From: Fitch, Brian (ISSAtlanta) (BFitchiss.net)
Date: Sat Mar 31 2001 - 20:33:31 CST


    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomoiss.net Contact issforum-owneriss.net for help with any problems!
    ----------------------------------------------------------------------------

    Hello!

    From: http://www.sans.org/y2k/092300.htm

    September 23, 2000
    Handler on Duty: Stephen Northcutt (Comments in parentheses - send all
    reports to intrusionsans.org)
    Infocon: Green

    This is a fun issue, be sure to catch the write ups of the community working
    together to solve the mystery of the local UDP traffic to 38293, fun read! I
    still remember the first time those Symantec kids got me spinning around!
    Why are all these ICMP echo requests leaving the base and headed for
    ping.symantec.com? Turns out to be a network speedometer that shipped with
    Norton something or other. The rest of the story is they didn't tell their
    ISP what they were doing, what do you suppose the traffic looked like to
    them, hehe, the world's largest smurf reflection! I hope as the Axent folks
    infiltrate they will be just a bit more friendly to intrusion analysts and
    start posting the signatures of their "value added" network applications on
    GIAC. S.

    From:
    http://www.securityportal.com/buffy/buffy20001012.printerfriendly.html

    Question: Do you know what UDP port 38293 is used for? I'm seeing this on
    firewall logs from multiple machines.

    Greag Johnson
     
    Answer: I found several mentions of this port, though not in assigned
    numbers or well-known Trojans. I was able, however, to find a mention on the
    SANS site. Various firewall and IDS lists also contain mentions of this port
    from a variety of different people, so it is probably a modified Trojan
    program. Many allow easy modification of which port they listen on, to help
    evade detection. Your mystery port is probably some variant in use by an
    attacker.

    Buffy (buffysecurityportal.com)

    Cheers,

    Brian
     
    -----Original Message-----
    From: Alexey V. Lukatsky [mailto:lukainfosec.ru]
    Sent: Friday, March 30, 2001 2:04 AM
    To: 'issforumiss.net'
    Subject: What is port 38293/udp?

    Hello!

            What is port 38293/udp?

    Best regards,
    Alexey Lukatsky Tel/fax: +7 095 289 8998
    Deputy Head of Department (ICT, CCSE) E-mail: lukainfosec.ru
    NIP "Informzaschita", Russia WWW: http://www.infosec.ru