Security Incidents mailing list archives
strange UDP 5400 traffic
From: "Maarten" <cryppie () softhome net>
Date: Fri, 29 Mar 2002 19:15:41 +0100
Hi all,

Today my IDS detected some strange traffic on our network. One of the workstations (W98) of one of our administrators suddenly started a connection to an internet machine and tried to deliver packages on UDP port 5400 of that machine. Fortunately, UDP connections are not allowed from the internal to the external network, but still....

While investigating the workstation, nothing suspicious could be found, but it kept trying to reach that Internet machine. The closest trojan I could match to UDP 5400 was bladerunner ((c) 1999), but the signature of bladerunner was not present on the client. Also, neither a trojan checking program (pestpatrol) nor anti-virus software (mcafee) noticed something suspicious on the drives.

Anyone here got any ideas, experienced something like this before or knows how to make some more sense out of the packets captured by snort (example attached to e-mail)?

kind regards,
maarten

==================
Header: 4 5 0 60028 1282 0 0 128 60373
=== length = 4063
000 : 7F 11 3F 16 13 60 8B 7A 99 04 97 9F 48 B8 CB 28 .?..`.z....H..(
010 : 51 69 BF 19 9B BD 0E 0F 30 37 26 BA 5D 11 A7 7D Qi......07&.]..}
020 : E8 73 61 D1 ED 39 10 60 A5 4F D0 E6 CC E7 8E 50 .sa..9.`.O.....P
030 : 5F 9A 47 AF 43 94 6D 6B CA 84 CD 55 89 E1 BD 03 _.G.C.mk...U....
Attachment: udp-1703-to-5400.txt.txt
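One way to start making sense of a dump like the one quoted in the post, as an added example that is not part of the original message or of snort itself: parse the snort-style hexdump rows back into bytes, then measure byte entropy and the share of printable bytes, which separates a plaintext protocol from packed or encrypted payload. The four rows on the page are embedded as the sample input; the "Header:" line's field layout is not interpreted here, and all function names are this example's own.

```python
import math
import re
from collections import Counter

# Sample input: the four hexdump rows quoted in the post above (the capture
# itself was 4063 bytes; only these rows appear on the page).
SNORT_DUMP = """\
000 : 7F 11 3F 16 13 60 8B 7A 99 04 97 9F 48 B8 CB 28 .?..`.z....H..(
010 : 51 69 BF 19 9B BD 0E 0F 30 37 26 BA 5D 11 A7 7D Qi......07&.]..}
020 : E8 73 61 D1 ED 39 10 60 A5 4F D0 E6 CC E7 8E 50 .sa..9.`.O.....P
030 : 5F 9A 47 AF 43 94 6D 6B CA 84 CD 55 89 E1 BD 03 _.G.C.mk...U....
"""
# "OFFSET : up to 16 hex pairs"; the trailing ASCII column is ignored.
ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*((?:[0-9A-Fa-f]{2}(?:\s+|$)){1,16})")

def parse_snort_hexdump(text: str) -> bytes:
    """Rebuild payload bytes from hexdump rows; non-contiguous offsets raise."""
    out = bytearray()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # separator, "Header:" and "length" lines
        offset = int(m.group(1), 16)
        if offset != len(out):  # a dropped or reordered row would shift everything
            raise ValueError(f"row offset {offset:#x}, expected {len(out):#x}")
        out.extend(bytes.fromhex(m.group(2)))
    return bytes(out)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; the ceiling for n bytes is log2(min(n, 256))."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def printable_ratio(data: bytes) -> float:
    """Share of bytes snort shows in its ASCII column (0x20-0x7E)."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data) if data else 0.0

def triage(text: str) -> dict:
    """Near-ceiling entropy plus few printable bytes points to packed or
    encrypted content rather than a plaintext protocol."""
    payload = parse_snort_hexdump(text)
    ent = shannon_entropy(payload)
    ceiling = math.log2(min(len(payload), 256)) if payload else 1.0
    return {
        "bytes": len(payload),
        "entropy": round(ent, 3),
        "entropy_ratio": round(ent / ceiling, 3),
        "printable_ratio": round(printable_ratio(payload), 3),
        "looks_like_text": printable_ratio(payload) > 0.9,
    }
```

With only 64 bytes the entropy ceiling is 6 bits, so compare against `entropy_ratio` rather than the usual 8-bit scale; running `triage` on successive captures of the same flow shows whether the payload is static (a fixed beacon) or changes every time.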
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com