RE: Scanning Port UDP 4668

From: Lucas (Lucasat_private)
Date: Mon Jul 22 2002 - 09:36:34 PDT


    I did all sorts of Google searches and couldn't find anything known to run
    on that port.  Are these just dropped packets being logged?  It could be
    coming from streaming media content that picks from the dynamic port range.
    If your firewall is using a form of dynamic packet filtering where it opens
    temporary holes for sessions that originate on the inside, it's important to
    remember that UDP sessions are approximated and a lot of packets can be
    dropped.
    
    See if there's a PTR DNS record for the source IP.  Also, check the source
    IP's netblock ownership (WHOIS ARIN's database) to see if that might give
    some clues.  http://www.arin.net/
    
    If this doesn't help and you don't get any good info on that port,
    get us all a network trace if possible or at the very least, the
    syslog/firewall log.
    
    -Lucas
    
    
    -----Original Message-----
    From: Ken Grossman [mailto:kgrossmanat_private]
    Sent: Monday, July 22, 2002 8:47 AM
    To: incidentsat_private
    Subject: Scanning Port UDP 4668
    
    All,
    
    One of the groups that I support has been seeing a lot of scanning for UDP
    port 4668.  Before you ask, they did not quantify "a lot".  One of the
    questions that they have is what are the scanners looking for that is
    running on that port.  I checked the IANA port listing at
    www.iana.org/assignments/port-numbers and found that the port number (TCP
    and UDP) is unassigned.  I also performed a check on the SecurityFocus site
    to see if this had been discussed before but found nothing on it.  Does
    anyone know what could be running on that port number?  Thanks for your
    assistance.
    
    
    Ken Grossman, CISSP
    kgrossmanat_private
    (202) 401-7142
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
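
The triage suggested in the reply above (are the logged drops late replies to UDP sessions that started on the inside, or unsolicited probes?), as an added example that is not part of the original thread. The log format, the 10.0.0.0/8 inside network and every address in the sample are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, hypothetical format: epoch action proto src:sport > dst:dport
SAMPLE_LOG = """\
1027352100 ALLOW UDP 10.0.0.5:4668 > 198.51.100.20:7070
1027352101 ALLOW UDP 198.51.100.20:7070 > 10.0.0.5:4668
1027352200 DROP UDP 198.51.100.20:7070 > 10.0.0.5:4668
1027352201 DROP UDP 198.51.100.20:7070 > 10.0.0.5:4668
1027352300 DROP UDP 203.0.113.9:31337 > 10.0.0.5:4668
1027352301 DROP UDP 203.0.113.9:31337 > 10.0.0.6:4668
1027352302 DROP UDP 203.0.113.9:31337 > 10.0.0.7:4668
"""

LINE = re.compile(r"(\d+) (ALLOW|DROP) UDP ([\d.]+):(\d+) > ([\d.]+):(\d+)$")
INSIDE = ipaddress.ip_network("10.0.0.0/8")  # assumption: the protected network


def is_inside(addr):
    return ipaddress.ip_address(addr) in INSIDE


def classify_drops(log_text, port=4668):
    """Split inbound drops to `port` into late replies and unsolicited packets.

    A drop is a late reply when the same 4-tuple, reversed, was allowed
    outbound earlier in the log: the firewall's approximated UDP "session"
    had expired before the remote side stopped sending.
    """
    outbound = set()                 # (in_ip, in_port, out_ip, out_port)
    late_replies = 0
    unsolicited = defaultdict(set)   # source IP -> inside hosts it hit
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                 # skip lines in another format
        _, action, src, sport, dst, dport = m.groups()
        sport, dport = int(sport), int(dport)
        if action == "ALLOW" and is_inside(src):
            outbound.add((src, sport, dst, dport))
        elif action == "DROP" and dport == port and is_inside(dst):
            if (dst, dport, src, sport) in outbound:
                late_replies += 1
            else:
                unsolicited[src].add(dst)
    return late_replies, {s: sorted(t) for s, t in unsolicited.items()}
```

A source left in the unsolicited map that touches several inside hosts is the one worth the PTR and WHOIS lookups and a packet trace.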
    
    



    This archive was generated by hypermail 2b30 : Mon Jul 22 2002 - 09:53:54 PDT