Re: UDP port 500 traffic from two clients

From: Hugo van der Kooij (hvdkooij@vanderkooij.org)
Date: 01/28/02


Date: Mon, 28 Jan 2002 22:25:42 +0100 (CET)
From: Hugo van der Kooij <hvdkooij@vanderkooij.org>
To: Incidents Mailing List <incidents@securityfocus.com>

On Mon, 28 Jan 2002, Gary Flynn wrote:

> Chris Wilkes wrote:
> >
> > I recently moved and changed IP addresses within my ISP's block and two
> > IP addresses from mediaone.net and home.com hit me a couple of times a
> > minute with a UDP request to port 500.
>
> Code Red and Nimda infected machines will reportedly generate port
> 500 traffic.

Port 500 is NOT part of CodeRed. I doubt that Nimda uses it.

I get hit enough by them but just on port 80. To get a feel of what a
normal XS4ALL ADSL server gets hit by, have a look at:
http://hvdkooij.xs4all.nl/fwlog/

Only SMTP and HTTP are normal traffic and not logged there.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij@vanderkooij.org		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
