From: Crist Clark (crist.clark@GLOBALSTAR.COM)
Date: Mon Jan 08 2001 - 15:30:29 CST


    We recently had a scan on UDP port 28431 walk across a number of class-C
    sized networks. Here is a partial log entry,

     .
     .
     .
     6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.100:28431 29
     6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.101:28431 29
     6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.102:28431 29
     6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.103:28431 29
     6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.104:28431 29
     6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.105:28431 29
     6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.106:28431 29
     6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.107:28431 29
     6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.108:28431 29
     6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.109:28431 29
     .
     .
     .

    Note the source port never changes from 28432. About 1024 addresses were
    covered without the timestamp rolling off of the same second. Then about
    22 seconds later, the scan went across another net displaced from the others
    by about 23808 addresses. Someone found a nice wide pipe in S. Korea to
    scan the world through, huh?

    I have not been able to find any definite information on what tool is
    creating this or what is being searched for. Months ago on
    INCIDENTS@SECURITYFOCUS.COM it was hypothesized that this is an alternate
    port for Hack'a'tack (usually associated with ports 31789/udp or 31791/udp),
    but the evidence does not look conclusive,

      http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D75%26mid%3D49967

    A look at SANS GIAC, http://www.sans.org/giac.htm shows a lot of activity on
    these ports starting about a year ago and occasional outbreaks since. However,
    no one seems to have a clue what it is. Does anyone out there have an idea
    what tool created this or what is being sought? Anyone have further ideas on
    the Hack'a'tack theory? Thanks.

    --
    Crist J. Clark                                Network Security Engineer
    crist.clark@globalstar.com                   Globalstar, L.P.
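As an added illustration of how the sweep pattern described in the post can be picked out of firewall drop logs, the following Python is not from the original message; the sample records, addresses (198.51.100.7, 203.0.113.x, 192.0.2.x) and thresholds are constructed for the example. It parses records in the format shown above, groups drops by source address and destination port, and reports any source that hit many distinct destinations within a short window, noting whether the source port stayed fixed the way it did in the post:

```python
"""Detect a fixed-source-port sweep in FireWall-1 style drop logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Record layout as quoted in the post, e.g.
#   6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 -> aaa.bbb.ccc.100:28431 29
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}[A-Za-z]{3}\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<action>\w+)\s+>(?P<iface>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)\s+(?P<len>\d+)$"
)


def parse_line(line):
    """Return a dict for one log record, or None if the line is not a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(f"{d['date']} {d['time']}", "%d%b%Y %H:%M:%S")
    return {
        "ts": ts, "action": d["action"], "iface": d["iface"],
        "proto": d["proto"].lower(), "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "len": int(d["len"]),
    }


def find_sweeps(records, min_targets=8, window_seconds=60, action="drop"):
    """Report (src, proto, dport) groups that reached at least min_targets
    distinct destinations within window_seconds. The set of source ports
    seen is returned so a fixed source port (as in the post) stands out."""
    groups = defaultdict(list)
    for r in records:
        if r["action"] == action:
            groups[(r["src"], r["proto"], r["dport"])].append(r)
    alerts = []
    for (src, proto, dport), recs in groups.items():
        targets = {r["dst"] for r in recs}
        if len(targets) < min_targets:
            continue
        first = min(r["ts"] for r in recs)
        last = max(r["ts"] for r in recs)
        span = (last - first).total_seconds()
        if span > window_seconds:
            continue
        sports = sorted({r["sport"] for r in recs})
        alerts.append({
            "src": src, "proto": proto, "dport": dport,
            "targets": len(targets), "span_seconds": span,
            "source_ports": sports, "fixed_source_port": len(sports) == 1,
        })
    return alerts


def analyze(log_text, **kwargs):
    """Parse a block of log text and run the sweep detector over it."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return find_sweeps(records, **kwargs)


# Constructed sample: ten drops in one second from a single source port to
# consecutive hosts on 192.0.2.0/24, plus unrelated noise and a non-record line.
SWEEP_LINES = [
    f"6Jan2001 7:38:46 drop >hme0 udp 198.51.100.7:28432 -> 192.0.2.{h}:28431 29"
    for h in range(100, 110)
]
SAMPLE_LOG = "\n".join(SWEEP_LINES + [
    "6Jan2001 7:38:47 drop >hme0 udp 203.0.113.5:40011 -> 192.0.2.53:53 64",
    "6Jan2001 7:38:48 drop >hme0 udp 203.0.113.5:40012 -> 192.0.2.53:53 64",
    "6Jan2001 7:38:49 accept >hme0 tcp 203.0.113.9:51020 -> 192.0.2.80:80 60",
    "this line is not a firewall record",
])

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['src']} -> {a['targets']} hosts on {a['proto']}/{a['dport']} "
              f"in {a['span_seconds']:.0f}s, source ports {a['source_ports']}")
```

Grouping on destination port rather than source port is deliberate: a tool that rotates its source port would still be caught, while the `source_ports` list makes the single fixed port of this particular scan visible as a fingerprint. The thresholds are arbitrary starting points; on a real log, tune `min_targets` and `window_seconds` to the address space being watched.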