Security Incidents mailing list archives

Re: Unknown Broadcast Traffic


From: Daniel Martin <dtmartin24 () HOME COM>
Date: Mon, 29 Jan 2001 11:31:01 -0500

claymore <claymore () ADELPHIA NET> writes:

I am trying to figure out what is causing the traffic shown below. I cannot
find anything that would create it and have been receiving continued
reports. Has anyone seen this?

Claymore
the unprofound

FWIN  2001/01/22  18:14:46 -5:00 GMT  24.50.40.65:1027  24.255.255.255:39213 UDP
FWIN  2001/01/22  18:14:46 -5:00 GMT  24.50.40.65:1028  24.255.255.255:39213 UDP

<more of same snipped>

UDP port 39213 is used by the Sygate Home Network Manager - a web
search (via Google) will pop up other reports of this.  (Sometimes,
the source UDP address is in the private 192.168.* address space.)  In
all likelihood, this means that some poor adelphia.net user has bought
a Sygate Home Network firewall product and failed to configure it
correctly before connecting it to their cable modem.

As the only Bugtraq article I can find about Sygate seems to indicate
a hole via TCP port 7323 connections, it is unlikely that this was
looking to exploit anything.

