Re: 31337 udp, on cisco...?

From: Daniel Martin (dtmartin24at_private)
Date: Wed Apr 18 2001 - 11:05:42 PDT


    w1re p4ir <w1rep4irat_private> writes:
    
    > Hello all,
    
    > Ok I recently completed an audit of a company. I noticed they had
    > 31337 udp on a couple dev's/hosts... Could this be some type of
    
    What do you mean by this?  Do you mean that the Cisco router in
    question was listening for UDP packets to port 31337?  And how do you
    know that it was actually listening for these packets instead of
    simply blocking them?  (nmap's standard -sU scan can't tell the
    difference; indeed, unless the router sends a response, nothing can
    tell the difference)
    
    31337 (i.e. "ElEET") is a common number that crackers and scripties
    have been putting into their scripts for ages and ages; is it possible
    that Cisco simply blocks this port by default?  What about UDP port
    31337 packets sent across this router (i.e. from a machine on one side
    to a machine on the other side)?  Do they get through?  What about TCP
    port 31337 connections across this router?  (It's also quite
    believable that if someone were to break into a Cisco router, they'd
    make port 31337 their management port).  Northcutt's _Network_
    _Intrusion_Detection_ recommends that any IDS flag packets to or from
    port 31337, or with any id/sequence number of 31337.
    
    The CDROM server I'd be a bit more wary of, as I don't know why it
    would be doing anything unusual to the packets it receives.
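
The IDS rule that the message above attributes to Northcutt, as an added example that is not part of the original post: a check of raw IPv4 packets for source or destination port 31337, IP ID 31337, or TCP sequence number 31337. The function names, field labels and sample packets (documentation addresses, zeroed checksums) are constructed for illustration.

```python
import struct

MARK = 31337  # value the message says an IDS should flag

def flag_31337(pkt: bytes) -> list:
    """Return which fields of a raw IPv4 packet equal 31337."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return []
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return []
    ip_id, frag = struct.unpack_from("!HH", pkt, 4)
    hits = ["ip.id"] if ip_id == MARK else []
    if frag & 0x1FFF:          # later fragments carry no transport header
        return hits
    proto, l4 = pkt[9], pkt[ihl:]
    if proto in (6, 17) and len(l4) >= 4:   # TCP or UDP
        sport, dport = struct.unpack_from("!HH", l4)
        if sport == MARK:
            hits.append("src.port")
        if dport == MARK:
            hits.append("dst.port")
    if proto == 6 and len(l4) >= 8:
        if struct.unpack_from("!I", l4, 4)[0] == MARK:
            hits.append("tcp.seq")
    return hits

# --- constructed sample packets (documentation addresses, checksums left 0) ---
def ipv4(proto, payload, ip_id=1):
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), ip_id, 0, 64, proto, 0)
    return hdr + bytes([192, 0, 2, 1, 198, 51, 100, 7]) + payload

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def tcp(sport, dport, seq):
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, 0x5002, 1024, 0, 0)

SAMPLES = {
    "udp to 31337": ipv4(17, udp(40000, 31337)),
    "tcp syn, id+seq 31337": ipv4(6, tcp(1025, 80, 31337), ip_id=31337),
    "dns query": ipv4(17, udp(53000, 53)),
}

def scan(samples=SAMPLES):
    return {name: flag_31337(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name}: {hits or 'clean'}")
```

A match is a triage signal only: ordinary traffic can carry 31337 as an ephemeral port or IP ID by chance.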
    



    This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 13:31:58 PDT