28800 from
210.182.122.45:28800 (4 data bytes)
Sep  3 16:51:29 gw iplog[6019]: UDP: dgram to gw:port 28800 from
211.58.34.139:28800 (4 data bytes)
Sep  3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from
210.207.24.168:28800 (4 data bytes)
Sep  3 16:51:30 gw iplog[6019]: UDP: dgram to gw:port 28800 from
cr357836-a.flfrd1.on.wave.home.com:28800 (4 data bytes)
Sep  3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from
211.200.19.78:28800 (4 data bytes)
Sep  3 16:51:34 gw iplog[6019]: UDP: dgram to gw:port 28800 from
ip66.portland8.or.pub-ip.psi.net:28800 (4 data bytes)
Sep  3 16:51:38 gw iplog[6019]: UDP: dgram to gw:port 28800 from
211.118.14.251:28800 (4 data bytes)
Sep  3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from
210.113.82.165:28800 (4 data bytes)
Sep  3 16:51:39 gw iplog[6019]: UDP: dgram to gw:port 28800 from
211.176.7.151:28800 (4 data bytes)

Anyone who knows what this could be?

Regards

Tommy Axelsson



--
Keith R. Jarvis (kjarvis () iss net)             http://xforce.iss.net
Internet Security Systems, Inc.               +1-678-443-6149 (direct)
The Power to Protect                          +1-678-443-6479 (fax)
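Added example (not part of the thread): a small parser for the iplog UDP lines quoted above that groups datagrams by destination port and flags the burst pattern Tommy describes, many distinct sources hitting one port within seconds, all using the same source and destination port. The sample log is constructed to mirror the post; hostnames and addresses are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# iplog UDP record in single-line form; the archive wraps each record after
# "from", so rejoin those two lines before feeding them in.
IPLOG_UDP = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ iplog\[\d+\]: UDP: dgram to "
    r"\S+:port (?P<dport>\d+) from (?P<src>\S+):(?P<sport>\d+) "
    r"\((?P<len>\d+) data bytes\)$"
)

# Constructed sample modelled on the post; hosts/addresses are placeholders.
SAMPLE = """\
Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from host-a.example:13139 (32 data bytes)
Sep  3 13:09:17 gw iplog[3265]: UDP: dgram to gw:port 13139 from host-b.example:13139 (32 data bytes)
Sep  3 13:09:18 gw iplog[3265]: UDP: dgram to gw:port 13139 from host-c.example:13139 (32 data bytes)
Sep  3 13:09:19 gw iplog[3265]: UDP: dgram to gw:port 13139 from host-d.example:13139 (32 data bytes)
Sep  3 13:09:20 gw iplog[3265]: UDP: dgram to gw:port 13139 from host-e.example:13139 (32 data bytes)
Sep  3 16:50:08 gw iplog[6019]: UDP: dgram to gw:port 28800 from 192.0.2.10:28800 (4 data bytes)
Sep  3 16:51:02 gw iplog[6019]: UDP: dgram to gw:port 28800 from 192.0.2.11:28800 (4 data bytes)
Sep  3 13:09:17 gw kernel: unrelated line""".splitlines()

def parse_iplog(lines):
    """Return one dict per iplog UDP record; non-matching lines are skipped."""
    out = []
    for line in lines:
        m = IPLOG_UDP.match(line.strip())
        if m:
            out.append({"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                        "dport": int(m["dport"]), "src": m["src"],
                        "sport": int(m["sport"]), "len": int(m["len"])})
    return out

def summarize(records, window_s=60, min_sources=5):
    """Per destination port: counts, time span, same-port check, and a
    'suspect' flag when min_sources distinct senders arrive inside window_s."""
    by_port = defaultdict(list)
    for r in records:
        by_port[r["dport"]].append(r)
    summary = {}
    for port, recs in by_port.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        srcs = {r["src"] for r in recs}
        summary[port] = {"packets": len(recs), "distinct_sources": len(srcs),
                         "span_s": span,
                         "same_src_and_dst_port": all(r["sport"] == port for r in recs),
                         "suspect": len(srcs) >= min_sources and span <= window_s}
    return summary
```

Run `summarize(parse_iplog(SAMPLE))` to get the per-port table; on the sample, port 13139 is flagged (five senders in three seconds) while 28800 is not.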

