Virus.Org Mailing List Archive
UDP 28431 Scans

  • To: [EMAIL PROTECTED]
  • Subject: UDP 28431 Scans
  • From: Crist Clark <[EMAIL PROTECTED]>
  • Date: Mon, 08 Jan 2001 23:13:02 +0100
 
We recently had a scan on UDP port 28431 walk across a number of class-C
sized networks. Here is a partial log entry,

 .
 .
 .
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.100:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.101:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.102:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.103:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.104:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.105:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.106:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.107:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.108:28431 29
 6Jan2001  7:38:46   drop >hme0  udp 211.194.93.98:28432 -> aaa.bbb.ccc.109:28431 29
 .
 .
 .

Note the source port never changes from 28432. About 1024 addresses were
covered without the timestamp rolling off of the same second. Then about
22 seconds later, the scan went across another net displaced from the others
by about 23808 addresses. Someone found a nice wide pipe in S. Korea to
scan the world through, huh?

I have not been able to find any definite information on what tool is
creating this or what is being searched for. Months ago on
[EMAIL PROTECTED] it was hypothesized that this is an alternate
port for Hack'a'tack (usually associated with ports 31789/udp or 31791/udp),
but the evidence does not look conclusive,

  http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D75%26mid%3D49967

A look at SANS GIAC, http://www.sans.org/giac.htm shows a lot of activity on
these ports starting about a year ago and occasional outbreaks since. However,
no one seems to have a clue what it is. Does anyone out there have an idea
what tool created this or what is being sought? Anyone have further ideas on
the Hack'a'tack theory? Thanks.
--
Crist J. Clark                                Network Security Engineer
[EMAIL PROTECTED]                    Globalstar, L.P.
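The pattern described in the post (one source, one fixed source port, one destination port, hundreds of destination hosts inside a second) is a horizontal sweep, and it can be pulled out of firewall drop logs mechanically. The following is an added example, not code from the post or from the list: it parses lines in the same layout as the log entries quoted above, groups them by (source, protocol, destination port), slides a time window over each group counting distinct destination hosts, and reports any group that reaches a threshold. It also records the set of source ports seen, so a constant source port such as the 28432 noted above shows up as a one-element set. The log lines, the scanner address 203.0.113.5, the 10.1.1.0/24 target range and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not taken from the post), laid out like the entries
# quoted above: date time action iface proto src:sport -> dst:dport length.
# Twelve UDP probes to 28431 from one host with a fixed source port, all in
# the same second, plus two unrelated drops and one junk line.
SCANNER = "203.0.113.5"  # constructed address, not the one in the post
SWEEP_LINES = [
    f" 6Jan2001  7:38:46   drop >hme0  udp {SCANNER}:28432 -> 10.1.1.{h}:28431 29"
    for h in range(100, 112)
]
NOISE_LINES = [
    " 6Jan2001  7:38:40   drop >hme0  udp 198.51.100.9:1025 -> 10.1.1.100:53 60",
    " 6Jan2001  7:39:02   drop >hme0  tcp 198.51.100.9:1026 -> 10.1.1.101:23 40",
    "garbage line that should be skipped",
]
SAMPLE_LOG = NOISE_LINES[:1] + SWEEP_LINES + NOISE_LINES[1:]

LINE_RE = re.compile(
    r"^\s*(?P<date>\d{1,2}[A-Za-z]{3}\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<action>\w+)\s+(?P<iface>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<length>\d+)\s*$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "ts": datetime.strptime(f"{f['date']} {f['time']}", "%d%b%Y %H:%M:%S"),
        "action": f["action"],
        "proto": f["proto"],
        "src": f["src"],
        "sport": int(f["sport"]),
        "dst": f["dst"],
        "dport": int(f["dport"]),
    }


def find_sweeps(lines, min_hosts=8, window_seconds=30):
    """Return one report per (src, proto, dport) that reached at least
    min_hosts distinct destinations inside any window_seconds span."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            groups[(ev["src"], ev["proto"], ev["dport"])].append(ev)

    reports = []
    for (src, proto, dport), events in groups.items():
        events.sort(key=lambda e: e["ts"])
        # Two-pointer sliding window over time-sorted events; in_window holds
        # a count per destination currently inside the window.
        in_window = defaultdict(int)
        best = 0
        left = 0
        for ev in events:
            in_window[ev["dst"]] += 1
            while (ev["ts"] - events[left]["ts"]).total_seconds() > window_seconds:
                old = events[left]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_hosts:
            sports = sorted({e["sport"] for e in events})
            reports.append({
                "src": src, "proto": proto, "dport": dport,
                "hosts": best,
                "sports": sports,
                "fixed_sport": len(sports) == 1,  # tool fingerprint noted in the post
                "first": events[0]["ts"], "last": events[-1]["ts"],
            })
    return reports


if __name__ == "__main__":
    for r in find_sweeps(SAMPLE_LOG):
        print(f"{r['src']} -> {r['proto']}/{r['dport']}: {r['hosts']} hosts "
              f"between {r['first']:%H:%M:%S} and {r['last']:%H:%M:%S}, "
              f"source ports {r['sports']} (fixed: {r['fixed_sport']})")
```

Grouping on destination port rather than on the source alone keeps two different probes from the same host from merging into one report, and the window length should be set from what the log actually shows; for the sweep in the post, where 1024 hosts fit inside one second, a far shorter window than the 30 seconds used here would still catch it.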
Copyright (c) Virus.Org 1997-2006.