I don't remember anything close to this lately, nor do I see it in the past
two months on a cursory check, so:
Anyone know what it could've been?
Sample lines:
Packet log: input ACCEPT eth0 PROTO=17 128.61.56.54:28001
xxx.yyy.zzz.aaa:2578 L=439 S=0x00 I=34503 F=0x0000 T=115 (#22)
Packet log: input ACCEPT eth0 PROTO=17 204.196.178.73:28001
xxx.yyy.zzz.aaa:2583 L=244 S=0x00 I=14741 F=0x0000 T=116 (#22)
Packet log: input ACCEPT eth0 PROTO=17 158.155.0.12:28001
xxx.yyy.zzz.aaa:2581 L=854 S=0x00 I=57622 F=0x0000 T=117 (#22)
From Mar 7 21:29:24 to Mar 8 01:19:33, I was flooded on ports 28001, 28002,
28003 with UDP traffic. The network addresses/ports were (uniq -c):
19 12.17.213.142:28001
19 12.17.213.142:28002
19 128.61.56.54:28001
19 129.118.17.85:28001
19 150.252.14.155:28001
19 158.155.0.12:28001
19 195.243.64.148:28001
19 199.4.33.201:28001
19 204.196.178.73:28001
19 207.152.153.10:28001
19 207.218.73.240:28001
19 207.250.241.242:28001
19 207.250.241.242:28002
19 207.250.241.242:28003
19 208.236.64.50:28001
19 209.242.64.134:28001
19 212.122.128.205:28001
11 24.131.25.82:28001
12 24.4.195.123:28001
12 24.4.82.52:28001
19 4.33.171.132:28001
17 4.33.171.135:28001
19 63.162.143.5:28001
19 63.162.143.6:28001
19 63.162.143.6:28002
19 63.224.4.144:28001
Hosts resolve to:
12.17.213.142: lm213142.svvi.net
128.61.56.54: r56h54.res.gatech.edu
129.118.17.85: blast.me.ttu.edu
150.252.14.155: Host not found.
158.155.0.12: ra.compgen.com
195.243.64.148: Host not found.
199.4.33.201: mr2-201.mrtc.org
204.196.178.73: Host not found, try again.
207.152.153.10: Host not found.
207.218.73.240: cod.dgweb.com
207.250.241.242: pc242.cp.inc.net
208.236.64.50: Host not found.
209.242.64.134: death.fraggershall.com
212.122.128.205: inferno.gamesurf.de
24.131.25.82: nic-c25-082.mw.mediaone.net
24.4.195.123: cx187565-b.mnchs1.ct.home.com
24.4.82.52: cx987407-a.ocnsd1.sdca.home.com
4.33.171.132: evrtwa1-ar3-171-132.dsl.gtei.net
4.33.171.135: evrtwa1-ar3-171-135.dsl.gtei.net
63.162.143.5: Host not found.
63.162.143.6: Host not found.
63.224.4.144: 63-224-4-144.customers.uswest.net
The three I checked out were all Windows 95/98/NT. Two were pegged by
queso guessing on a closed port and the third was running IIS/4.0.
-George Greer
Received on Mar 08 2000
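As an added example that is not part of George Greer's post: a small Python script that parses ipchains "Packet log:" lines in the format shown above and reproduces the per-source counts he got with uniq -c, then adds what a responder would check next: bytes per source, the spread of destination ports each source hit, and how many distinct sources shared one source port (the "everyone from :28001" pattern). The log lines embedded in it are constructed: the three from the post with the redacted xxx.yyy.zzz.aaa destination replaced by the documentation address 192.0.2.1, plus invented extra lines, and an assumed syslog-style timestamp/host prefix; the real lines in the post were wrapped by the mailer and would be one line each in the log.

```python
"""Aggregate ipchains "Packet log:" lines by source address:port (added example)."""
import re
from collections import Counter, defaultdict

# Field layout of the ipchains packet log as shown in the post:
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=0x<tos> I=<ipid> F=0x<frag> T=<ttl> (#<rule>)
# search() rather than match() so a syslog prefix in front of it is tolerated.
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

# Constructed sample: the three lines from the post (destination 192.0.2.1 is a
# stand-in for the redacted address), three invented repeats from one source, one
# invented DNS reply, one invented TCP line and one non-log line.
SAMPLE_LOG = """\
Mar  7 21:29:24 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 128.61.56.54:28001 192.0.2.1:2578 L=439 S=0x00 I=34503 F=0x0000 T=115 (#22)
Mar  7 21:29:24 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 204.196.178.73:28001 192.0.2.1:2583 L=244 S=0x00 I=14741 F=0x0000 T=116 (#22)
Mar  7 21:29:25 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 158.155.0.12:28001 192.0.2.1:2581 L=854 S=0x00 I=57622 F=0x0000 T=117 (#22)
Mar  7 21:31:02 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 128.61.56.54:28001 192.0.2.1:2579 L=439 S=0x00 I=34510 F=0x0000 T=115 (#22)
Mar  7 21:31:03 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 128.61.56.54:28001 192.0.2.1:2580 L=440 S=0x00 I=34511 F=0x0000 T=115 (#22)
Mar  7 21:31:10 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 198.51.100.53:53 192.0.2.1:1027 L=93 S=0x00 I=8 F=0x0000 T=60 (#22)
Mar  7 21:31:11 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.9:80 192.0.2.1:1028 L=60 S=0x00 I=12 F=0x4000 T=50 (#22)
Mar  7 21:31:12 fw kernel: not a packet log line
"""


def parse_line(line):
    """Return a dict of fields for one ipchains log line, or None if it is not one."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] is not None else None
    return rec


def parse_log(text):
    """Parse every line of a log, silently skipping lines that are not packet logs."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def summarize(records, proto=17):
    """Per src:sport packet counts, byte totals, dport range and TTLs seen, for one protocol."""
    packets, byte_total = Counter(), Counter()
    dports, ttls = defaultdict(set), defaultdict(set)
    for r in records:
        if r["proto"] != proto:
            continue
        key = f"{r['src']}:{r['sport']}"
        packets[key] += 1
        byte_total[key] += r["len"]
        dports[key].add(r["dport"])
        ttls[key].add(r["ttl"])
    return {
        "packets": packets,
        "bytes": byte_total,
        "dports": {k: (min(v), max(v)) for k, v in dports.items()},
        "ttls": {k: sorted(v) for k, v in ttls.items()},
    }


def flood_sources(records, min_packets=2, proto=17):
    """Sources with at least min_packets packets, busiest first (sort | uniq -c | sort -rn)."""
    counts = summarize(records, proto)["packets"]
    hits = [(k, n) for k, n in counts.items() if n >= min_packets]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


def source_port_counts(records, proto=17):
    """Number of distinct source hosts per source port; many hosts on one port is the tell."""
    hosts = defaultdict(set)
    for r in records:
        if r["proto"] == proto:
            hosts[r["sport"]].add(r["src"])
    return {port: len(s) for port, s in hosts.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    stats = summarize(recs)
    for key, n in flood_sources(recs, min_packets=1):
        print(f"{n:4d} {key:22s} bytes={stats['bytes'][key]:5d} "
              f"dports={stats['dports'][key]} ttl={stats['ttls'][key]}")
    print("hosts per source port:", source_port_counts(recs))
```

Run it against a real file with `parse_log(open("/var/log/messages").read())`; the TTLs per source are kept because a source whose TTL jumps around between packets is a hint that the address is being spoofed rather than belonging to one real host.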