Security Incidents mailing list archives
Re: High port UDP probe?
From: mark () WHATNOT DEMON CO UK (Mark Rowe)
Date: Wed, 26 Apr 2000 17:27:08 +0100
In message <916B73552292D311B8AE0090277332B70AAE96@INFERNO>, Damian Gerow <damian () ITACTICS COM> writes

This is most likely an automated scan looking for the trojan "Hack a Tack". There are a number of web sites that maintain lists of common Trojan/Backdoors and the TCP/UDP ports they use. For example, http://www.onctek.com/trojanports.html

This came up in our firewall:

Apr 24 08:48:01 <hostname> kernel: Packet log: unserved DENY eth0 PROTO=UDP 149.225.113.35:31790 xxx.xxx.xxx.xxx:31789 L=29:9 S=0x00 I=64598 T=115

What concerns me is both the destination port and the packet length. I'm assuming that L=29:9 means 29 for the whole packet size, and 9 is the UDP packet size. Take away the UDP header, leaves you 1? Am I reading this correctly?
-- Mark Rowe IT Security Consultant Xinetica Email: mark.rowe () xinetica com
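
Added example, not part of the original messages: a small parser for the firewall log line quoted above that carries out the length arithmetic and checks the destination port against a watchlist. It assumes the poster's reading of `L=29:9` (total IP length, then UDP length); the watchlist holds only the port/trojan pairing suggested in the reply, and the names `LOG_RE`, `WATCHLIST` and `analyze` are hypothetical.

```python
import re

# Field layout taken from the log line quoted in the thread. Reading "L=a:b" as
# total-IP-length:UDP-length is the poster's assumption, not a documented format.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\S+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<ip_len>\d+):(?P<udp_len>\d+) "
    r"S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) T=(?P<ttl>\d+)"
)

UDP_HEADER_LEN = 8   # fixed size of a UDP header in bytes
MIN_IP_HEADER = 20   # IPv4 header without options

# Only the pairing named in the thread; extend from a maintained port list.
WATCHLIST = {("UDP", 31789): "Hack a Tack"}

# The log line from the post, with the poster's redactions left in place.
SAMPLE = ("Apr 24 08:48:01 <hostname> kernel: Packet log: unserved DENY eth0 "
          "PROTO=UDP 149.225.113.35:31790 xxx.xxx.xxx.xxx:31789 "
          "L=29:9 S=0x00 I=64598 T=115")


def analyze(line):
    """Parse one log line; return a dict of fields or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    for key in ("sport", "dport", "ip_len", "udp_len", "ip_id", "ttl"):
        f[key] = int(f[key])
    # What is left after removing the UDP datagram should be the IP header.
    f["ip_header_len"] = f["ip_len"] - f["udp_len"]
    # What is left after removing the UDP header is the application payload.
    f["payload_len"] = f["udp_len"] - UDP_HEADER_LEN
    # Flag lines whose lengths cannot be explained by the assumed layout.
    f["consistent"] = f["ip_header_len"] >= MIN_IP_HEADER and f["payload_len"] >= 0
    f["suspected"] = WATCHLIST.get((f["proto"], f["dport"]))
    return f


if __name__ == "__main__":
    r = analyze(SAMPLE)
    print(f"{r['src']} -> port {r['dport']}/{r['proto']}: "
          f"IP header {r['ip_header_len']} B, payload {r['payload_len']} B, "
          f"watchlist match: {r['suspected']}")
```

Under that reading, the 29 bytes split into a 20-byte IP header, an 8-byte UDP header and a single byte of payload, which matches the poster's arithmetic.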