Security Incidents mailing list archives
UDP Probes (?) from port 28432 to 28431 ?
From: moeller () CERT DFN DE (Klaus Moeller)
Date: Tue, 7 Mar 2000 17:17:36 +0100
Xander Jansen writes:

> Has anyone seen UDP subnet-sweeps to port 28431? We've received a few reports the last months about rather persistent and recurring subnet-scans targeted at this specific port. All the probes are short UDP packets with source port 28432 and destination port 28431. Typical pattern is also that within a few seconds a complete subnet (/24 for example) is probed on this port (and this port only). (I'm sorry to say that we don't have any info on the contents of these packets yet.)
>
> I was wondering if anyone knows about either a valid or malicious application using these ports (I couldn't find any reference in the usual portlists)?

The pattern reminds me of the HACK'A'TACK scans (UDP 33790 -> 33789). Perhaps somebody has changed the configs? We haven't seen scans like that so far.

Klaus Moeller

--
Klaus Moeller       | mailto:moeller () cert dfn de
DFN-CERT GmbH       |
Vogt-Koelln-Str. 30 | Phone: +49(40)42883-2262
D-22527 Hamburg     | FAX: +49(40)42883-2241
Germany             | PGP-Key: finger moeller () ftp cert dfn de
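The sweep pattern discussed in this message (one source, a fixed UDP port pair, a whole /24 covered within seconds) can be matched in flow or firewall logs. The following is an added example, not part of the original post: the record layout, the 10-second window and the 200-host threshold are assumptions, the sample records are constructed, and the check is generalized to any fixed port pair rather than only 28432 -> 28431.

```python
from collections import defaultdict, deque
import ipaddress

WINDOW_S = 10.0   # assumption: stands in for "within a few seconds"
MIN_HOSTS = 200   # assumption: distinct hosts that count as "a complete /24"


def find_sweeps(records, window=WINDOW_S, min_hosts=MIN_HOSTS):
    """records: (ts, src, sport, dst, dport) UDP tuples sorted by ts.

    Returns the set of (src, sport, dport, subnet) keys where one source
    reached at least min_hosts distinct addresses of a single /24 within
    `window` seconds while using one fixed source/destination port pair.
    """
    recent = defaultdict(deque)  # key -> (ts, dst) pairs still inside the window
    hits = set()
    for ts, src, sport, dst, dport in records:
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        key = (src, sport, dport, str(net))
        q = recent[key]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()  # expire probes older than the window
        if len({d for _, d in q}) >= min_hosts:
            hits.add(key)
    return hits


def sample_records():
    """Constructed records using documentation address ranges."""
    # One source walking 192.0.2.1-254 in about 2.5 s on 28432 -> 28431.
    recs = [(i * 0.01, "198.51.100.7", 28432, f"192.0.2.{i}", 28431)
            for i in range(1, 255)]
    # Ordinary traffic: a client querying a single resolver.
    recs += [(float(i), "192.0.2.10", 53000 + i, "203.0.113.53", 53)
             for i in range(5)]
    # Same port pair, one probe per minute: never 200 hosts inside 10 s,
    # so this window/threshold pair does not flag it.
    recs += [(i * 60.0, "198.51.100.9", 28432, f"192.0.2.{i}", 28431)
             for i in range(1, 255)]
    return sorted(recs)


if __name__ == "__main__":
    for src, sport, dport, subnet in sorted(find_sweeps(sample_records())):
        print(f"sweep: {src} udp {sport} -> {dport} across {subnet}")
```
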