Strange UDP Activity

From: LAVELLE,MICHAEL (HP-PaloAlto,ex1) (mlavelleat_private)
Date: Tue Apr 16 2002 - 08:36:25 PDT


    Greetings to the List,
    
    I recently started seeing strange UDP traffic to my home DSL, which is
    included below. It has been active for the last 4 days at all hours. None of
    these IPs are DNS servers that I use, and much of the activity is when all
    of my computers are off. Google led me to port 1067 as being an SNMP port,
    but I have SNMP disabled on all devices at home, and the ACL blocks it
    anyway.
    
    Is there a new vulnerability going around that I missed? So far I have not
    read anything on the list that looks like this...any ideas?
    
    Thanks for listening,
    
    Mike
    ___________________________
    
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53) -> X.X.55.121(1067), 4 packets
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.112.36.4(53) -> X.X.55.121(1067), 3 packets
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.32.64.12(53) -> X.X.55.121(1067), 5 packets
    Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) -> X.X.55.121(1067), 1 packet
    Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.5.5.241(53) -> X.X.55.121(1067), 7 packets
    Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.9.0.107(53) -> X.X.55.121(1067), 7 packets
    Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 193.0.14.129(53) -> X.X.55.121(1067), 7 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.8.10.90(53) -> X.X.55.121(1067), 4 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.63.2.53(53) -> X.X.55.121(1067), 3 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.203.230.10(53) -> X.X.55.121(1067), 6 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.4(53) -> X.X.55.121(1067), 3 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.10(53) -> X.X.55.121(1067), 3 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 3 packets
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
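The first thing an analyst would do with a log like the one above is parse it and look at the shape of the traffic rather than at individual lines. The script below is an added example, not part of Mike's post or of any SecurityFocus tooling: it parses Cisco IOS `%SEC-6-IPACCESSLOGP` lines, totals packets per source, and reports what the port pattern says. The sample input is the post's own log lines, re-joined onto single lines (the mail wrapping split them); the regex field names and the `characterize` wording are my own choices.

```python
import re
from collections import Counter

# Cisco IOS ACL packet log with ports (IPACCESSLOGP). Field names are my own.
# The destination host is left as the post printed it (X.X.55.121), so the
# address pattern also accepts the masked "X" octets.
ACL_LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\dX.]+)\((?P<sport>\d+)\) -> (?P<dst>[\dX.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

# The log lines from the post, each joined back onto one line.
SAMPLE_LOG = """\
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.112.36.4(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.32.64.12(53) -> X.X.55.121(1067), 5 packets
Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) -> X.X.55.121(1067), 1 packet
Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.5.5.241(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.9.0.107(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 193.0.14.129(53) -> X.X.55.121(1067), 7 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.8.10.90(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.63.2.53(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.203.230.10(53) -> X.X.55.121(1067), 6 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.4(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.10(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 3 packets
"""


def parse_line(line):
    """Parse one ACL log line into a dict, or None if it is not one."""
    m = ACL_LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    for key in ("sport", "dport", "count"):
        event[key] = int(event[key])
    return event


def summarize(text):
    """Aggregate all parseable lines: port sets, hosts, packets per source."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    packets_by_source = Counter()
    for e in events:
        packets_by_source[e["src"]] += e["count"]
    return {
        "events": len(events),
        "total_packets": sum(e["count"] for e in events),
        "protocols": {e["proto"] for e in events},
        "src_ports": {e["sport"] for e in events},
        "dst_ports": {e["dport"] for e in events},
        "dst_hosts": {e["dst"] for e in events},
        "packets_by_source": dict(packets_by_source),
    }


def characterize(summary):
    """Turn the aggregate into the observations an analyst would note."""
    notes = []
    if summary["protocols"] == {"udp"} and summary["src_ports"] == {53}:
        notes.append("every packet comes from udp/53: DNS-reply-shaped traffic, "
                     "not a scan across ports")
    if len(summary["dst_hosts"]) == 1 and len(summary["dst_ports"]) == 1:
        notes.append("all packets land on one host and one port, the pattern of "
                     "replies addressed to a single client socket")
    notes.append(f"{len(summary['packets_by_source'])} distinct sources, "
                 f"{summary['total_packets']} packets in {summary['events']} log entries")
    return notes


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, n in sorted(s["packets_by_source"].items(), key=lambda kv: -kv[1]):
        print(f"{src:>16}  {n} packets")
    for note in characterize(s):
        print("-", note)
```

Run against the post's lines this reports 14 entries, 60 packets, 13 distinct sources all sending from udp/53 to the single port 1067 on one host. That shape is the useful clue for the next step (checking whether anything inside the network is sending queries with that source port, or whether the address is being used as a source by someone else), which is a different question from "which service listens on 1067".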
    



    This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 09:43:38 PDT