Snort mailing list archives

RE: Strange UDP packets from MS Exchange servers


From: "Semerjian, Ohanes" <Semerjian.Ohanes () wcom com au>
Date: Tue, 30 Apr 2002 07:58:50 +0800

This doesn't look like it's a Trojan, because if it was, then surely they'd need the packets
back, so the return address would need to be a valid one. This could be a
misconfiguration on your Exchange server.

Best Regards

Ohanes Semerjian

-----Original Message-----
From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com]
Sent: Tuesday, 30 April 2002 9:26
To: Snort List (E-mail)
Subject: [Snort-users] Strange UDP packets from MS Exchange servers


Hello,

I was wondering if anyone has seen this before? No one I've talked to so far
has a clue. Basically we have two MS Exchange servers that send out UDP
packets at random times throughout the day, all to non-existent networks and
random destination ports each time. REALLY strange. Almost appears like
trojan activity but there is current AV on each box and it doesn't detect
anything. Anyone else seen this before? Thanks....


Sample packet traces (actually many more packets were sent, these are just
samples of each destination port that was sent to):

04/26-14:11:43.316412 <Exchange server1>:4289 -> 192.168.1.170:1107
UDP TTL:122 TOS:0x0 ID:22909 IpLen:20 DgmLen:36
Len: 16
p'Q.....

04/26-14:44:09.447869 <Exchange server1>:2814 -> 192.168.1.170:1421
UDP TTL:122 TOS:0x0 ID:3428 IpLen:20 DgmLen:36 
Len: 16
p'U.....

04/26-21:50:34.956200 <Exchange server2>:1303 -> 192.168.1.103:1066
UDP TTL:122 TOS:0x0 ID:51650 IpLen:20 DgmLen:36
Len: 16
.(.....w

04/26-07:18:33.852580 <Exchange server2>:4339 -> 192.168.1.102:1058
UDP TTL:122 TOS:0x0 ID:7775 IpLen:20 DgmLen:36 
Len: 16
X'R.....

04/26-09:04:27.626759 <Exchange server1>:4897 -> 192.168.0.4:1395
UDP TTL:126 TOS:0x0 ID:19048 IpLen:20 DgmLen:36
Len: 16
p'B.....

04/26-09:04:27.627675 <Exchange server1>:4899 -> 192.168.0.4:1413
UDP TTL:126 TOS:0x0 ID:19560 IpLen:20 DgmLen:36
Len: 16
 *......

04/26-09:27:15.556618 <Exchange server1>:2868 -> 192.168.0.4:3656
UDP TTL:126 TOS:0x0 ID:63924 IpLen:20 DgmLen:36
Len: 16
p'B.....

04/26-09:59:20.719032 <Exchange server1>:2154 -> 192.168.0.4:3748
UDP TTL:126 TOS:0x0 ID:59526 IpLen:20 DgmLen:36
Len: 16
p'B.....

04/26-09:59:20.719804 <Exchange server1>:2156 -> 192.168.0.4:3761
UDP TTL:126 TOS:0x0 ID:60038 IpLen:20 DgmLen:36
Len: 16
 *......

04/27-06:45:39.602353 <Exchange server1>:3151 -> 192.168.1.101:1047   
UDP TTL:122 TOS:0x0 ID:11807 IpLen:20 DgmLen:36
Len: 16
x'P.....

04/27-07:08:45.259531 <Exchange server2>:3567 -> 192.168.1.103:1492   
UDP TTL:122 TOS:0x0 ID:60820 IpLen:20 DgmLen:36
Len: 16
.(.....w

04/27-08:00:54.340376 <Exchange server1>:1249 -> 192.168.1.101:1127
UDP TTL:122 TOS:0x0 ID:35814 IpLen:20 DgmLen:36
Len: 16 
x'P.....

04/27-10:00:25.735930 <Exchange server2>:4442 -> 192.168.1.103:1538
UDP TTL:122 TOS:0x0 ID:64097 IpLen:20 DgmLen:36
Len: 16 
.(.....w

04/27-15:15:40.966760 <Exchange server2>:1635 -> 192.168.1.103:1687
UDP TTL:122 TOS:0x0 ID:41850 IpLen:20 DgmLen:36
Len: 16 
.(.....w

04/27-18:33:21.866192 <Exchange server1>:3432 -> 192.168.1.101:1985
UDP TTL:122 TOS:0x0 ID:65039 IpLen:20 DgmLen:36
Len: 16 
`(A..,A.

04/27-21:58:44.742460 <Exchange server2>:3158 -> 192.168.1.103:1722
UDP TTL:122 TOS:0x0 ID:28910 IpLen:20 DgmLen:36
Len: 16 
.(.....w



Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

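As an added illustration (not code from the post, the poster, or Snort itself), a small Python parser for the packet-log format shown in the traces above that summarizes each source host's UDP behaviour and flags hosts that spray one-shot packets at many distinct destination ports with a constant tiny payload, which is the pattern Paul describes. The sample log reuses header lines from the traces above (payload dump lines left out); the flagging thresholds are an assumption.

```python
import re
from collections import defaultdict

# Header lines copied from the traces in the post (payload dumps omitted; "<Exchange serverN>" are the poster's own placeholders).
SAMPLE_LOG = """\
04/26-14:11:43.316412 <Exchange server1>:4289 -> 192.168.1.170:1107
UDP TTL:122 TOS:0x0 ID:22909 IpLen:20 DgmLen:36
Len: 16
04/26-14:44:09.447869 <Exchange server1>:2814 -> 192.168.1.170:1421
UDP TTL:122 TOS:0x0 ID:3428 IpLen:20 DgmLen:36
Len: 16
04/26-09:04:27.626759 <Exchange server1>:4897 -> 192.168.0.4:1395
UDP TTL:126 TOS:0x0 ID:19048 IpLen:20 DgmLen:36
Len: 16
04/26-21:50:34.956200 <Exchange server2>:1303 -> 192.168.1.103:1066
UDP TTL:122 TOS:0x0 ID:51650 IpLen:20 DgmLen:36
Len: 16
"""
HDR = re.compile(r"^(\S+) (.+?):(\d+) -> (.+?):(\d+)$")   # timestamp src:sport -> dst:dport
IPL = re.compile(r"^(\w+) TTL:(\d+) .*DgmLen:(\d+)$")      # proto TTL ... DgmLen
LEN = re.compile(r"^Len: (\d+)$")                           # UDP payload length

def parse_snort_log(text):
    """Parse Snort packet-log header triples into dicts; payload dump lines are ignored."""
    records, cur = [], None
    for line in text.splitlines():
        if m := HDR.match(line.rstrip()):
            cur = {"ts": m[1], "src": m[2], "sport": int(m[3]), "dst": m[4], "dport": int(m[5])}
            records.append(cur)
        elif cur and (m := IPL.match(line.rstrip())):
            cur.update(proto=m[1], ttl=int(m[2]), dgmlen=int(m[3]))
        elif cur and (m := LEN.match(line.rstrip())):
            cur["len"] = int(m[1])
    return records

def summarize_by_source(records):
    """Per UDP source host: packet count, distinct destinations and ports, payload sizes seen."""
    out = defaultdict(lambda: {"packets": 0, "dsts": set(), "dports": set(), "lens": set()})
    for r in records:
        if r.get("proto") == "UDP":
            s = out[r["src"]]
            s["packets"] += 1
            s["dsts"].add(r["dst"]); s["dports"].add(r["dport"]); s["lens"].add(r.get("len"))
    return dict(out)

def spraying_sources(summary, min_dports=3):
    """Hosts hitting >= min_dports distinct ports, none reused, with one constant payload size.
    The thresholds are an assumption; a server talking to a real service reuses one port."""
    return sorted(src for src, s in summary.items() if len(s["dports"]) >= min_dports
                  and len(s["dports"]) == s["packets"] and len(s["lens"]) == 1)
```

Feeding a full day of Snort packet logs through `parse_snort_log` and `spraying_sources` gives a per-host list to compare against the hosts' expected peers before deciding between the misconfiguration and malware explanations.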