UDP/41170

alaric_at_alaricsecurity.com
Date: 06/17/03

    Date: 17 Jun 2003 09:22:53 -0000
    To: incidents@securityfocus.com
    
    

    Hi,

    It is about 2:00 am here in California and for about the last hour since I
    got onto my pc, I have seen a lot of traffic blocked by ZoneAlarm with a
    that was trying to connect to my box on udp port 41170.

    I started running Ethereal after I saw the first 10 packets or so. Ethereal
    identified the first udp/41170 packet it saw as being part of the "slimp3"
    protocol. The funny thing is that it hasn't identified the "slimp3"
    protocol since.

    The source addresses of the packets are almost all different, as are the
    source ports (which are all udp and pretty high up ports). I did check out
    a little over a dozen addresses and they are from broadband companies and
    some foreign countries.

    I have been checking the packet contents in Ethereal and the content looks
    different in each packet.

    Just wanted to compare notes with anyone else out there and I'm sorry if I
    have wasted anyone's time with this post.

    Later,
    B. Thomason

    P.S. There were about three posts or so back in March of this year about
    this kind of activity.
