RE: Strange UDP Activity

From: Steve Vawter (svawterat_private)
Date: Tue Apr 16 2002 - 10:05:48 PDT


    According to my sources (Internet Assigned Numbers Authority,
    http://www.iana.org/)
    port 1067/udp (&tcp) is for Installation Bootstrap Proto. Serv., whatever
    that means.  Where did you find SMTP?  SMTP lives on port 25/tcp.  Unless
    some sites run it in strange places for "security" through obscurity
    reasons.  Many scanners seem to be using a source of 53/udp recently (I see
    the same at home on a dialup) likely to make themselves part of the
    background DNS noise.  It doesn't work, we see you.  Stop.
    
    My comments are my own and have NOTHING to do with Zone Labs or its
    policies.
    I'm just a UNIX geek after all.  ; }
    
    Steve Vawter
    UNIX SYSTEM ADMINISTRATOR
    Zone Labs, Inc.
    1060 Howard Street
    San Francisco CA 94103
    ph    415-341-8323
    fax   415-341-8299
    cell  510-409-9184
    pager 877-933-0549
    
    -----Original Message-----
    From: LAVELLE,MICHAEL (HP-PaloAlto,ex1) [mailto:mlavelleat_private]
    Sent: Tuesday, April 16, 2002 8:36 AM
    To: incidentsat_private
    Subject: Strange UDP Activity
    
    
    Greetings to the List,
    
    I recently started seeing strange UDP traffic to my home DSL, which is
    included below. It has been active for the last 4 days at all hours. None of
    these IPs are DNS servers that I use, and much of the activity is when all
    of my computers are off. Google led me to port 1067 as being an SNMP port,
    but I have SNMP disabled on all devices at home, and the ACL blocks it
    anyway.
    
    Is there a new vulnerability going around that I missed? So far I have not
    read anything on the list that looks like this...any ideas?
    
    Thanks for listening,
    
    Mike
    ___________________________
    
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53)
    -> X.X.55.121(1067), 4 packets
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53)
    -> X.X.55.121(1067), 4 packets
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.112.36.4(53)
    -> X.X.55.121(1067), 3 packets
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.32.64.12(53)
    -> X.X.55.121(1067), 5 packets
    Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) ->
    X.X.55.121(1067), 1 packet
    Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.5.5.241(53) ->
    X.X.55.121(1067), 7 packets
    Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.9.0.107(53) ->
    X.X.55.121(1067), 7 packets
    Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 193.0.14.129(53)
    -> X.X.55.121(1067), 7 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.8.10.90(53) ->
    X.X.55.121(1067), 4 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.63.2.53(53) ->
    X.X.55.121(1067), 3 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.203.230.10(53)
    -> X.X.55.121(1067), 6 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.4(53) ->
    X.X.55.121(1067), 3 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.10(53) ->
    X.X.55.121(1067), 3 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53)
    -> X.X.55.121(1067), 3 packets
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
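The triage Steve describes (look at who is sending from 53/udp, and whether it is anyone you actually talk to) can be automated against the router log format Mike posted. The following is an added example, not code from either poster or from SecurityFocus: it parses Cisco IOS `%SEC-6-IPACCESSLOGP` lines, groups UDP flows sourced from port 53 by destination port, and gives a verdict per port. The sample log is constructed from the addresses and ports in the post (unwrapped) plus two extra lines that are not in the post, and `KNOWN_RESOLVERS` is a hypothetical allowlist standing in for "the DNS servers that I use". One caveat the classifier encodes: a fan-in of many sources on 53/udp to one high port is what a scan that hides in DNS noise looks like, but it is also what legitimate replies to a resolver query from that port look like, so the verdict says to check resolver state for that port rather than declaring a scan outright.

```python
"""Triage Cisco IOS ACL denials for UDP traffic sourced from port 53."""
import re
from collections import defaultdict

# IOS "%SEC-6-IPACCESSLOGP" line as it appears in the post, e.g.
#   Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>tcp|udp) "
    r"(?P<src>[^\s(]+)\((?P<sport>\d+)\) -> (?P<dst>[^\s(]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

# Constructed sample: six lines taken from the post (unwrapped), then two lines
# that are NOT in the post: a reply from a configured resolver and a non-DNS source.
SAMPLE_LOG = """\
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53) -> X.X.55.121(1067), 4 packets
Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.112.36.4(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) -> X.X.55.121(1067), 1 packet
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.4(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 3 packets
Apr 14 22:50:01: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.53(53) -> X.X.55.121(40123), 1 packet
Apr 14 22:50:07: %SEC-6-IPACCESSLOGP: list 100 denied udp 203.0.113.9(31337) -> X.X.55.121(137), 2 packets
"""

# Hypothetical allowlist: the resolvers this site is actually configured to use.
KNOWN_RESOLVERS = {"10.0.0.53"}


def parse_line(line):
    """Return a dict for one ACL log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse every matching line of a log blob; non-matching lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize_port53(records):
    """Group UDP flows with source port 53 by (dst, dport).

    Returns {(dst, dport): {"sources": set of src IPs, "packets": total}}.
    """
    summary = defaultdict(lambda: {"sources": set(), "packets": 0})
    for r in records:
        if r["proto"] == "udp" and r["sport"] == 53:
            entry = summary[(r["dst"], r["dport"])]
            entry["sources"].add(r["src"])
            entry["packets"] += r["count"]
    return dict(summary)


def classify(dport, sources, known_resolvers=KNOWN_RESOLVERS):
    """Verdict code for one destination port hit from 53/udp.

    known-resolver    every source is a resolver we configured: ordinary reply
    fan-in-high-port  3+ unknown sources on one ephemeral port: either a scan
                      using sport 53 to blend into DNS noise, or stray replies;
                      check whether the host had a query outstanding on dport
    single-unknown    anything else from an unknown host on 53/udp: investigate
    """
    if sources and sources <= known_resolvers:
        return "known-resolver"
    unknown = sources - known_resolvers
    if len(unknown) >= 3 and dport >= 1024:
        return "fan-in-high-port"
    return "single-unknown"


def triage(text, known_resolvers=KNOWN_RESOLVERS):
    """Full pipeline: log text -> list of (dport, n_sources, packets, verdict)."""
    summary = summarize_port53(parse_log(text))
    rows = []
    for (dst, dport), entry in summary.items():
        verdict = classify(dport, entry["sources"], known_resolvers)
        rows.append((dport, len(entry["sources"]), entry["packets"], verdict))
    return sorted(rows)


if __name__ == "__main__":
    for dport, n_src, pkts, verdict in triage(SAMPLE_LOG):
        print(f"dport {dport}: {n_src} source(s), {pkts} packet(s): {verdict}")
```

Run it against your own `show logging` output piped into `triage()`; the `fan-in-high-port` rows are the ones to compare against what your resolver was doing at those timestamps, since a scanner cannot know which high port your stub resolver last used but a real reply will land on exactly that port.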



    This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 10:37:53 PDT