w1re p4ir <w1rep4irat_private> writes:

> Hello all,
> Ok I recently completed an audit of a company. I noticed they had
> 31337 udp on a couple dev's/hosts... Could this be some type of

What do you mean by this? Do you mean that the cisco router in question was listening for UDP packets to port 31337? And how do you know that it was actually listening for these packets instead of simply blocking them? (nmap's standard -sU scan can't tell the difference; indeed, unless the router sends a response, nothing can tell the difference)

31337 (i.e. "ElEET") is a common number that crackers and scripties have been putting into their scripts for ages and ages; is it possible that cisco simply blocks this port by default? What about udp port 31337 packets sent across this router (i.e. from a machine on one side to a machine on the other side)? Do they get through? What about tcp port 31337 connections across this router?

(It's also quite believable that if someone were to break into a cisco router, they'd make port 31337 their management port).

Northcutt's _Network_Intrusion_Detection_ recommends that any ids flag packets to or from port 31337, or with any id/sequence number of 31337.

The CDROM server I'd be a bit more wary of, as I don't know why it would be doing anything unusual to the packets it receives.
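The flagging rule mentioned in the reply, as an added example that is not part of the original post or taken from the book: a Python check over raw IPv4 packets for port 31337 or an ID/sequence value of 31337. Reading "id/sequence number" as the IP ID field and the TCP sequence number is an assumption, and the sample packets are constructed.

```python
import struct

MAGIC = 31337  # value the reply says an IDS should flag

def flag_packet(pkt):
    """Return the reasons a raw IPv4 packet matches the 31337 heuristic."""
    reasons = []
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return reasons                        # truncated or not IPv4
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return reasons
    ip_id, frag = struct.unpack("!HH", pkt[4:8])
    proto = pkt[9]
    if ip_id == MAGIC:
        reasons.append("ip-id")
    if frag & 0x1FFF:                         # later fragment: no L4 header here
        return reasons
    l4 = pkt[ihl:]
    if proto in (6, 17) and len(l4) >= 4:     # TCP or UDP ports
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == MAGIC:
            reasons.append("src-port")
        if dport == MAGIC:
            reasons.append("dst-port")
    if proto == 6 and len(l4) >= 8:           # TCP sequence number
        (seq,) = struct.unpack("!I", l4[4:8])
        if seq == MAGIC:
            reasons.append("tcp-seq")
    return reasons

def build(proto, ip_id, sport, dport, seq=0):
    """Constructed sample packet; checksums are left at zero and not checked."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        l4 = struct.pack("!HHIIHHHH", sport, dport, seq, 0, 0x5002, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ip_id, 0, 64,
                     proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + l4

if __name__ == "__main__":
    for name, pkt in [("udp to 31337", build(17, 1, 40000, 31337)),
                      ("tcp id+seq", build(6, 31337, 40000, 80, seq=31337)),
                      ("ordinary tcp", build(6, 7, 40000, 443, seq=12345))]:
        print(name, flag_packet(pkt))
```

A match only says the packet carries the number; as the reply points out for the scan result, it does not by itself show that anything is listening.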
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 13:31:58 PDT