Snort mailing list archives
Norton AntiVirus Client Installation Server
From: Phil Wood <cpw () lanl gov>
Date: Fri, 25 Jul 2003 13:31:39 -0600
Folks,

If you have ever wanted to know what might be listening on udp port 38293 on your network, or why you might see "scans" to it, then read on.

I believe the systems listening on this port are Windows clients of a Norton AntiVirus Client "server". The reason I am seeing probably more than my share of scans from various servers around the Internet to port 38293 is that one of our networks is 192.16.22.0 (which could be a bastardization of 192.168.22.0, one of the non-routable type addresses used for internal networks).

The udp packets have the following properties:

  IP total length: 44
  IP Protocol: 17
  UDP destination port: 38293
  First 4 bytes of data: 0x020a00c0

Remaining bytes are one of two hex strings:

  1. 4c445650 4869434d 00000000 0000: "LDVPHiCM..."
  2. 4869434d 4869434d 00000000 0000: "HiCMHiCM..."

What cinched it for me was taking the source IP address of these packets and seeing if it might be listening to port 80 [for me this trick sometimes helps to understand an unresolvable IP address]. Lo and Behold:

=========== modified html ====================================================
[html]
[head]
[meta NAME="GENERATOR" Content="Microsoft Developer Studio"]
[meta HTTP-EQUIV="Content-Type" content="text/html; charset=iso-8859-1"]
[meta NAME="Copyright" Content="Copyright 2001 Symantec Corporation"]
[!-- Norton AntiVirus Client Installation --]
[!-- Copyright 2001 Symantec Corporation --]
[title]Norton AntiVirus Client Installation [/title]
[/head]
[frameset COLS="100%,*"]
[frame SRC="OSCheck.htm"]
[/frameset]
[noframes]
[b]
This browser does not support FRAMESET. Please use Internet Explorer 4.0 or Higher. If you need assistance, please contact your system administrator or help desk staff.
[/b]
[/noframes]
[/html]
==============================================================================

I assume that most if not all of the symantec packets are benign, and the inordinate number that I see is just the luck of the draw.
Later, Phil -- Phil Wood, cpw () lanl gov
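The packet properties Phil lists above are enough to write a small offline classifier, which is added here as an example and is not Phil's code or anything from Symantec. It parses a raw IPv4/UDP datagram and reports which of the two marker strings it carries, keying on protocol 17, destination port 38293, the 0x020a00c0 prefix and the "LDVPHiCM"/"HiCMHiCM" bytes. One arithmetic caveat: the two hex strings in the post are 14 bytes each, which with the 4-byte prefix, a 20-byte IP header and an 8-byte UDP header gives 46, not the stated total length of 44, so the classifier accepts any run of trailing zero bytes rather than insisting on an exact length. The sample packets, addresses and source ports are constructed, checksums are left at zero, and the Snort rule string is a rough equivalent written for this example rather than a rule from the list.

```python
import socket
import struct
from typing import Dict, List, Optional

# Added example for this archive page (not Phil Wood's code). It checks raw
# IPv4/UDP datagrams against the properties listed in the post: protocol 17,
# UDP destination port 38293, a 4-byte data prefix of 0x020a00c0, then one of
# the two marker strings "LDVPHiCM" / "HiCMHiCM" followed by zero bytes.
NAV_PORT = 38293
NAV_PREFIX = bytes.fromhex("020a00c0")
NAV_MARKERS = {
    bytes.fromhex("4c4456504869434d"): "LDVPHiCM",
    bytes.fromhex("4869434d4869434d"): "HiCMHiCM",
}

# Rough Snort equivalent, written for this example (not from the post); the
# "HiCM" bytes sit at payload offset 8 in both variants. Verify against the
# Snort version you run before deploying it.
SNORT_RULE = (
    'alert udp any any -> $HOME_NET 38293 (msg:"Symantec NAV client check-in";'
    ' content:"|02 0A 00 C0|"; depth:4; content:"HiCM"; offset:8; depth:4;'
    ' classtype:misc-activity; sid:1000001; rev:1;)'
)


def classify_nav_probe(pkt: bytes) -> Optional[str]:
    """Return the marker name if pkt (a raw IPv4 datagram) matches the
    pattern from the post, otherwise None."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or ihl < 20 or total_len > len(pkt):
        return None
    pkt = pkt[:total_len]                      # drop any link-layer padding
    if len(pkt) < ihl + 8:
        return None
    _, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != NAV_PORT or udp_len < 8:
        return None
    payload = pkt[ihl + 8:ihl + udp_len]
    if not payload.startswith(NAV_PREFIX):
        return None
    rest = payload[len(NAV_PREFIX):]
    for marker, name in NAV_MARKERS.items():
        # marker must be followed only by zero bytes (any count)
        if rest.startswith(marker) and not rest[len(marker):].strip(b"\x00"):
            return name
    return None


def build_udp_datagram(src: str, dst: str, sport: int, dport: int,
                       payload: bytes) -> bytes:
    """Build an IPv4/UDP datagram for offline testing (checksums left at 0)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                         17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload


def summarize(packets: List[bytes]) -> Dict[str, int]:
    """Count matching packets per marker string; non-matches are skipped."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        name = classify_nav_probe(pkt)
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed samples (addresses and source ports are made up). The post
# gives an IP total length of 44 = 20 + 8 + 16, so the matching payloads
# here are padded to 16 bytes.
SAMPLES = [
    build_udp_datagram("192.0.2.10", "192.16.22.5", 38293, NAV_PORT,
                       NAV_PREFIX + bytes.fromhex("4c4456504869434d") + b"\x00" * 4),
    build_udp_datagram("192.0.2.11", "192.16.22.7", 38293, NAV_PORT,
                       NAV_PREFIX + bytes.fromhex("4869434d4869434d") + b"\x00" * 4),
    # same port, different prefix: should not match
    build_udp_datagram("192.0.2.12", "192.16.22.7", 4000, NAV_PORT, b"\x00" * 16),
    # right payload, wrong port: should not match
    build_udp_datagram("192.0.2.13", "192.16.22.9", 4000, 80,
                       NAV_PREFIX + bytes.fromhex("4c4456504869434d") + b"\x00" * 4),
]

if __name__ == "__main__":
    print(summarize(SAMPLES))   # {'LDVPHiCM': 1, 'HiCMHiCM': 1}
```

Feeding real captures through classify_nav_probe (for instance the IP-layer bytes pcap gives you after stripping the Ethernet header) lets you confirm whether the traffic hitting 38293 on your network carries these markers before deciding it is benign client check-in traffic.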