RE: Port Scan(?)

From: leon (leon@inyc.com)
Date: 03/26/02


From: "leon" <leon@inyc.com>
To: "'Adrian Horton'" <adhort02@yahoo.com>, <security-basics@securityfocus.com>
Date: Tue, 26 Mar 2002 15:57:56 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It would be best if you could actually get a dump of the packets with
something like tcpdump or WinDump. 255.255.255.255 is obviously a
broadcast address. I would guess it is some kind of program or service
running that is broadcasting. What programs are running on the machine
when it does this? What software is loaded on it?

Regards,

Leon

- -----Original Message-----
From: Adrian Horton [mailto:adhort02@yahoo.com]
Sent: Wednesday, March 20, 2002 2:42 PM
To: security-basics@securityfocus.com
Subject: Port Scan(?)

The incidents@securityfocus.com owner rejected this
post so can anyone here make sense of this?

On my 10.1.2.0/24 network, I discovered (with
Ethereal) that one of my hosts (10.1.2.112) was
broadcasting UDP packets to 255.255.255.255 to port
62516.
The *source port* though was incrementing by one after
every packet. That host machine is running Windows
2000.

Anyone know what kind of activity this is? It seems
the opposite of a port scan and it is inside my
private network. I know which machine it is, I just
can't figure out what it was doing so I disconnected
it from the network until I figure it out.

Thanks,

AH


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPKDgsNqAgf0xoaEuEQKOZwCggZI2BgtBfozxI7Xo2LHStP7WUz8AoO6m
TA4SVHkzwSQkp61zlIW7x0a2
=9elQ
-----END PGP SIGNATURE-----
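
Added example, not part of the original thread: once a packet dump has been captured as suggested above, a short script can confirm the pattern described in the question (one host sending UDP to 255.255.255.255 with the source port rising by one per packet). The sample lines are constructed in `tcpdump -nn udp` text format, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn udp` text format (not the poster's capture).
SAMPLE = """\
15:57:50.100000 IP 10.1.2.112.1042 > 255.255.255.255.62516: UDP, length 32
15:57:50.600000 IP 10.1.2.112.1043 > 255.255.255.255.62516: UDP, length 32
15:57:50.900000 IP 10.1.2.7.138 > 10.1.2.255.138: UDP, length 201
15:57:51.100000 IP 10.1.2.112.1044 > 255.255.255.255.62516: UDP, length 32
15:57:51.600000 IP 10.1.2.112.1045 > 255.255.255.255.62516: UDP, length 32
15:57:52.000000 IP 10.1.2.30.68 > 255.255.255.255.67: UDP, length 300
15:57:52.400000 IP 10.1.2.30.68 > 255.255.255.255.67: UDP, length 300
"""

# timestamp, "IP", src_ip.src_port > dst_ip.dst_port: UDP
LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")

def broadcast_flows(text):
    """Map (src_ip, dst_port) -> source ports, in capture order, for
    UDP packets sent to the limited broadcast address."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(3) == "255.255.255.255":
            flows[(m.group(1), int(m.group(4)))].append(int(m.group(2)))
    return flows

def longest_increment_run(ports):
    """Length of the longest stretch where each port is the previous one + 1."""
    best = run = 1 if ports else 0
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_incrementing_broadcasters(text, min_run=3):
    """Report hosts whose broadcast source port climbs by one per packet."""
    findings = []
    for (src, dport), sports in sorted(broadcast_flows(text).items()):
        run = longest_increment_run(sports)
        if run >= min_run:
            findings.append({"src": src, "dst_port": dport,
                             "packets": len(sports), "run": run})
    return findings

if __name__ == "__main__":
    for f in find_incrementing_broadcasters(SAMPLE):
        print(f)
```

A fixed source port, as in the DHCP lines of the sample, is not reported; only the host whose source port increments per packet is.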


