Security Incidents mailing list archives

Re: UDP Probes (?) from port 28432 to 28431 ?

From: Alexander.Schreiber () INFORMATIK TU-CHEMNITZ DE (Alexander Schreiber)
Date: Tue, 7 Mar 2000 15:12:27 +0100


Hi !

On Sat, 4 Mar 2000, Xander Jansen wrote:

Has anyone seen UDP subnet-sweeps to port 28431 ? We've received a few
reports the last months about rather persistent and recurring subnet-scans
targetted at this specific port. All the probes are short UDP packets with
source port 28432 and destination port 28431. Typical pattern is also that
within a few seconds a complete subnet (/24 for example) is probed on this


Yes, a client of mine has two IP which are visible on the outside and they
are regularly receiving these probes (not exactly - the firewall on the border
is logging and dropping those packets). First detected on Jan 4 00:17:35
(MET), 27 attempts today, last Mar 6 19:41:25 (MET). The packets aimed
at the two visible IP's come in within one second.

Sources are Dialups all over the world (including one from the
Arabian Emirates) - as usual.

Regards,
       Alex.

--
------------------------------------------------------------------------------
 EMail : als () thangorodrim de              | WWW : http://www.thangorodrim.de/
 If privacy is outlawed, only outlaws will have | Ceterum censeo Parva Mollia
 privacy. (Philip Zimmerman, author of PGP)     | esse delendam.

Current thread:

Re: @home: Is *anyone* really home there??? Robert G. Ferrell (Feb 29)
- Complaining to providers (was: @home: Is *anyone* really home there??? Rob Quinn (Mar 02)
- <Possible follow-ups>
- Re: @home: Is *anyone* really home there??? Jason Spence (Feb 29)
  - auto-reporting to ISPs Robert Graham (Feb 29)
    - Re: auto-reporting to ISPs Jon Lewis (Mar 01)
    - Re: auto-reporting to ISPs Network Operations (Mar 02)
    - Re: auto-reporting to ISPs Greg A. Woods (Mar 02)
    - Re: auto-reporting to ISPs Rasmus Andersson (Mar 02)
    - CNET Hackers hit e-commerce site Vincent Lee (Mar 02)
    - UDP Probes (?) from port 28432 to 28431 ? Xander Jansen (Mar 04)
    - Re: UDP Probes (?) from port 28432 to 28431 ? Alexander Schreiber (Mar 07)
    - UDP Probes (?) from port 28432 to 28431 ? Klaus Moeller (Mar 07)
    - Re: UDP Probes (?) from port 28432 to 28431 ? Xander Jansen (Mar 09)
    - Re: CNET Hackers hit e-commerce site Chris Davis (Mar 04)
    - Port 65535 Murray, Mike (Mar 02)
    - @home: Is *anyone* really home there??? (fwd) Light Of Day (Mar 04)
    - Re: Port 65535 Pavel Kankovsky (Mar 04)
    - Re: Port 65535 Murray, Mike (Mar 04)
    - Re: Port 65535 Richard Bejtlich (Mar 04)
    - Re: Port 65535 Keith Pachulski (Mar 06)
    - Re: auto-reporting to ISPs wozz () LUVEWE BONCH ORG (Mar 02)

(Thread continues...)