Subject: UDP Probes (?) from port 28432 to 28431 ?
From: Klaus Moeller (moeller CERT.DFN.DE)
Date: Tue Mar 07 2000 - 10:17:36 CST
- Next message: Alexander Schreiber: "Re: UDP Probes (?) from port 28432 to 28431 ?"
- Previous message: harikiri: "Re: lots of interest in port 109 (POP2)"
- In reply to: Xander Jansen: "UDP Probes (?) from port 28432 to 28431 ?"
- Next in thread: Xander Jansen: "Re: UDP Probes (?) from port 28432 to 28431 ?"
- Next in thread: Alexander Schreiber: "Re: UDP Probes (?) from port 28432 to 28431 ?"
- Reply: Klaus Moeller: "UDP Probes (?) from port 28432 to 28431 ?"
- Reply: Xander Jansen: "Re: UDP Probes (?) from port 28432 to 28431 ?"
Xander Jansen writes:
> Has anyone seen UDP subnet-sweeps to port 28431 ? We've received a few
> reports the last months about rather persistent and recurring subnet-scans
> targeted at this specific port. All the probes are short UDP packets with
> source port 28432 and destination port 28431. Typical pattern is also that
> within a few seconds a complete subnet (/24 for example) is probed on this
> port (and this port only). (I'm sorry to say that we don't have any info
> on the contents of these packets yet).
>
> I was wondering if anyone knows about either a valid or malicious
> application using these ports (I couldn't find any reference in the usual
> portlists) ?
The pattern reminds me of the HACK'A'TACK scans (UDP 33790 -> 33789).
Perhaps somebody has changed the configs ?
We haven't seen scans like that so far.
Klaus Moeller
--
Klaus Moeller | mailto:moeller cert.dfn.de
DFN-CERT GmbH |
Vogt-Koelln-Str. 30 | Phone: +49(40)42883-2262
D-22527 Hamburg | FAX: +49(40)42883-2241
Germany | PGP-Key: finger moeller ftp.cert.dfn.de
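Added example, not part of the original message or thread: one way to detect the pattern described above (a single source probing most of a /24 on one fixed UDP source/destination port pair within a few seconds) in flow records. The record format, the 10-second window, the 64-host threshold and the sample addresses are assumptions made for this illustration.

```python
"""Flag single-port UDP subnet sweeps in flow records (IPv4)."""
from collections import defaultdict
from ipaddress import ip_network

WINDOW = 10.0    # seconds; stands in for "within a few seconds" (assumed)
MIN_HOSTS = 64   # distinct targets in one /24 before alerting (assumed)

def parse(line):
    """Parse 'epoch src sport dst dport proto' (constructed log format)."""
    ts, src, sport, dst, dport, proto = line.split()
    return float(ts), src, int(sport), dst, int(dport), proto.lower()

def find_sweeps(lines, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return sorted (src, sport, dport, subnet, hosts) for each sweep found."""
    buckets = defaultdict(list)  # (src, sport, dport, /24) -> [(ts, dst), ...]
    for line in lines:
        ts, src, sport, dst, dport, proto = parse(line)
        if proto != "udp":
            continue
        subnet = str(ip_network(dst + "/24", strict=False))
        buckets[(src, sport, dport, subnet)].append((ts, dst))
    alerts = []
    for (src, sport, dport, subnet), events in buckets.items():
        events.sort()
        seen = defaultdict(int)  # dst -> packets inside the sliding window
        best, left = 0, 0
        for ts, dst in events:
            seen[dst] += 1
            # Drop events that have fallen out of the time window.
            while ts - events[left][0] > window:
                old = events[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            best = max(best, len(seen))
        if best >= min_hosts:
            alerts.append((src, sport, dport, subnet, best))
    return sorted(alerts)

# Constructed sample data (documentation address ranges, not from the thread):
# one source sweeping a /24 in about 2.5 s, plus unrelated DNS traffic as noise.
SAMPLE = [f"{1000 + i * 0.01:.2f} 198.51.100.7 28432 192.0.2.{i} 28431 udp"
          for i in range(1, 255)]
SAMPLE += [f"{1000 + i * 30}.00 203.0.113.9 {40000 + i} 192.0.2.53 53 udp"
           for i in range(20)]

if __name__ == "__main__":
    for src, sport, dport, subnet, hosts in find_sweeps(SAMPLE):
        print(f"sweep: {src}:{sport} -> {subnet} udp/{dport}, {hosts} hosts")
```

Grouping by the full source-port/destination-port pair keeps ordinary clients, which use a different ephemeral source port per request, from accumulating into a false alert.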