Security Incidents mailing list archives
udp port 17304
From: <auto263187 () hushmail com>
Date: Fri, 15 Dec 2006 15:05:19 -0800
Anybody else seeing traffic to this port? I've had 10k nodes so far today get blocked at my firewall trying to access this port. I'm guessing it's a C&C net trying to do something, but I'm not positive yet.

The UDP payload (full packet below) is always 40 bytes but not always the same (some bytes are constant, others change). 25 bytes into the data I see the source's public IP address.

What's also weird is that I'm only seeing this traffic on one destination IP address. I've checked several other places and I don't see anything in the logs at those locations.

Open to any thoughts/suggestions...

Packet logged by pflog is below. IP packet starts at 0030, source has been masked with SS, dest is DD.

0000 2d 02 01 00 64 63 30 00 00 00 00 00 00 00 00 00 -...dc0. .........
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ .........
0020 00 00 00 00 00 00 00 05 ff ff ff ff 01 00 00 00 ........ .........
0030 45 00 00 5b 58 52 00 00 72 11 20 99 SS SS SS SS E..[XR.. r. .....
0040 DD DD DD DD 28 75 43 98 00 47 dd 10 8d ff 37 4e ....(uC. ..G....7N
0050 42 1d 3e 2e 00 00 04 04 24 04 fa f6 0f 00 00 00 B.>..... $.......
0060 00 00 0f 04 SS SS SS SS 5c 09 e4 6d 0d 5d 00 00 ........ \..m.]..
0070 01 0f 87 0f ....
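The packet from the post, decoded as an added example (not part of the original message): the script parses the hex rows as posted, treats the SS/DD masks as placeholders, and reports the IPv4/UDP header fields, the payload size declared by the UDP length field next to the number of payload bytes present in the dump, and where the masked source address sits inside the payload. The function names `load` and `analyse` are this example's own.

```python
import struct

# Hex rows copied from the post's pflog dump; SS/DD are the poster's masks
# for the source and destination address bytes.
DUMP = """
0000 2d 02 01 00 64 63 30 00 00 00 00 00 00 00 00 00
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0020 00 00 00 00 00 00 00 05 ff ff ff ff 01 00 00 00
0030 45 00 00 5b 58 52 00 00 72 11 20 99 SS SS SS SS
0040 DD DD DD DD 28 75 43 98 00 47 dd 10 8d ff 37 4e
0050 42 1d 3e 2e 00 00 04 04 24 04 fa f6 0f 00 00 00
0060 00 00 0f 04 SS SS SS SS 5c 09 e4 6d 0d 5d 00 00
0070 01 0f 87 0f
"""
IP_START = 0x30  # stated in the post: "IP packet starts at 0030"

def load(dump):
    """Return (bytes, mask); mask[i] is 'SS', 'DD' or None for each byte."""
    data, mask = bytearray(), []
    for row in dump.split("\n"):
        for tok in row.split()[1:]:          # skip the offset column
            masked = tok in ("SS", "DD")
            data.append(0 if masked else int(tok, 16))
            mask.append(tok if masked else None)
    return bytes(data), mask

def analyse(dump=DUMP):
    data, mask = load(dump)
    ip = data[IP_START:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len, = struct.unpack("!H", ip[2:4])
    ttl, proto = ip[8], ip[9]
    sport, dport, udp_len, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    pay_off = IP_START + ihl + 8             # first payload byte in the dump
    pay_mask = mask[pay_off:]
    return {
        "ttl": ttl, "proto": proto, "ip_total_len": total_len,
        "sport": sport, "dport": dport,
        "declared_payload": udp_len - 8,     # from the UDP length field
        "captured_payload": len(data) - pay_off,
        # 0-based offset of the masked source address inside the payload
        "src_ip_offset": pay_mask.index("SS") if "SS" in pay_mask else None,
    }

if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:17} {value}")
```

The 0-based offset 24 is the 25th payload byte, which matches the position of the source address described in the post.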
Current thread:
- udp port 17304 auto263187 (Dec 15)