Subject: Re: High port UDP probe?
From: Mark Rowe (markWHATNOT.DEMON.CO.UK)
Date: Wed Apr 26 2000 - 11:27:08 CDT
In message <916B73552292D311B8AE0090277332B70AAE96INFERNO>, Damian Gerow <damianITACTICS.COM> writes
This is most likely an automated scan looking for the trojan "Hack a
Tack". There are a number of web sites that maintain lists of common
Trojan/Backdoors and the TCP/UDP ports they use.
For example, http://www.onctek.com/trojanports.html
>This came up in our firewall:
>Apr 24 08:48:01 <hostname> kernel: Packet log: unserved DENY eth0
>PROTO=UDP 188.8.131.52:31790 xxx.xxx.xxx.xxx:31789 L=29:9 S=0x00
>What concerns me is both the destination port and the packet length.
>I'm assuming that L=29:9 means 29 for the whole packet size, and 9 is
>the UDP packet size. Take away the UDP header, leaves you 1? Am I
>reading this correctly?
--
Mark Rowe
IT Security Consultant, Xinetica
Email: mark.rowexinetica.com
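The arithmetic Damian asks about (29 bytes on the wire, minus a 20-byte IP header and an 8-byte UDP header, leaves a 1-byte payload) and the port lookup Mark suggests can be automated over firewall logs. The script below is an added example and is not code from either poster: it parses the ipchains-style "Packet log:" line quoted in the thread, derives the UDP payload size from the L= field, and flags destination ports that appear in a small backdoor-port table. Only port 31789 (Hack'a'Tack) comes from the thread; the other table entries, the second sample log line and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, List

# Matches the ipchains-style line quoted in the thread. "L=29:9" is read the
# way Damian reads it: total IP datagram length, then the UDP length.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\dx.]+):(?P<dport>\d+) L=(?P<ip_len>\d+)(?::(?P<l4_len>\d+))?"
)

IP_HEADER_LEN = 20                       # no IP options on these probes
L4_HEADER_LEN = {"UDP": 8, "TCP": 20}    # minimal transport headers

# Small lookup of well-known trojan/backdoor listening ports. 31789 is the
# Hack'a'Tack port named in the thread; the rest are sample entries a
# defender would maintain in their own table (constructed for this example).
KNOWN_BACKDOOR_PORTS = {
    ("UDP", 31789): "Hack'a'Tack",
    ("UDP", 31337): "Back Orifice",
    ("TCP", 12345): "NetBus",
    ("TCP", 27374): "SubSeven",
}


@dataclass
class Probe:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ip_len: int
    payload_len: int          # bytes left after IP and transport headers
    length_consistent: bool   # ip_len - 20 agrees with the L4 length, if given
    suspected: Optional[str]  # backdoor name if the destination port is known


def parse_packet_log(line: str) -> Optional[Probe]:
    """Parse one firewall DENY line; return None if it is not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = m.group("proto").upper()
    ip_len = int(m.group("ip_len"))
    l4_len_field = m.group("l4_len")
    # Prefer the explicit transport length when the log carries one.
    l4_len = int(l4_len_field) if l4_len_field else ip_len - IP_HEADER_LEN
    consistent = (ip_len - IP_HEADER_LEN) == l4_len
    payload_len = l4_len - L4_HEADER_LEN.get(proto, 0)
    dport = int(m.group("dport"))
    return Probe(
        proto=proto,
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=dport,
        ip_len=ip_len,
        payload_len=payload_len,
        length_consistent=consistent,
        suspected=KNOWN_BACKDOOR_PORTS.get((proto, dport)),
    )


def summarize(lines: List[str]) -> List[Probe]:
    """Parse every line that looks like a packet log; skip the rest."""
    probes = [parse_packet_log(line) for line in lines]
    return [p for p in probes if p is not None]


# Sample input: the first line is the one quoted in the thread; the second is
# a constructed, benign-looking DNS packet to show the non-matching path.
SAMPLE_LINES = [
    "Apr 24 08:48:01 <hostname> kernel: Packet log: unserved DENY eth0 "
    "PROTO=UDP 188.8.131.52:31790 xxx.xxx.xxx.xxx:31789 L=29:9 S=0x00",
    "Apr 24 09:00:00 <hostname> kernel: Packet log: input DENY eth0 "
    "PROTO=UDP 192.0.2.10:4000 xxx.xxx.xxx.xxx:53 L=60 S=0x00",
]

if __name__ == "__main__":
    for p in summarize(SAMPLE_LINES):
        tag = p.suspected or "no known backdoor port"
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"payload={p.payload_len}B consistent={p.length_consistent} [{tag}]")
```

Run as-is, the first line reports a 1-byte payload to UDP/31789 and names Hack'a'Tack, matching both posters' reading of the log; a port that is not in the table simply reports the payload size so an analyst can still spot one-byte "are you there?" probes that the table does not cover.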