Re: Strange Port 0 Traffic

From: Francesca C Smith (fsmith_at_ladylinux.com)
Date: 11/14/03

  • Next message: Andre Ludwig: "RE: Strange Port 0 Traffic"
    Date: Fri, 14 Nov 2003 12:44:27 -0500
    To: <Josh.Berry@compucom.com>, <incidents@securityfocus.com>
    
    

    Hello,

    Yes I have been seeing a lot of this along with a Sharp

    uptick in sub-seven 27374 traffic .. Mostly from Korea ..

    Lady Linux
    At 05:41 PM 11/13/2003, Josh.Berry@compucom.com wrote:
    >I am seeing a lot of traffic lately coming from different external
    >sources using UDP originating from a source port of 10000 and coming to
    >my various firewall addresses with a destination port of 0.
    >
    >I ran tcpdump traces for this traffic both internally and externally for
    >about 2 weeks. The traces showed no internal servers/desktops/devices
    >making these connections, only external machines sending these packets
    >to the firewalls.
    >
    >The data in the packet is gibberish; looks like it might be encrypted.
    >Is anyone else seeing this kind of traffic?
    >
    >Attached is a sanitized trace of some of these packets.
    >
    >Josh Berry
    >Information Security Group
    >972-856-5402
    >
    >
    >---------------------------------------------------------------------------
    >Network with over 10,000 of the brightest minds in information security
    >at the largest, most highly-anticipated industry event of the year.
    >Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    >see demos from more than 250 industry vendors. If your job touches
    >security, you need to be here. Learn more or register at
    >http://www.securityfocus.com/sponsor/RSA_incidents_031023
    >and use priority code SF4.
    >----------------------------------------------------------------------------

    "No Problems Only Solutions"
    Francesca C. Smith
    Lady Linux Internet Services
    fsmith@ladylinux.com

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------


  • Next message: Andre Ludwig: "RE: Strange Port 0 Traffic"

    Relevant Pages

    • Re: Linux based HIDS
      ... the file level audit and some extras on Linux. ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
      (Focus-IDS)
    • new ADMscript worm ?
      ... FrontPage/4.0.4.3 mod_perl/1.25 on Linux ... Anonther one is running: ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
      (Incidents)
    • RE: CEH and Intense School
      ... Q-How many times has this course been delivered ... You want more than 4 to know the bugs are ironed out in labs and so on. ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
      (Pen-Test)
    • RE: New Trojan
      ... and discovered that there is an option to scan ADS, ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
      (Incidents)
    • RE: Probable Trojan.
      ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ... Don't miss RSA Conference 2004! ... Choose from over 200 class sessions and ...
      (Incidents)