I picked this up this afternoon (timestamps are Eastern US). The packets contain (alternating) the following strings:

LDVPHiCM
and
HiCMHiCM

Searching (google is your friend) on these strings shows very little in the way of information (only 3 hits between the two strings), both of which are queries similar to mine.

The port being hit is associated with Norton Antivirus, but from my reading, it seems that the destination port (38293) would be the one that I would contact at Symantec for updates, and not something that I would have open. This leaves me with a worry that someone has a tool that is using the fact that people have poked holes in their firewalls for NAV updates to communicate with malware of some sort.

Note that the block from 193 -> 247 is not in use and is arpd'd to a sniffer box. I must say that it was nice of them to do all of this in under 3 seconds, but the IP addresses targeted confuse me.

[Networking is hard, let's go shopping!]

17:19:09.296363 203.213.110.206.10000 > w.x.y.193.38293: udp 16
17:19:09.303041 203.213.110.206.10000 > w.x.y.193.38293: udp 16
17:19:09.309982 203.213.110.206.10000 > w.x.y.193.38293: udp 16
17:19:09.316074 203.213.110.206.10000 > w.x.y.193.38293: udp 16
17:19:09.322687 203.213.110.206.10000 > w.x.y.193.38293: udp 16
17:19:09.329021 203.213.110.206.10000 > w.x.y.193.38293: udp 16
17:19:09.345791 203.213.110.206.10000 > w.x.y.194.38293: udp 16
17:19:09.352420 203.213.110.206.10000 > w.x.y.194.38293: udp 16
17:19:09.358861 203.213.110.206.10000 > w.x.y.194.38293: udp 16
17:19:09.365715 203.213.110.206.10000 > w.x.y.194.38293: udp 16
17:19:09.373142 203.213.110.206.10000 > w.x.y.194.38293: udp 16
17:19:09.378977 203.213.110.206.10000 > w.x.y.194.38293: udp 16
17:19:09.395589 203.213.110.206.10000 > w.x.y.195.38293: udp 16
17:19:09.402505 203.213.110.206.10000 > w.x.y.195.38293: udp 16
17:19:09.408878 203.213.110.206.10000 > w.x.y.195.38293: udp 16
17:19:09.417872 203.213.110.206.10000 > w.x.y.195.38293: udp 16
17:19:09.422089 203.213.110.206.10000 > w.x.y.195.38293: udp 16
17:19:09.428603 203.213.110.206.10000 > w.x.y.195.38293: udp 16
17:19:09.445479 203.213.110.206.10000 > w.x.y.196.38293: udp 16
17:19:09.451856 203.213.110.206.10000 > w.x.y.196.38293: udp 16
17:19:09.459025 203.213.110.206.10000 > w.x.y.196.38293: udp 16
17:19:09.464943 203.213.110.206.10000 > w.x.y.196.38293: udp 16
17:19:09.472234 203.213.110.206.10000 > w.x.y.196.38293: udp 16
17:19:09.478420 203.213.110.206.10000 > w.x.y.196.38293: udp 16
17:19:09.495320 203.213.110.206.10000 > w.x.y.197.38293: udp 16
17:19:09.501420 203.213.110.206.10000 > w.x.y.197.38293: udp 16
17:19:09.508203 203.213.110.206.10000 > w.x.y.197.38293: udp 16
17:19:09.514619 203.213.110.206.10000 > w.x.y.197.38293: udp 16
17:19:09.521674 203.213.110.206.10000 > w.x.y.197.38293: udp 16
17:19:09.598461 203.213.110.206.10000 > w.x.y.199.38293: udp 16
17:19:09.604964 203.213.110.206.10000 > w.x.y.199.38293: udp 16
17:19:09.610835 203.213.110.206.10000 > w.x.y.199.38293: udp 16
17:19:09.617365 203.213.110.206.10000 > w.x.y.199.38293: udp 16
17:19:09.623929 203.213.110.206.10000 > w.x.y.199.38293: udp 16
17:19:09.631165 203.213.110.206.10000 > w.x.y.199.38293: udp 16
17:19:09.747221 203.213.110.206.10000 > w.x.y.202.38293: udp 16
17:19:09.753063 203.213.110.206.10000 > w.x.y.202.38293: udp 16
17:19:09.759860 203.213.110.206.10000 > w.x.y.202.38293: udp 16
17:19:09.766568 203.213.110.206.10000 > w.x.y.202.38293: udp 16
17:19:09.773305 203.213.110.206.10000 > w.x.y.202.38293: udp 16
17:19:09.779858 203.213.110.206.10000 > w.x.y.202.38293: udp 16
17:19:09.796992 203.213.110.206.10000 > w.x.y.203.38293: udp 16
17:19:09.803167 203.213.110.206.10000 > w.x.y.203.38293: udp 16
17:19:09.809659 203.213.110.206.10000 > w.x.y.203.38293: udp 16
17:19:09.816449 203.213.110.206.10000 > w.x.y.203.38293: udp 16
17:19:09.822728 203.213.110.206.10000 > w.x.y.203.38293: udp 16
17:19:09.829604 203.213.110.206.10000 > w.x.y.203.38293: udp 16
17:19:09.846380 203.213.110.206.10000 > w.x.y.204.38293: udp 16
17:19:09.853276 203.213.110.206.10000 > w.x.y.204.38293: udp 16
17:19:09.859144 203.213.110.206.10000 > w.x.y.204.38293: udp 16
17:19:09.866193 203.213.110.206.10000 > w.x.y.204.38293: udp 16
17:19:09.872490 203.213.110.206.10000 > w.x.y.204.38293: udp 16
17:19:09.879233 203.213.110.206.10000 > w.x.y.204.38293: udp 16
17:19:09.896778 203.213.110.206.10000 > w.x.y.205.38293: udp 16
17:19:09.902212 203.213.110.206.10000 > w.x.y.205.38293: udp 16
17:19:09.908695 203.213.110.206.10000 > w.x.y.205.38293: udp 16
17:19:09.916072 203.213.110.206.10000 > w.x.y.205.38293: udp 16
17:19:09.922400 203.213.110.206.10000 > w.x.y.205.38293: udp 16
17:19:09.929037 203.213.110.206.10000 > w.x.y.205.38293: udp 16
17:19:09.995261 203.213.110.206.10000 > w.x.y.207.38293: udp 16
17:19:10.001491 203.213.110.206.10000 > w.x.y.207.38293: udp 16
17:19:10.008402 203.213.110.206.10000 > w.x.y.207.38293: udp 16
17:19:10.015397 203.213.110.206.10000 > w.x.y.207.38293: udp 16
17:19:10.021393 203.213.110.206.10000 > w.x.y.207.38293: udp 16
17:19:10.028045 203.213.110.206.10000 > w.x.y.207.38293: udp 16
17:19:10.048372 203.213.110.206.10000 > w.x.y.208.38293: udp 16
17:19:10.054628 203.213.110.206.10000 > w.x.y.208.38293: udp 16
17:19:10.061257 203.213.110.206.10000 > w.x.y.208.38293: udp 16
17:19:10.068163 203.213.110.206.10000 > w.x.y.208.38293: udp 16
17:19:10.074371 203.213.110.206.10000 > w.x.y.208.38293: udp 16
17:19:10.081190 203.213.110.206.10000 > w.x.y.208.38293: udp 16
17:19:10.098405 203.213.110.206.10000 > w.x.y.209.38293: udp 16
17:19:10.104681 203.213.110.206.10000 > w.x.y.209.38293: udp 16
17:19:10.111016 203.213.110.206.10000 > w.x.y.209.38293: udp 16
17:19:10.117747 203.213.110.206.10000 > w.x.y.209.38293: udp 16
17:19:10.124654 203.213.110.206.10000 > w.x.y.209.38293: udp 16
17:19:10.130825 203.213.110.206.10000 > w.x.y.209.38293: udp 16
17:19:10.197558 203.213.110.206.10000 > w.x.y.211.38293: udp 16
17:19:10.204651 203.213.110.206.10000 > w.x.y.211.38293: udp 16
17:19:10.648175 203.213.110.206.10000 > w.x.y.220.38293: udp 16
17:19:10.654331 203.213.110.206.10000 > w.x.y.220.38293: udp 16
17:19:10.661106 203.213.110.206.10000 > w.x.y.220.38293: udp 16
17:19:10.667805 203.213.110.206.10000 > w.x.y.220.38293: udp 16
17:19:10.673906 203.213.110.206.10000 > w.x.y.220.38293: udp 16
17:19:10.680950 203.213.110.206.10000 > w.x.y.220.38293: udp 16
17:19:10.697578 203.213.110.206.10000 > w.x.y.221.38293: udp 16
17:19:10.703903 203.213.110.206.10000 > w.x.y.221.38293: udp 16
17:19:10.710508 203.213.110.206.10000 > w.x.y.221.38293: udp 16
17:19:10.717896 203.213.110.206.10000 > w.x.y.221.38293: udp 16
17:19:10.723439 203.213.110.206.10000 > w.x.y.221.38293: udp 16
17:19:10.731102 203.213.110.206.10000 > w.x.y.221.38293: udp 16
17:19:10.747813 203.213.110.206.10000 > w.x.y.222.38293: udp 16
17:19:10.753652 203.213.110.206.10000 > w.x.y.222.38293: udp 16
17:19:10.760133 203.213.110.206.10000 > w.x.y.222.38293: udp 16
17:19:10.766851 203.213.110.206.10000 > w.x.y.222.38293: udp 16
17:19:10.773693 203.213.110.206.10000 > w.x.y.222.38293: udp 16
17:19:10.780622 203.213.110.206.10000 > w.x.y.222.38293: udp 16
17:19:10.797075 203.213.110.206.10000 > w.x.y.223.38293: udp 16
17:19:10.803561 203.213.110.206.10000 > w.x.y.223.38293: udp 16
17:19:10.810573 203.213.110.206.10000 > w.x.y.223.38293: udp 16
17:19:10.816416 203.213.110.206.10000 > w.x.y.223.38293: udp 16
17:19:10.823278 203.213.110.206.10000 > w.x.y.223.38293: udp 16
17:19:10.829996 203.213.110.206.10000 > w.x.y.223.38293: udp 16
17:19:10.846828 203.213.110.206.10000 > w.x.y.224.38293: udp 16
17:19:10.852952 203.213.110.206.10000 > w.x.y.224.38293: udp 16
17:19:10.859896 203.213.110.206.10000 > w.x.y.224.38293: udp 16
17:19:10.866163 203.213.110.206.10000 > w.x.y.224.38293: udp 16
17:19:10.872729 203.213.110.206.10000 > w.x.y.224.38293: udp 16
17:19:10.879890 203.213.110.206.10000 > w.x.y.224.38293: udp 16
17:19:10.949660 203.213.110.206.10000 > w.x.y.226.38293: udp 16
17:19:10.955637 203.213.110.206.10000 > w.x.y.226.38293: udp 16
17:19:10.962704 203.213.110.206.10000 > w.x.y.226.38293: udp 16
17:19:10.969187 203.213.110.206.10000 > w.x.y.226.38293: udp 16
17:19:10.975218 203.213.110.206.10000 > w.x.y.226.38293: udp 16
17:19:10.981926 203.213.110.206.10000 > w.x.y.226.38293: udp 16
17:19:10.998912 203.213.110.206.10000 > w.x.y.227.38293: udp 16
17:19:11.005784 203.213.110.206.10000 > w.x.y.227.38293: udp 16
17:19:11.012627 203.213.110.206.10000 > w.x.y.227.38293: udp 16
17:19:11.019516 203.213.110.206.10000 > w.x.y.227.38293: udp 16
17:19:11.026019 203.213.110.206.10000 > w.x.y.227.38293: udp 16
17:19:11.032399 203.213.110.206.10000 > w.x.y.227.38293: udp 16
17:19:11.048837 203.213.110.206.10000 > w.x.y.228.38293: udp 16
17:19:11.054968 203.213.110.206.10000 > w.x.y.228.38293: udp 16
17:19:11.061621 203.213.110.206.10000 > w.x.y.228.38293: udp 16
17:19:11.068368 203.213.110.206.10000 > w.x.y.228.38293: udp 16
17:19:11.074925 203.213.110.206.10000 > w.x.y.228.38293: udp 16
17:19:11.081542 203.213.110.206.10000 > w.x.y.228.38293: udp 16
17:19:11.098484 203.213.110.206.10000 > w.x.y.229.38293: udp 16
17:19:11.104783 203.213.110.206.10000 > w.x.y.229.38293: udp 16
17:19:11.549297 203.213.110.206.10000 > w.x.y.238.38293: udp 16
17:19:11.555183 203.213.110.206.10000 > w.x.y.238.38293: udp 16
17:19:11.562323 203.213.110.206.10000 > w.x.y.238.38293: udp 16
17:19:11.568895 203.213.110.206.10000 > w.x.y.238.38293: udp 16
17:19:11.574903 203.213.110.206.10000 > w.x.y.238.38293: udp 16
17:19:11.581738 203.213.110.206.10000 > w.x.y.238.38293: udp 16
17:19:11.598596 203.213.110.206.10000 > w.x.y.239.38293: udp 16
17:19:11.604918 203.213.110.206.10000 > w.x.y.239.38293: udp 16
17:19:11.611837 203.213.110.206.10000 > w.x.y.239.38293: udp 16
17:19:11.618162 203.213.110.206.10000 > w.x.y.239.38293: udp 16
17:19:11.624814 203.213.110.206.10000 > w.x.y.239.38293: udp 16
17:19:11.631556 203.213.110.206.10000 > w.x.y.239.38293: udp 16
17:19:11.649513 203.213.110.206.10000 > w.x.y.240.38293: udp 16
17:19:11.655182 203.213.110.206.10000 > w.x.y.240.38293: udp 16
17:19:11.661208 203.213.110.206.10000 > w.x.y.240.38293: udp 16
17:19:11.668267 203.213.110.206.10000 > w.x.y.240.38293: udp 16
17:19:11.674362 203.213.110.206.10000 > w.x.y.240.38293: udp 16
17:19:11.681390 203.213.110.206.10000 > w.x.y.240.38293: udp 16
17:19:11.699055 203.213.110.206.10000 > w.x.y.241.38293: udp 16
17:19:11.705072 203.213.110.206.10000 > w.x.y.241.38293: udp 16
17:19:11.711439 203.213.110.206.10000 > w.x.y.241.38293: udp 16
17:19:11.717634 203.213.110.206.10000 > w.x.y.241.38293: udp 16
17:19:11.724165 203.213.110.206.10000 > w.x.y.241.38293: udp 16
17:19:11.730655 203.213.110.206.10000 > w.x.y.241.38293: udp 16
17:19:11.751688 203.213.110.206.10000 > w.x.y.242.38293: udp 16
17:19:11.756946 203.213.110.206.10000 > w.x.y.242.38293: udp 16
17:19:11.764775 203.213.110.206.10000 > w.x.y.242.38293: udp 16
17:19:11.770605 203.213.110.206.10000 > w.x.y.242.38293: udp 16
17:19:11.777283 203.213.110.206.10000 > w.x.y.242.38293: udp 16
17:19:11.784099 203.213.110.206.10000 > w.x.y.242.38293: udp 16
17:19:11.800849 203.213.110.206.10000 > w.x.y.243.38293: udp 16
17:19:11.806825 203.213.110.206.10000 > w.x.y.243.38293: udp 16
17:19:11.814628 203.213.110.206.10000 > w.x.y.243.38293: udp 16
17:19:11.820496 203.213.110.206.10000 > w.x.y.243.38293: udp 16
17:19:11.826906 203.213.110.206.10000 > w.x.y.243.38293: udp 16
17:19:11.833582 203.213.110.206.10000 > w.x.y.243.38293: udp 16
17:19:11.850923 203.213.110.206.10000 > w.x.y.244.38293: udp 16
17:19:11.856608 203.213.110.206.10000 > w.x.y.244.38293: udp 16
17:19:11.863384 203.213.110.206.10000 > w.x.y.244.38293: udp 16
17:19:11.870079 203.213.110.206.10000 > w.x.y.244.38293: udp 16
17:19:11.876349 203.213.110.206.10000 > w.x.y.244.38293: udp 16
17:19:11.883328 203.213.110.206.10000 > w.x.y.244.38293: udp 16
17:19:11.899923 203.213.110.206.10000 > w.x.y.245.38293: udp 16
17:19:11.906550 203.213.110.206.10000 > w.x.y.245.38293: udp 16
17:19:11.913061 203.213.110.206.10000 > w.x.y.245.38293: udp 16
17:19:11.920278 203.213.110.206.10000 > w.x.y.245.38293: udp 16
17:19:11.926277 203.213.110.206.10000 > w.x.y.245.38293: udp 16
17:19:11.932920 203.213.110.206.10000 > w.x.y.245.38293: udp 16
17:19:11.999583 203.213.110.206.10000 > w.x.y.247.38293: udp 16
17:19:12.005760 203.213.110.206.10000 > w.x.y.247.38293: udp 16

Packets available by request, and "is anyone else seeing this"?

AlanC
{slowly working my way towards the GCIA objectives}
--
I must study politics and war that my sons |
may have liberty to study mathematics and  | alanat_private
philosophy. -- John Adams                  |
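
An added example, not part of the original post: one way to summarize a capture like the one above, grouping the tcpdump lines by source and destination port and reporting packets per target, sweep duration, and which addresses inside the swept range were never hit. The function names and report keys are made up for this sketch, and it assumes all targets sit in one /24 so that comparing last octets is meaningful.

```python
import re
from collections import Counter, defaultdict

# Excerpt from the capture in the post: first and last packet logged for
# three of the targets (w.x.y is the poster's own redaction).
SAMPLE = """\
17:19:09.495320 203.213.110.206.10000 > w.x.y.197.38293: udp 16
17:19:09.521674 203.213.110.206.10000 > w.x.y.197.38293: udp 16
17:19:09.598461 203.213.110.206.10000 > w.x.y.199.38293: udp 16
17:19:09.631165 203.213.110.206.10000 > w.x.y.199.38293: udp 16
17:19:09.747221 203.213.110.206.10000 > w.x.y.202.38293: udp 16
17:19:09.779858 203.213.110.206.10000 > w.x.y.202.38293: udp 16
"""

# time, src.sport > dst.dport: udp length
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)$")

def parse(text):
    """Yield (seconds_of_day, src, dst, dport) for each UDP summary line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            continue  # skip anything that is not a tcpdump UDP line
        h, mi, s, src, _sport, dst, dport, _length = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + float(s), src, dst, int(dport)

def summarize(text):
    """Describe each (source, destination port) sweep found in the text."""
    sweeps = defaultdict(list)
    for t, src, dst, dport in parse(text):
        sweeps[(src, dport)].append((t, dst))
    report = {}
    for key, hits in sweeps.items():
        per_target = Counter(dst for _, dst in hits)
        octets = sorted(int(d.rsplit(".", 1)[1]) for d in per_target)
        # Addresses inside the swept range that never received a packet.
        skipped = sorted(set(range(octets[0], octets[-1] + 1)) - set(octets))
        times = [t for t, _ in hits]
        report[key] = {
            "packets": len(hits),
            "targets": len(per_target),
            "per_target": dict(per_target),
            "duration_s": round(max(times) - min(times), 6),
            "skipped_last_octets": skipped,
        }
    return report

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

Run over the full capture rather than this excerpt, the same summary lists every unused address the sweep passed over between .193 and .247.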
This archive was generated by hypermail 2b30 : Wed Apr 30 2003 - 10:36:14 PDT