I am seeing something odd and wanted to run it by everybody. Below are some packet captures for everybody's review. 192.168.254.4 is our Exchange server running on Windows 2000. It is constantly streaming out these UDP packets to 192.168.40.1, 192.168.73.1, and a few other 192.168.x.x addresses. The dominant ones are 192.168.40.1 and 192.168.73.1. They all have the same rotating payload, but the dst UDP ports start at 1658+ and 1677+. So, you are saying at this point, what's the big deal, so something is talking to 192.168.40.1, 73.1 and xx.xx on your internal network? Well, we don't use these addresses at all and never have. So the question is: what is this box trying to do? Has anybody seen this?

Header and Payload
14:52:54.907608 192.168.254.4.14884 > 192.168.40.1.1658: udp 8
000 : E8 28 1A 01 CB 44 F9 77   .(...D.w

Header and Payload
14:52:54.908789 192.168.254.4.14889 > 192.168.40.1.1677: udp 8
000 : E8 28 4C 01 CB 44 F9 77   .(L..D.w
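A triage helper for exactly this kind of question, added here as an example and not part of the original post or any reply to it. It parses tcpdump-style UDP header lines with their hex dump, groups packets per source/destination pair, reports the destination port span, how many payload variants were seen and which payload bytes stay constant across them, and flags any RFC 1918 destination that is not in a list of subnets the site actually uses. The two packets from the post are the first two sample lines; the other sample packets and the ALLOCATED subnet list are constructed assumptions for the demo. It says nothing about what the traffic is; it only makes the "we never used these addresses" observation mechanical so it can be run over a longer capture.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in tcpdump's "-x" style. The first two packets are the ones
# quoted in the post; the remaining three are made up to show grouping and the
# contrast with a destination inside an allocated subnet.
SAMPLE_CAPTURE = """\
14:52:54.907608 192.168.254.4.14884 > 192.168.40.1.1658: udp 8
000 : E8 28 1A 01 CB 44 F9 77
14:52:54.908789 192.168.254.4.14889 > 192.168.40.1.1677: udp 8
000 : E8 28 4C 01 CB 44 F9 77
14:52:55.001200 192.168.254.4.14890 > 192.168.40.1.1659: udp 8
000 : E8 28 1B 01 CB 44 F9 77
14:52:55.002400 192.168.254.4.14891 > 192.168.73.1.1678: udp 8
000 : E8 28 4D 01 CB 44 F9 77
14:52:55.100000 192.168.254.4.14892 > 192.168.254.10.53: udp 8
000 : 00 01 01 00 00 01 00 00
"""

# Assumed list of subnets this site actually uses. Any private destination
# outside these is flagged; adjust to the real address plan.
ALLOCATED = [ip_network("192.168.254.0/24")]

HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)
# Hex dump line: offset, colon, then pairs of hex digits. The ASCII column that
# tcpdump prints to the right is ignored by truncating to the declared length.
PAYLOAD_RE = re.compile(r"^[0-9a-fA-F]{3,4}\s*:\s*((?:[0-9a-fA-F]{2}\s*)+)")


def parse_capture(text):
    """Return a list of packet dicts, pairing each header line with the hex
    dump line(s) that follow it."""
    packets = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if current:
                packets.append(current)
            current = {"src": m["src"], "sport": int(m["sport"]),
                       "dst": m["dst"], "dport": int(m["dport"]),
                       "len": int(m["len"]), "payload": b""}
            continue
        m = PAYLOAD_RE.match(line)
        if m and current is not None:
            current["payload"] += bytes.fromhex(m.group(1).replace(" ", ""))
            current["payload"] = current["payload"][:current["len"]]
    if current:
        packets.append(current)
    return packets


def summarize(packets, allocated=ALLOCATED):
    """Group by (src, dst); report port span, payload variety, the byte offsets
    that never change, and whether dst is private but not in an allocated net."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p["src"], p["dst"])].append(p)
    report = {}
    for (src, dst), pkts in groups.items():
        dports = sorted({p["dport"] for p in pkts})
        payloads = {p["payload"] for p in pkts}
        first = next(iter(payloads))
        # Offsets identical in every payload; everything else "rotates".
        stable = [i for i in range(len(first))
                  if all(len(pl) > i and pl[i] == first[i] for pl in payloads)]
        addr = ip_address(dst)
        unallocated = addr.is_private and not any(addr in n for n in allocated)
        report[(src, dst)] = {
            "count": len(pkts),
            "dport_min": dports[0],
            "dport_max": dports[-1],
            "distinct_payloads": len(payloads),
            "stable_offsets": stable,
            "unallocated_dst": unallocated,
        }
    return report


def suspicious_destinations(report):
    """Destinations that are private address space the site never allocated."""
    return sorted(dst for (_, dst), r in report.items() if r["unallocated_dst"])


if __name__ == "__main__":
    rep = summarize(parse_capture(SAMPLE_CAPTURE))
    for (src, dst), r in sorted(rep.items()):
        flag = "UNALLOCATED" if r["unallocated_dst"] else "ok"
        print(f"{src} -> {dst}: {r['count']} pkts, dports "
              f"{r['dport_min']}-{r['dport_max']}, {r['distinct_payloads']} "
              f"payload variants, stable bytes at {r['stable_offsets']} [{flag}]")
```

Run it over `tcpdump -n -x udp and src host 192.168.254.4` output instead of the embedded sample to see the full set of destinations, the port progression and which payload byte is the one that rotates; that is the information a responder needs before deciding whether the source host is misconfigured or something on it is scanning.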
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 09:42:23 PDT