Security Incidents: Re: UDP flood 28001-28003

Re: UDP flood 28001-28003

From: Andrew Badr <peanutbadr_at_HOTMAIL.COM>
Date: Wed, 8 Mar 2000 21:12:00 PST

These ports are used by servers for the very popular online game "Starsiege:
Tribes". They may have some other use, but not that I know of.

>From: George <greerga_at_ENTROPY.MUC.MUOHIO.EDU>
>Reply-To: George <greerga_at_ENTROPY.MUC.MUOHIO.EDU>
>To: INCIDENTS_at_SECURITYFOCUS.COM
>Subject: UDP flood 28001-28003
>Date: Wed, 8 Mar 2000 02:27:48 -0500
>
>I don't remember anything close to this lately, nor do I see it in the past
>two months on a cursory check, so:
>
>Anyone know what it could've been?
>
>Sample lines:
>
>Packet log: input ACCEPT eth0 PROTO=17 128.61.56.54:28001
>xxx.yyy.zzz.aaa:2578 L=439 S=0x00 I=34503 F=0x0000 T=115 (#22)
>
>Packet log: input ACCEPT eth0 PROTO=17 204.196.178.73:28001
>xxx.yyy.zzz.aaa:2583 L=244 S=0x00 I=14741 F=0x0000 T=116 (#22)
>
>Packet log: input ACCEPT eth0 PROTO=17 158.155.0.12:28001
>xxx.yyy.zzz.aaa:2581 L=854 S=0x00 I=57622 F=0x0000 T=117 (#22)
>
>From Mar 7 21:29:24 to Mar 8 01:19:33, I was flooded on ports 28001, 28002,
>28003 with UDP traffic. The network addresses/ports were (uniq -c):
>
>Hosts resolve to:
>
>The three I checked out were all Windows 95/98/NT. Two were pegged by
>queso guessing on a closed port and the third was running IIS/4.0.
>
>-George Greer

Received on Mar 08 2000
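
The per-source tally the quoted report describes (its `uniq -c` step), as an added example that is not part of the original thread: it parses ipchains `Packet log:` records in the layout of the quoted sample lines, re-joins records that mail wrapping split in two, and counts packets and bytes per source endpoint. The sample records are constructed with documentation addresses, and the names `unwrap` and `summarize` are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Layout of an ipchains log record, as in the sample lines quoted in the post:
# Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> ...
RECORD = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\w.]+):(?P<sport>\d+) "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) L=(?P<length>\d+)")

# Constructed sample (documentation addresses), wrapped and '>'-quoted like the post.
SAMPLE = """\
>Packet log: input ACCEPT eth0 PROTO=17 192.0.2.10:28001
>203.0.113.5:2578 L=439 S=0x00 I=34503 F=0x0000 T=115 (#22)
>
>Packet log: input ACCEPT eth0 PROTO=17 192.0.2.10:28001
>203.0.113.5:2578 L=244 S=0x00 I=14741 F=0x0000 T=115 (#22)
>Packet log: input ACCEPT eth0 PROTO=17 198.51.100.7:28002
>203.0.113.5:2583 L=854 S=0x00 I=57622 F=0x0000 T=117 (#22)
>Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:80
>203.0.113.5:2590 L=40 S=0x00 I=1 F=0x0000 T=117 (#22)
"""

def unwrap(text):
    """Strip mail quoting and re-join records that were wrapped onto two lines."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if "Packet log:" in line:
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records

def summarize(text, proto=17):
    """Return (packets per source endpoint, bytes per endpoint, hosts per source port)."""
    packets, octets, hosts = Counter(), Counter(), defaultdict(set)
    for record in unwrap(text):
        m = RECORD.search(record)
        if m is None or int(m["proto"]) != proto:
            continue  # unparsable line or a different IP protocol (17 = UDP)
        endpoint = f'{m["src"]}:{m["sport"]}'
        packets[endpoint] += 1
        octets[endpoint] += int(m["length"])
        hosts[int(m["sport"])].add(m["src"])
    return packets, octets, hosts

if __name__ == "__main__":
    packets, octets, hosts = summarize(SAMPLE)
    for endpoint, n in sorted(packets.items()):
        print(f"{n:7d} {endpoint}  ({octets[endpoint]} bytes)")
```

The third return value groups source hosts by source port, which shows at a glance whether many hosts share the same few fixed ports.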