From: Matt Fearnow (matt@SANS.ORG)
Date: Mon Jan 08 2001 - 16:27:20 CST


     From what I know this is Hack a tack.

    http://www.hack-a-tack.com/

    and the post by Matt S. says the same
    http://www.sans.org/y2k/062300-1430.htm post by Matt Scarborough

    Matt Fearnow
    SANS GIAC Incident Handler
    matt@sans.org

    At Monday 1/8/2001 04:30 PM, Crist Clark wrote:
    >We recently had a scan on UDP port 28431 walk across a number of class-C
    >sized networks. Here is a partial log entry,
    >
    > .
    > .
    > .
    > 6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 ->
    > aaa.bbb.ccc.100:28431 29
    > 6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 ->
    > aaa.bbb.ccc.101:28431 29
    > 6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 ->
    > aaa.bbb.ccc.102:28431 29
    > 6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 ->
    > aaa.bbb.ccc.103:28431 29
    > 6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 ->
    > aaa.bbb.ccc.104:28431 29
    > 6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 ->
    > aaa.bbb.ccc.105:28431 29
    > 6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 ->
    > aaa.bbb.ccc.106:28431 29
    > 6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 ->
    > aaa.bbb.ccc.107:28431 29
    > 6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 ->
    > aaa.bbb.ccc.108:28431 29
    > 6Jan2001 7:38:46 drop >hme0 udp 211.194.93.98:28432 ->
    > aaa.bbb.ccc.109:28431 29
    > .
    > .
    > .
    >
    >Note the source port never changes from 28432. About 1024 addresses were
    >covered without the timestamp rolling off of the same second. Then about
    >22 seconds later, the scan went across another net displaced from the others
    >by about 23808 addresses. Someone found a nice wide pipe in S. Korea to
    >scan the world through, huh?
    >
    >I have not been able to find any definite information on what tool is
    >creating this or what is being searched for. Months ago on
    >INCIDENTS@SECURITYFOCUS.COM it was hypothesized that this is an alternate
    >port for Hack'a'tack (usually associated with ports 31789/udp or 31791/udp),
    >but the evidence does not look conclusive,
    >
    >
    >http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D75%26mid%3D49967
    >
    >A look at SANS GIAC, http://www.sans.org/giac.htm shows a lot of activity on
    >these ports starting about a year ago and occasional outbreaks since.
    >However, no one seems to have a clue what it is. Does anyone out there have an idea
    >what tool created this or what is being sought? Anyone have further ideas on
    >the Hack'a'tack theory? Thanks.
    >--
    >Crist J. Clark Network Security Engineer
    >crist.clark@globalstar.com Globalstar, L.P.
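As an added example, not part of this thread or either poster's own work: a small Python script that parses firewall log lines in the format quoted above and flags a sweep, i.e. many distinct destinations on one UDP port inside a short window, while also checking for the fixed source port Crist noted. The sample lines are constructed with documentation address ranges; the hostnames, thresholds and field names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Firewall log layout as quoted in the thread: date time action >iface proto src:sport -> dst:dport len
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}[A-Za-z]{3}\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) (?P<action>\w+) >(?P<iface>\S+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<len>\d+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%d%b%Y %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_sweeps(lines, min_hosts=8, window_s=5):
    """Group drops by (src, proto, dport) and flag groups reaching min_hosts distinct destinations
    inside any window_s-second sliding window; source ports are tracked so a fixed port is reported."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "drop":
            groups[(rec["src"], rec["proto"], rec["dport"])].append(rec)
    alerts = []
    for (src, proto, dport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        peak = 0
        for i, start in enumerate(recs):
            seen = set()
            for r in recs[i:]:
                if (r["ts"] - start["ts"]).total_seconds() > window_s:
                    break
                seen.add(r["dst"])
            peak = max(peak, len(seen))
        if peak >= min_hosts:
            alerts.append({"src": src, "proto": proto, "dport": dport, "peak_hosts": peak,
                           "total_hosts": len({r["dst"] for r in recs}),
                           "fixed_source_port": len({r["sport"] for r in recs}) == 1})
    return alerts

# Constructed sample (documentation addresses): ten hosts in one second from a fixed source port,
# one straggler 22 s later, and an unrelated accepted TCP connection that must not count.
SAMPLE_LOG = [f"6Jan2001 7:38:46 drop >hme0 udp 198.51.100.7:28432 -> 192.0.2.{h}:28431 29"
              for h in range(100, 110)]
SAMPLE_LOG += ["6Jan2001 7:39:08 drop >hme0 udp 198.51.100.7:28432 -> 192.0.2.130:28431 29",
               "6Jan2001 7:38:50 accept >hme0 tcp 203.0.113.5:4021 -> 192.0.2.100:80 60"]
```

Running `find_sweeps(SAMPLE_LOG)` yields one alert for the UDP/28431 group with a peak of ten hosts in the window and `fixed_source_port` set, while the accepted TCP line is ignored.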