Security Incidents mailing list archives

Stray UDP activity?


From: sheib <sheib () mbox digsys bg>
Date: Fri, 08 Mar 2002 15:31:00 +0200

Howdy list,

I got some strange UDP activity on my production machine. I am positive it's
not due to anything I did: no DNS servers running, no UDP-feeding daemons, etc. Snort detects no threat either. It occurs somehow periodically, every hour.
It's no UDP scan. The very same ports are used all the time.


<snip>

05:56:47.258786 SRC.1028 > DST.38293: [udp sum ok] udp 16 (ttl 10, id 62722, len 44)
0x0000   4500 002c f502 0000 0a11 267e 816b 5146        E..,......&~.kQF
0x0010   c144 014b 0404 9595 0018 9fce 020a 00c0        .D.K............
0x0020   4c44 5650 4869 434d 0000 0000                  LDVPHiCM....

05:56:47.278756 SRC.1028 > DST.38293: [udp sum ok] udp 16 (ttl 10, id 62978, len 44)
0x0000   4500 002c f602 0000 0a11 257e 816b 5146        E..,......%~.kQF
0x0010   c144 014b 0404 9595 0018 b6ac 020a 00c0        .D.K............
0x0020   4869 434d 4869 434d 0000 0000                  HiCMHiCM....

05:56:48.988754 SRC.1028 > DST.38293: [udp sum ok] udp 16 (ttl 10, id 63234, len 44)
0x0000   4500 002c f702 0000 0a11 247e 816b 5146        E..,......$~.kQF
0x0010   c144 014b 0404 9595 0018 9fce 020a 00c0        .D.K............
0x0020   4c44 5650 4869 434d 0000 0000                  LDVPHiCM....

05:56:48.998759 SRC.1028 > DST.38293: [udp sum ok] udp 16 (ttl 10, id 63490, len 44)
0x0000   4500 002c f802 0000 0a11 237e 816b 5146        E..,......#~.kQF
0x0010   c144 014b 0404 9595 0018 b6ac 020a 00c0        .D.K............
0x0020   4869 434d 4869 434d 0000 0000                  HiCMHiCM....

05:56:49.008759 SRC.1028 > DST.38293: [udp sum ok] udp 16 (ttl 10, id 63746, len 44)
0x0000   4500 002c f902 0000 0a11 227e 816b 5146        E..,......"~.kQF
0x0010   c144 014b 0404 9595 0018 9fce 020a 00c0        .D.K............
0x0020   4c44 5650 4869 434d 0000 0000                  LDVPHiCM....

05:56:49.018758 SRC.1028 > DST.38293: [udp sum ok] udp 16 (ttl 10, id 64002, len 44)
0x0000   4500 002c fa02 0000 0a11 217e 816b 5146        E..,......!~.kQF
0x0010   c144 014b 0404 9595 0018 b6ac 020a 00c0        .D.K............
0x0020   4869 434d 4869 434d 0000 0000                  HiCMHiCM....

[...]


Mar 8 12:53:59 grind kernel: IN=ppp1 OUT= MAC= SRC=SRC DST=DST LEN=44 TOS=0x00 PREC=0x00 TTL=10 ID=17674 PROTO=UDP SPT=1028 DPT=38293 LEN=24
Mar 8 13:54:22 grind kernel: IN=ppp1 OUT= MAC= SRC=SRC DST=DST LEN=44 TOS=0x00 PREC=0x00 TTL=10 ID=18186 PROTO=UDP SPT=1028 DPT=38293 LEN=24

</snip>


0x0020s anyone?

/proc/net/udp claims:

sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode

^^^^^^^^^^^^^^^^^^
no udp connections


[Wild] suggestions are welcome.


/s
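
As an added example (not part of the original post and not something the poster ran), here is a small Python script that rebuilds the first two datagrams from the hex columns quoted above, re-checks the IPv4 and UDP checksums the way tcpdump does when it prints "[udp sum ok]", and pulls out the 16-byte UDP payload so the bytes on the 0x0020 line can be looked at on their own. The packet bytes are copied from the post; the parser, the field names and the helper functions are assumptions made for this example.

```python
"""Decode the tcpdump -x hex dump quoted in the post: rebuild each raw
IPv4/UDP datagram from the "0x0000 ..." lines, verify both checksums and
extract the UDP payload.  Example code, not from the original post."""
from __future__ import annotations

import re
import socket
import struct
from dataclasses import dataclass

# Hex columns of the first two datagrams, copied from the post.
DUMP = """
0x0000   4500 002c f502 0000 0a11 267e 816b 5146        E..,......&~.kQF
0x0010   c144 014b 0404 9595 0018 9fce 020a 00c0        .D.K............
0x0020   4c44 5650 4869 434d 0000 0000                  LDVPHiCM....

0x0000   4500 002c f602 0000 0a11 257e 816b 5146        E..,......%~.kQF
0x0010   c144 014b 0404 9595 0018 b6ac 020a 00c0        .D.K............
0x0020   4869 434d 4869 434d 0000 0000                  HiCMHiCM....
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-f]{4})\s+(.*)$")


def parse_hexdump(text: str) -> list[bytes]:
    """Turn tcpdump -x style output into a list of raw datagrams.
    A line at offset 0x0000 (or a non-hex line) starts a new packet."""
    packets: list[bytes] = []
    cur = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            if cur:
                packets.append(bytes(cur))
                cur = bytearray()
            continue
        offset = int(m.group(1), 16)
        if offset == 0 and cur:
            packets.append(bytes(cur))
            cur = bytearray()
        if offset != len(cur):
            raise ValueError(f"offset 0x{offset:04x} does not follow previous line")
        words: list[str] = []
        # Take at most 8 four-digit hex words; the ASCII column ends the run.
        for tok in m.group(2).split():
            if len(words) == 8 or not re.fullmatch(r"[0-9a-f]{4}", tok):
                break
            words.append(tok)
        cur.extend(bytes.fromhex("".join(words)))
    if cur:
        packets.append(bytes(cur))
    return packets


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when the embedded checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Datagram:
    src: str
    dst: str
    ttl: int
    ip_id: int
    ip_sum_ok: bool
    sport: int
    dport: int
    udp_len: int
    udp_sum_ok: bool
    payload: bytes


def decode(raw: bytes) -> Datagram:
    """Decode one IPv4/UDP datagram and verify the IP and UDP checksums."""
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 17 or total_len != len(raw):
        raise ValueError("not a complete IPv4/UDP datagram")
    ihl = (ver_ihl & 0xF) * 4
    ip_ok = inet_checksum(raw[:ihl]) == 0
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    udp = raw[ihl:ihl + ulen]
    # UDP checksum covers a pseudo-header (src, dst, zero, proto, length).
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, ulen)
    udp_ok = ucsum == 0 or inet_checksum(pseudo + udp) == 0
    return Datagram(socket.inet_ntoa(src), socket.inet_ntoa(dst), ttl, ip_id,
                    ip_ok, sport, dport, ulen, udp_ok, udp[8:])


def printable(data: bytes) -> str:
    """Render bytes the way tcpdump's ASCII column does."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


if __name__ == "__main__":
    for d in map(decode, parse_hexdump(DUMP)):
        print(f"id={d.ip_id} ttl={d.ttl} {d.sport}->{d.dport} "
              f"ipsum={'ok' if d.ip_sum_ok else 'BAD'} "
              f"udpsum={'ok' if d.udp_sum_ok else 'BAD'} "
              f"payload={d.payload.hex()} {printable(d.payload)!r}")
```

Running it confirms what tcpdump already printed (both checksums verify, UDP length 24, payload 16 bytes) and makes one detail of the dump explicit: the payload does not begin on the 0x0020 line. Its first four bytes (02 0a 00 c0) are the last two words of the 0x0010 line, so the 0x0020 line is payload offset 4 onwards, which is where "LDVPHiCM" and "HiCMHiCM" sit.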


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

