Strange UDP packets to non-existent network.

From: Christopher Lyon (cslyonnetsvcs.com)
Date: Mon Aug 18 2003 - 17:38:54 CDT

I am seeing something odd and wanted to run it by everybody. Below are
some packet captures for everybody's review. The is our
exchange server running on Windows 2000. It is constantly streaming out
these UDP packets to,, and a few other
192.168.x.x addresses. The dominant ones are and They all have the same rotating payload but the dst udp
ports start at 1658+ and 1677+. So, you are saying at this point, what's
the big deal, so something is talking to, 73.1 and xx.xx on
your internal network? Well we don't use these addresses at all and
never have used these. So, the question is, what is this box trying to
do? Has anybody seen this?

Header and Payload
14:52:54.907608 > udp 8
000 : E8 28 1A 01 CB 44 F9 77 .(...D.w

Header and Payload
14:52:54.908789 > udp 8
000 : E8 28 4C 01 CB 44 F9 77 .(L..D.w
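
A triage sketch for the capture above, added here and not part of the original post: it parses hex-dump lines in the layout shown and reports which payload offsets stay constant across packets, giving a byte pattern to filter for in a larger capture. The function names, and the assumption that a line with offset 000 starts a new packet, are this example's own.

```python
import re

# The two payload lines from the capture in the post above, copied as posted.
CAPTURE = """\
000 : E8 28 1A 01 CB 44 F9 77 .(...D.w
000 : E8 28 4C 01 CB 44 F9 77 .(L..D.w
"""

# Offset, colon, then space-separated hex byte pairs; the ASCII column is ignored.
DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*((?:[0-9A-Fa-f]{2}\s)+)")

def parse_payloads(text):
    """Return one bytes object per packet (assumption: offset 0 starts a packet)."""
    payloads = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # header lines and blanks carry no payload bytes
        data = bytes.fromhex(m.group(2))
        if int(m.group(1), 16) == 0 or not payloads:
            payloads.append(data)
        else:
            payloads[-1] += data  # continuation line of a longer payload
    return payloads

def byte_mask(payloads):
    """Per offset: the byte value if identical in every packet, else None."""
    length = min(len(p) for p in payloads)
    mask = []
    for i in range(length):
        values = {p[i] for p in payloads}
        mask.append(values.pop() if len(values) == 1 else None)
    return mask

def matches(mask, payload):
    """True if payload has the mask's length and agrees on every constant byte."""
    return len(payload) == len(mask) and all(
        m is None or m == b for m, b in zip(mask, payload))

def render(mask):
    """Show the mask as hex, with ?? at offsets that vary between packets."""
    return " ".join("??" if b is None else f"{b:02X}" for b in mask)

if __name__ == "__main__":
    print(render(byte_mask(parse_payloads(CAPTURE))))
```

With only two sample packets the mask is a starting point; feeding it more captured payloads narrows down which offsets really rotate.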
