Security Incidents mailing list archives
UDP destination port 0 probes
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Mon, 17 Nov 2003 21:09:07 -0500
We had an incident of several hundred of packets like the one below coming in, nearly simultaneously from multiple sources. My guess is that most of the sources are spoofed. It swept several class C networks in a few minutes. Targets appear to be valid name servers. The same spoofed IP's were used as sources on each scanned class C. Is this known traffic of some sort? Is there a new worm running around? Have I missed something everyone else already knows about? Generated by ACID v0.9.6b23 on Mon, 17 Nov 2003 21:04:14 -0500 ------------------------------------------------------------------------ ------ #(3 - 356) [2003-11-17 19:53:50] nessus[cve/CVE-1999-0675] [icat/CVE-1999-0675] [snort/525] BAD-TRAFFIC udp port 0 traffic IPv4: 66.119.33.133 -> X.X.X.112 hlen=5 TOS=0 dlen=64 ID=45750 flags=0 offset=0 TTL=1 chksum=25982 UDP: port=53 -> dport: 0 len=44 Payload: length = 36 000 : B2 B6 80 81 00 00 00 00 00 00 00 00 00 00 00 00 ................ 010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 020 : 00 00 00 00 .... ------------------------------------------------------------------------ ------ ************************************************************************************************** The contents of this email and any attachments are confidential. It is intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies. ** this message has been scanned for viruses, vandals and malicious content ** ************************************************************************************************** --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
Current thread:
- UDP destination port 0 probes Keith T. Morgan (Nov 18)