Hi all,

Today my IDS detected some strange traffic on our network. One of the workstations (W98) of one of our administrators suddenly started a connection to an internet machine and tried to deliver packages on UDP port 5400 of that machine. Fortunately, UDP connections are not allowed from the internal to the external network, but still....

While investigating the workstation, nothing suspicious could be found, but it kept trying to reach that Internet machine. The closest trojan I could match to UDP5400 was bladerunner ((c) 1999), but the signature of bladerunner was not present on the client. Also neither a trojan checking program (pestpatrol) nor anti virus software (mcafee) noticed something suspicious on the drives.

Anyone here got any ideas, experienced something like this before or knows how to make some more sense out of the packets captured by snort (example attached to e-mail)?

kind regards,
maarten

==================
Header: 4 5 0 60028 1282 0 0 128 60373
=== length = 4063
000 : 7F 11 3F 16 13 60 8B 7A 99 04 97 9F 48 B8 CB 28 .?..`.z....H..(
010 : 51 69 BF 19 9B BD 0E 0F 30 37 26 BA 5D 11 A7 7D Qi......07&.]..}
020 : E8 73 61 D1 ED 39 10 60 A5 4F D0 E6 CC E7 8E 50 .sa..9.`.O.....P
030 : 5F 9A 47 AF 43 94 6D 6B CA 84 CD 55 89 E1 BD 03 _.G.C.mk...U....
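One way to get more out of a snort payload dump like the one quoted above is to parse the hex columns back into bytes and look at two things a defender cares about: whether the payload contains any readable strings (protocol banners, host names, file names) and how close its byte entropy is to the 8-bit maximum, since compressed, encrypted or random data sits near the top while plain text or a known protocol sits well below it. The script below is an added example, not code from the original post; the embedded dump is the 64 bytes of the 4063-byte packet that were quoted in the e-mail (the rest is not on the page), the `offset : XX XX ... <ascii>` line layout is assumed from that quote, and the entropy threshold of 5.5 bits/byte is an illustrative cut-off, not a standard.

```python
import math
from collections import Counter

# Constructed from the four snort dump lines quoted in the post; only the first
# 64 of the 4063 payload bytes were included there.
SNORT_DUMP = """\
000 : 7F 11 3F 16 13 60 8B 7A 99 04 97 9F 48 B8 CB 28 .?..`.z....H..(
010 : 51 69 BF 19 9B BD 0E 0F 30 37 26 BA 5D 11 A7 7D Qi......07&.]..}
020 : E8 73 61 D1 ED 39 10 60 A5 4F D0 E6 CC E7 8E 50 .sa..9.`.O.....P
030 : 5F 9A 47 AF 43 94 6D 6B CA 84 CD 55 89 E1 BD 03 _.G.C.mk...U....
"""

BYTES_PER_LINE = 16  # assumed dump layout: offset, colon, up to 16 hex bytes, ascii column


def _is_hex_byte(tok):
    return len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok)


def parse_hex_dump(text):
    """Rebuild the payload bytes from 'offset : XX XX ... <ascii>' lines.

    The hex offset of every line is checked against the number of bytes already
    collected, so a line dropped or duplicated while pasting is caught instead
    of silently shifting the payload.
    """
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        offset_str, rest = line.split(":", 1)
        try:
            offset = int(offset_str.strip(), 16)
        except ValueError:
            continue  # not a dump line (e.g. the 'Header:' line)
        if offset != len(out):
            raise ValueError(f"offset {offset:#05x} but {len(out)} bytes collected so far")
        chunk = []
        # Stop at the first non-hex token or after 16 bytes, so the ascii column
        # (which may itself start with two hex-looking characters) is not consumed.
        for tok in rest.split():
            if len(chunk) >= BYTES_PER_LINE or not _is_hex_byte(tok):
                break
            chunk.append(int(tok, 16))
        out.extend(chunk)
    return bytes(out)


def shannon_entropy(data):
    """Bits per byte: 8.0 for uniformly random bytes, roughly 4-5 for English text.

    For a short sample the maximum is log2(len(data)), not 8.0, because at most
    len(data) distinct values can appear; compare against that for tiny dumps.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_runs(data, min_len=4):
    """Return runs of at least min_len printable ASCII characters (space..~)."""
    runs, cur = [], []
    for b in data:
        if 32 <= b < 127:
            cur.append(chr(b))
        else:
            if len(cur) >= min_len:
                runs.append("".join(cur))
            cur = []
    if len(cur) >= min_len:
        runs.append("".join(cur))
    return runs


def summarise(dump_text, high_entropy_threshold=5.5):
    """Parse a snort dump and report the indicators an analyst looks at first."""
    data = parse_hex_dump(dump_text)
    ent = shannon_entropy(data)
    return {
        "bytes_parsed": len(data),
        "entropy_bits_per_byte": ent,
        "max_entropy_for_sample": min(8.0, math.log2(len(data))) if data else 0.0,
        "looks_encrypted_or_compressed": ent >= high_entropy_threshold,
        "printable_strings": printable_runs(data),
    }


if __name__ == "__main__":
    for k, v in summarise(SNORT_DUMP).items():
        print(f"{k}: {v}")
```

On the quoted 64 bytes this reports entropy just under the 6.0-bit ceiling that a 64-byte sample can reach and no printable string of four or more characters, which is consistent with the `.?..` ASCII column in the post: nothing in the visible payload identifies a protocol, so the next useful step is correlating the destination address and the process that opens the socket rather than staring at the bytes.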
This archive was generated by hypermail 2b30 : Fri Mar 29 2002 - 15:43:42 PST