Stray UDP activity?

From: sheib (sheibat_private)
Date: Fri Mar 08 2002 - 05:31:00 PST


    Howdy list,
    
    I got some strange UDP activity on my production machine. I am positive it's
    not due to some of my doings; no DNS servers running, no UDP-feeding
    daemons, etc.
    Snort detects no threat either. This occurs somehow periodically, every
    hour.
    It's no UDP scan. The very same ports are used all the time.
    
    
    <snip>
    
    05:56:47.258786 SRC.1028 > DST.38293: [udp sum ok] udp 16 (ttl 10, id 62722, len 44)
    0x0000   4500 002c f502 0000 0a11 267e 816b 5146        E..,......&~.kQF
    0x0010   c144 014b 0404 9595 0018 9fce 020a 00c0        .D.K............
    0x0020   4c44 5650 4869 434d 0000 0000                  LDVPHiCM....
    
    05:56:47.278756 SRC.1028 > DST.38293: [udp sum ok] udp 16 (ttl 10, id 62978, len 44)
    0x0000   4500 002c f602 0000 0a11 257e 816b 5146        E..,......%~.kQF
    0x0010   c144 014b 0404 9595 0018 b6ac 020a 00c0        .D.K............
    0x0020   4869 434d 4869 434d 0000 0000                  HiCMHiCM....
    
    05:56:48.988754 SRC.1028 > DST.38293: [udp sum ok] udp 16 (ttl 10, id 63234, len 44)
    0x0000   4500 002c f702 0000 0a11 247e 816b 5146        E..,......$~.kQF
    0x0010   c144 014b 0404 9595 0018 9fce 020a 00c0        .D.K............
    0x0020   4c44 5650 4869 434d 0000 0000                  LDVPHiCM....
    
    05:56:48.998759 SRC.1028 > DST.38293: [udp sum ok] udp 16 (ttl 10, id 63490, len 44)
    0x0000   4500 002c f802 0000 0a11 237e 816b 5146        E..,......#~.kQF
    0x0010   c144 014b 0404 9595 0018 b6ac 020a 00c0        .D.K............
    0x0020   4869 434d 4869 434d 0000 0000                  HiCMHiCM....
    
    05:56:49.008759 SRC.1028 > DST.38293: [udp sum ok] udp 16 (ttl 10, id 63746, len 44)
    0x0000   4500 002c f902 0000 0a11 227e 816b 5146        E..,......"~.kQF
    0x0010   c144 014b 0404 9595 0018 9fce 020a 00c0        .D.K............
    0x0020   4c44 5650 4869 434d 0000 0000                  LDVPHiCM....
    
    05:56:49.018758 SRC.1028 > DST.38293: [udp sum ok] udp 16 (ttl 10, id 64002, len 44)
    0x0000   4500 002c fa02 0000 0a11 217e 816b 5146        E..,......!~.kQF
    0x0010   c144 014b 0404 9595 0018 b6ac 020a 00c0        .D.K............
    0x0020   4869 434d 4869 434d 0000 0000                  HiCMHiCM....
    
    [...]
    
    
    Mar  8 12:53:59 grind kernel: IN=ppp1 OUT= MAC= SRC=SRC DST=DST LEN=44 TOS=0x00 PREC=0x00 TTL=10 ID=17674 PROTO=UDP SPT=1028 DPT=38293 LEN=24
    Mar  8 13:54:22 grind kernel: IN=ppp1 OUT= MAC= SRC=SRC DST=DST LEN=44 TOS=0x00 PREC=0x00 TTL=10 ID=18186 PROTO=UDP SPT=1028 DPT=38293 LEN=24
    
    </snip>
    
    
    0x0020s anyone?
    
    /proc/net/udp claims:
    
      sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
    
    ^^^^^^^^^^^^^^^^^^
    no udp connections
    
    
    [Wild] suggestions are welcome.
    
    
    /s
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
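Added example, not from the original post or from any tool the poster ran: a small Python decoder that rebuilds the raw datagram from the tcpdump hex columns quoted above, parses the IPv4 and UDP headers, verifies both checksums the way tcpdump's `[udp sum ok]` does, and renders the 16-byte payload whose 0x0020 line the poster asks about. The two dumps embedded in it are copied from the first two packets in the mail (constructed input for the example); the function names and output format are this example's own assumptions.

```python
import re
import struct

# Constructed input: the first two hex dumps from the post, with the offset and
# ASCII columns kept as tcpdump -x prints them.
DUMP_1 = """\
0x0000   4500 002c f502 0000 0a11 267e 816b 5146        E..,......&~.kQF
0x0010   c144 014b 0404 9595 0018 9fce 020a 00c0        .D.K............
0x0020   4c44 5650 4869 434d 0000 0000                  LDVPHiCM....
"""
DUMP_2 = """\
0x0000   4500 002c f602 0000 0a11 257e 816b 5146        E..,......%~.kQF
0x0010   c144 014b 0404 9595 0018 b6ac 020a 00c0        .D.K............
0x0020   4869 434d 4869 434d 0000 0000                  HiCMHiCM....
"""

# A hex column token is a 16-bit word (4 hex digits) or a trailing odd byte (2).
HEX_WORD = re.compile(r"^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})$")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw packet bytes from a tcpdump -x style dump.

    Each line holds an offset, up to eight 16-bit words and an ASCII column.
    The ASCII column is dropped by stopping after eight words or at the first
    token that is not 2 or 4 hex digits.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith("0x"):
            continue
        words = 0
        for tok in tokens[1:]:
            if words == 8 or not HEX_WORD.match(tok):
                break
            out += bytes.fromhex(tok)
            words += 1
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum_valid(data: bytes) -> bool:
    """Summing a block that includes its own checksum field must give 0xFFFF."""
    return ones_complement_sum(data) == 0xFFFF


def decode_ipv4_udp(pkt: bytes) -> dict:
    """Parse the IPv4 and UDP headers, verify both checksums, return the payload."""
    (version_ihl, _tos, total_len, ip_id, _flags_frag, ttl, proto,
     _hdr_sum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = version_ihl >> 4, (version_ihl & 0x0F) * 4
    if version != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    udp = pkt[ihl:total_len]
    sport, dport, udp_len, udp_sum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:udp_len]
    # The UDP checksum covers a pseudo-header (addresses, zero, protocol,
    # UDP length) followed by the UDP header and data; a zero field means "absent".
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, udp_len)
    udp_ok = None if udp_sum == 0 else checksum_valid(pseudo + udp[:udp_len])
    return {
        "ip_id": ip_id, "ttl": ttl, "total_len": total_len,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ip_checksum_ok": checksum_valid(pkt[:ihl]),
        "sport": sport, "dport": dport, "udp_len": udp_len,
        "udp_checksum_ok": udp_ok,
        "payload": payload,
        "payload_ascii": "".join(chr(b) if 32 <= b < 127 else "." for b in payload),
    }


def decode_dump(dump: str) -> dict:
    return decode_ipv4_udp(parse_tcpdump_hex(dump))


if __name__ == "__main__":
    for dump in (DUMP_1, DUMP_2):
        info = decode_dump(dump)
        print(f"id={info['ip_id']} ttl={info['ttl']} {info['sport']}->{info['dport']} "
              f"udp_len={info['udp_len']} ip_sum_ok={info['ip_checksum_ok']} "
              f"udp_sum_ok={info['udp_checksum_ok']} "
              f"payload={info['payload'].hex()} '{info['payload_ascii']}'")
```

Run stand-alone it prints one line per datagram; both checksums verify, so these are well-formed datagrams rather than line noise or truncated fragments, and the decoder makes the constant source port, the fixed destination port and the IP ID climbing by 0x100 from one datagram to the next directly visible. The first four payload bytes (02 0a 00 c0) are the part of the 0x0020 question that the ASCII column hides behind dots.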
    



    This archive was generated by hypermail 2b30 : Fri Mar 08 2002 - 14:16:05 PST