Security Incidents mailing list archives
udp and dst port 1026
From: Jens Hektor <hektor () rz rwth-aachen de>
Date: Tue, 02 Dec 2003 00:20:38 +0100
Hi,

[original posting]

Starting around Nov 22 and increasing from Nov 24 until today I see packets floating around from various sources to almost any IP of our networks. Payload is two bytes with value zero. Any idea what this could be?

[as the moderator requested more info, here it comes]

Actually the whole thing started on November 19th and it has an exponential increase in the logs of our Cisco-ACL'd networks (about the equivalent of 40-60 Class-C's). A short packet dump reveals a netbios query for the netbios name of the machine followed by a "miniportscan" towards ports 1026-1031:

~ 0.000000 92 A.248.165.142 1041 B.226.246.145 137 NBNS Name query NBSTAT
~ <00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
~ 0.000375 60 A.248.165.142 1042 B.226.246.145 1026 UDP Source port: 1042 Destination port: 1026
~ 0.001249 60 A.248.165.142 1043 B.226.246.145 1027 UDP Source port: 1043 Destination port: 1027
~ 0.001250 60 A.248.165.142 1044 B.226.246.145 1028 UDP Source port: 1044 Destination port: 1028
~ 0.001373 60 A.248.165.142 1045 B.226.246.145 1029 UDP Source port: 1045 Destination port: 1029
~ 0.001750 60 A.248.165.142 1046 B.226.246.145 1030 UDP Source port: 1046 Destination port: 1030
~ 0.002373 60 A.248.165.142 1047 B.226.246.145 1031 UDP Source port: 1047 Destination port: 1031

At the moment the traffic is not very high but it's really noticeable in our packet filter logs. We have now there about 3000 denied accesses/h spread over various lists. It should be easily detectable in your packet filter logs, too. And: if it keeps increasing at the same rate, we here will have a real problem in a few days.

Bye, Jens Hektor

P.S. It's already tracked at the DFN-CERT #44733
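The pattern Jens describes (an NBNS NBSTAT name query to port 137, then one UDP probe each to ports 1026-1031 from the same source within a few milliseconds) is easy to pick out of a packet summary once the lines are parsed per source/destination pair. The detector below is an added example written for this archive page; it is not code from the original message or from DFN-CERT. It assumes the column layout of the dump quoted above (relative time, frame length, source, source port, destination, destination port, protocol, info), tolerates the "~ " quoting marker and skips the hex payload continuation line. The addresses and lines in SAMPLE_DUMP are constructed test data, not traffic from the post.

```python
"""Flag sources that send an NBSTAT query and then probe UDP 1026-1031.

Added example for the mailing-list post above; the summary-line format
and the sample traffic are assumptions modelled on the quoted dump.
"""
from collections import defaultdict

PROBE_PORTS = frozenset(range(1026, 1032))   # the "miniportscan" range from the post
WINDOW_SECONDS = 1.0                          # probes must follow the NBSTAT query this closely
MIN_PROBES = 3                                # distinct probed ports needed to call it a scan

# Constructed sample in the same column layout as the post's dump (documentation
# address ranges; the last two lines are a non-matching control case).
SAMPLE_DUMP = """\
0.000000 92 192.0.2.10 1041 198.51.100.7 137 NBNS Name query NBSTAT
<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
0.000375 60 192.0.2.10 1042 198.51.100.7 1026 UDP Source port: 1042 Destination port: 1026
0.001249 60 192.0.2.10 1043 198.51.100.7 1027 UDP Source port: 1043 Destination port: 1027
0.001250 60 192.0.2.10 1044 198.51.100.7 1028 UDP Source port: 1044 Destination port: 1028
0.001373 60 192.0.2.10 1045 198.51.100.7 1029 UDP Source port: 1045 Destination port: 1029
0.001750 60 192.0.2.10 1046 198.51.100.7 1030 UDP Source port: 1046 Destination port: 1030
0.002373 60 192.0.2.10 1047 198.51.100.7 1031 UDP Source port: 1047 Destination port: 1031
0.500000 78 192.0.2.20 3000 198.51.100.7 53 DNS Standard query A example.invalid
0.600000 92 192.0.2.30 1041 198.51.100.9 137 NBNS Name query NBSTAT
5.000000 60 192.0.2.30 1042 198.51.100.9 1026 UDP Source port: 1042 Destination port: 1026
"""


def parse_summary_lines(text):
    """Yield (time, src, sport, dst, dport, proto, info) for each packet line.

    Lines that do not start with a timestamp and port numbers (for example the
    "<00><00>..." payload continuation line) are skipped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("~"):          # mailer quoting marker as in the post
            line = line[1:].strip()
        parts = line.split(None, 7)
        if len(parts) < 7:
            continue
        try:
            t = float(parts[0])
            sport, dport = int(parts[3]), int(parts[5])
        except ValueError:
            continue
        info = parts[7] if len(parts) == 8 else ""
        yield t, parts[2], sport, parts[4], dport, parts[6], info


def detect_miniportscan(text, window=WINDOW_SECONDS, min_probes=MIN_PROBES):
    """Return {(src, dst): sorted probed ports} for pairs matching the pattern.

    A pair matches when at least `min_probes` distinct ports in PROBE_PORTS
    are hit within `window` seconds after an NBSTAT query to the same host.
    """
    last_nbstat = {}                 # (src, dst) -> time of the most recent NBSTAT query
    probed = defaultdict(set)        # (src, dst) -> ports hit inside the window
    for t, src, sport, dst, dport, proto, info in parse_summary_lines(text):
        key = (src, dst)
        if proto == "NBNS" and dport == 137 and "NBSTAT" in info:
            last_nbstat[key] = t
            probed[key] = set()      # a new query starts a new window
        elif proto == "UDP" and dport in PROBE_PORTS and key in last_nbstat:
            if t - last_nbstat[key] <= window:
                probed[key].add(dport)
    return {key: sorted(ports) for key, ports in probed.items()
            if len(ports) >= min_probes}


if __name__ == "__main__":
    for (src, dst), ports in detect_miniportscan(SAMPLE_DUMP).items():
        print(f"{src} -> {dst}: NBSTAT query followed by probes to {ports}")
```

Running it prints one hit for the first source, while the third source is not reported because its single probe arrives well outside the window. Feed it a tshark-style summary of your own filtered traffic to get per-source counts comparable to the "denied accesses/h" figure in the post.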