weird: udp port 0 traffic

From: Gianni Tedesco (gianniat_private)
Date: Mon Jan 27 2003 - 03:57:10 PST


    Looking through my IDS logs this morning, found a very weird little
    probe a couple of weeks ago. Anyone seen anything like this before?
    
    $ firecat ./db --format ascii --query "sid=525"
      packet: 2003-01-18 15:48:31.267261 len=126 caplen=126
       alert: [sig.udp] BAD TRAFFIC udp port 0 traffic (sid=525.4 prio=3)
       linux: if33554432:unicast - 256
          ip: 81.86.64.211 > 212.69.230.191 ttl=114 proto=17 len=46
         udp: 21614 > 0 len=26 csum=0xdc1
        data: Application layer data (18 bytes)
    00000 : ............P.P. 01 00 00 00 2E 00 00 00 2E 00 00 00 50 00 50 00
    00010 : Ow)>............ 4F 77 29 3E FD 13 04 00 00 00 00 00 00 00 00 00
    00020 : ..............{. 11 00 08 00 02 00 00 00 01 00 00 06 00 09 7B C6
    00030 : ................ A4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00040 : ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00050 : E.......r.^.QV@. 45 00 00 2E 9C F5 00 00 72 11 5E 9B 51 56 40 D3
    00060 : .E..Tn........JI D4 45 E6 BF 54 6E 00 00 00 1A 0D C1 08 13 4A 49
    00070 : ....abcdefghij   02 00 01 00 61 62 63 64 65 66 67 68 69 6A
    
      packet: 2003-01-18 15:49:01.070234 len=126 caplen=126
       alert: [sig.udp] BAD TRAFFIC udp port 0 traffic (sid=525.4 prio=3)
       linux: if33554432:unicast - 256
          ip: 81.86.64.211 > 212.69.230.191 ttl=114 proto=17 len=46
         udp: 21618 > 0 len=26 csum=0xdbd
        data: Application layer data (18 bytes)
    00000 : ............P.P. 01 00 00 00 2E 00 00 00 2E 00 00 00 50 00 50 00
    00010 : mw)>Z........... 6D 77 29 3E 5A 12 01 00 00 00 00 00 00 00 00 00
    00020 : ..............{. 11 00 08 00 02 00 00 00 01 00 00 06 00 09 7B C6
    00030 : ................ A4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00040 : ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00050 : E.......r.^.QV@. 45 00 00 2E 9D 01 00 00 72 11 5E 8F 51 56 40 D3
    00060 : .E..Tr........JI D4 45 E6 BF 54 72 00 00 00 1A 0D BD 08 13 4A 49
    00070 : ....abcdefghij   02 00 01 00 61 62 63 64 65 66 67 68 69 6A
    
      packet: 2003-01-18 15:49:36.001479 len=126 caplen=126
       alert: [sig.udp] BAD TRAFFIC udp port 0 traffic (sid=525.4 prio=3)
       linux: if33554432:unicast - 256
          ip: 81.86.64.211 > 212.69.230.191 ttl=114 proto=17 len=46
         udp: 21620 > 0 len=26 csum=0xdbb
        data: Application layer data (18 bytes)
    00000 : ............P.P. 01 00 00 00 2E 00 00 00 2E 00 00 00 50 00 50 00
    00010 : .w)>............ 90 77 29 3E C7 05 00 00 00 00 00 00 00 00 00 00
    00020 : ..............{. 11 00 08 00 02 00 00 00 01 00 00 06 00 09 7B C6
    00030 : ................ A4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00040 : ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00050 : E.......r.^.QV@. 45 00 00 2E 9D 0D 00 00 72 11 5E 83 51 56 40 D3
    00060 : .E..Tt........JI D4 45 E6 BF 54 74 00 00 00 1A 0D BB 08 13 4A 49
    00070 : ....abcdefghij   02 00 01 00 61 62 63 64 65 66 67 68 69 6A
    
    -- 
    // Gianni Tedesco (gianni at scaramanga dot co dot uk)
    lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
    8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
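As an added example (not part of the original post), the Python below decodes the IPv4 and UDP headers that appear from offset 0x50 of the first dump, verifies both checksums against the values the IDS printed, and flags the reserved destination port 0; the byte string is transcribed from the post and the function names are my own.

```python
"""Decode the IPv4/UDP bytes from the posted firecat dump and sanity-check them.

Added example, not part of the original post. The bytes are copied from offsets
0x50-0x7d of the first packet (the captured IP datagram); the capture framing
before that offset is not decoded here.
"""
import struct
from typing import Dict

# Transcribed from the first hex dump: 20-byte IPv4 header, 8-byte UDP header, 18 payload bytes.
FIRST_PROBE = bytes.fromhex(
    "45 00 00 2E 9C F5 00 00 72 11 5E 9B 51 56 40 D3"
    "D4 45 E6 BF 54 6E 00 00 00 1A 0D C1 08 13 4A 49"
    "02 00 01 00 61 62 63 64 65 66 67 68 69 6A"
)

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit ones-complement sum, odd trailing byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_ipv4_udp(pkt: bytes) -> Dict[str, object]:
    """Parse IPv4 + UDP headers, verify both checksums, and flag the port-0 oddity."""
    ver, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if ver != 4 or ihl < 20 or len(pkt) < ihl + 8:
        raise ValueError("not an IPv4 datagram carrying a UDP header")
    total_len, ttl, proto = struct.unpack("!H", pkt[2:4])[0], pkt[8], pkt[9]
    if proto != 17:
        raise ValueError(f"IP protocol {proto} is not UDP")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    udp = pkt[ihl:ihl + ulen]
    # The UDP checksum covers a pseudo-header (src, dst, zero, proto, length) plus the datagram.
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, ulen)
    return {
        "src": src, "dst": dst, "ttl": ttl, "ip_len": total_len,
        "ip_csum_ok": ones_complement_sum(pkt[:ihl]) == 0,
        "sport": sport, "dport": dport, "udp_len": ulen, "udp_csum": ucsum,
        # A zero UDP checksum means "not computed"; any other value must verify to 0.
        "udp_csum_ok": ucsum == 0 or ones_complement_sum(pseudo + udp) == 0,
        "payload": udp[8:],
        # Destination port 0 is reserved and never a real service: worth alerting on.
        "suspicious_port0": dport == 0,
    }

if __name__ == "__main__":
    for key, val in decode_ipv4_udp(FIRST_PROBE).items():
        print(f"{key:>16}: {val}")
```

Both checksums verify for the bytes in the post, so the datagram was not mangled in transit; the decoded fields match the ip:/udp: summary lines the IDS printed.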
    This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 09:22:11 PST