udp and dst port 1026
From: Jens Hektor (hektor_at_rz.rwth-aachen.de)
Date: 12/02/03
- Previous message: Dejan Markovic: "Same sequence..."
- Next in thread: Bill McCarty: "Re: udp and dst port 1026"
- Reply: Bill McCarty: "Re: udp and dst port 1026"
- Maybe reply: Bill McCarty: "Re: udp and dst port 1026"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 02 Dec 2003 00:20:38 +0100
To: incidents@securityfocus.com
-----BEGIN PGP SIGNED MESSAGE-----
Hi,
[original posting]
starting around Nov 22 and increasing from Nov 24
until today I see packets floating around from
various sources to almost any IP of our networks.
The payload is two bytes with value zero.
Any idea what this could be?
[as the moderator requested more info, here it comes]
Actually the whole thing started on November 19th
and it has an exponential increase in the logs of our
Cisco-ACL'd networks (about the equivalent of 40-60
Class-C's).
A short packet dump reveals a netbios query for
the netbios name of the machine followed by a
"miniportscan" towards ports 1026-1031:
0.000000 92 A.248.165.142 1041 B.226.246.145 137 NBNS Name query NBSTAT
<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
0.000375 60 A.248.165.142 1042 B.226.246.145 1026 UDP Source port: 1042 Destination port: 1026
0.001249 60 A.248.165.142 1043 B.226.246.145 1027 UDP Source port: 1043 Destination port: 1027
0.001250 60 A.248.165.142 1044 B.226.246.145 1028 UDP Source port: 1044 Destination port: 1028
0.001373 60 A.248.165.142 1045 B.226.246.145 1029 UDP Source port: 1045 Destination port: 1029
0.001750 60 A.248.165.142 1046 B.226.246.145 1030 UDP Source port: 1046 Destination port: 1030
0.002373 60 A.248.165.142 1047 B.226.246.145 1031 UDP Source port: 1047 Destination port: 1031
At the moment the traffic is not very high but it's
really noticeable in our packet filter logs. We now
have about 3000 denied accesses/h there, spread over
various lists.
It should be easily detectable in your packet filter logs, too.
And: if it keeps increasing with the same rate, we here
will have a real problem in some days.
Bye, Jens Hektor
P.S. It's already tracked at the DFN-CERT #44733
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQEVAwUBP8vMxRsVN+J7zzuXAQGD5QgAkKLb7Ssn/c/KBnMuliyVXG2h4R+iqDox
O7pzZ1+KXsVKrj+WY+PIwK7fAdX2hoWPkgU6/Md7UJI7MI2ue0e4nBz6SADG82Sl
oyB4+VTLxo5rmSrhjSFI30ujDz4Py6SuQuZQuyAT/czNEKDG6PG4n6FZS7j0Axm8
Zkcm6h4WOy/+h/SOr7nPdxs6GLu4Z+eJv7RGXUpQ7xZ/KUWsuQ2/HKDxaY9Xk07r
0JZS9i1G7FTMoYd46q9u1qn8lOMs0TQAfvQXMWZoqIidUNnCLHFuvKpHrTYK4p8t
c4MmUC7rd8oXL0OElVBpdidk5TeyL32Aj4je8TQCnUEaWMoNEq6wPw==
=wxNi
-----END PGP SIGNATURE-----
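The pattern Jens describes (an NBNS name query to UDP/137 from one source, immediately followed by UDP packets to 1026-1031 on the same destination) is easy to pick out of ACL deny logs once the lines are grouped per source/destination pair. The script below is an added illustration and is not part of the original post or the DFN-CERT case. It assumes syslog lines in the shape of Cisco IOS %SEC-6-IPACCESSLOGP deny messages; the sample lines, hostnames and addresses are constructed for the example, and the threshold of four sweep ports is an arbitrary choice.

```python
"""Detect the NBNS-query-then-UDP-1026..1031-sweep pattern in ACL deny logs.

Added example, not code from the original mailing-list post. The log format
mimics Cisco IOS %SEC-6-IPACCESSLOGP lines; every sample line, host name and
address below is constructed for this illustration.
"""
import re
from collections import defaultdict

SWEEP_PORTS = range(1026, 1032)   # 1026-1031, the "miniportscan" range from the post
NBNS_PORT = 137                   # the NetBIOS name query that precedes the sweep
MIN_SWEEP_HITS = 4                # distinct sweep ports needed for a finding (assumed threshold)

# Matches the "denied <proto> <src>(<sport>) -> <dst>(<dport>)" part of an ACL log line.
LINE_RE = re.compile(
    r"denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Constructed sample: one source doing the full 137 + 1026..1031 pattern, one
# unrelated DNS deny, and one source that touches 1026/1027 only (below threshold).
SAMPLE_LOG = """\
Dec  1 23:10:01 edge1 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.142(1041) -> 198.51.100.145(137), 1 packet
Dec  1 23:10:01 edge1 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.142(1042) -> 198.51.100.145(1026), 1 packet
Dec  1 23:10:01 edge1 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.142(1043) -> 198.51.100.145(1027), 1 packet
Dec  1 23:10:01 edge1 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.142(1044) -> 198.51.100.145(1028), 1 packet
Dec  1 23:10:01 edge1 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.142(1045) -> 198.51.100.145(1029), 1 packet
Dec  1 23:10:01 edge1 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.142(1046) -> 198.51.100.145(1030), 1 packet
Dec  1 23:10:01 edge1 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.142(1047) -> 198.51.100.145(1031), 1 packet
Dec  1 23:10:02 edge1 %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(53412) -> 198.51.100.20(53), 1 packet
Dec  1 23:10:03 edge1 %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.77(2001) -> 198.51.100.77(1026), 1 packet
Dec  1 23:10:03 edge1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.77(2002) -> 198.51.100.77(1027), 1 packet
"""


def parse_denies(text):
    """Yield (proto, src, dst, dport) for every line that looks like an ACL deny."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])


def find_sweeps(text, min_hits=MIN_SWEEP_HITS):
    """Group UDP denies by (src, dst); report pairs with a 137 query plus a 1026-1031 sweep."""
    seen = defaultdict(set)
    for proto, src, dst, dport in parse_denies(text):
        if proto == "udp":
            seen[(src, dst)].add(dport)
    findings = []
    for (src, dst), ports in sorted(seen.items()):
        sweep = sorted(p for p in ports if p in SWEEP_PORTS)
        if NBNS_PORT in ports and len(sweep) >= min_hits:
            findings.append({"src": src, "dst": dst, "nbns": True, "sweep_ports": sweep})
    return findings


def top_sources(text, n=5):
    """Count denied UDP packets per source, to see which hosts drive the log volume."""
    counts = defaultdict(int)
    for proto, src, _dst, _dport in parse_denies(text):
        if proto == "udp":
            counts[src] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for f in find_sweeps(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: NBNS query then sweep of {f['sweep_ports']}")
    print("busiest sources:", top_sources(SAMPLE_LOG))
```

Run against a real syslog export, only the regular expression and the per-(src, dst) grouping matter; the time stamps are ignored here because the post's dump shows the whole sequence arriving within a few milliseconds, so a per-file grouping is enough for a first pass. Counting denies per source (top_sources) is the quick way to confirm whether a rising deny rate like the 3000/h Jens reports is driven by this one pattern or by something else.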