Security Incidents
mailing list archives
UDP Probes (?) from port 28432 to 28431 ?
From: moeller () CERT DFN DE (Klaus Moeller)
Date: Tue, 7 Mar 2000 17:17:36 +0100
Xander Jansen writes:

> Has anyone seen UDP subnet-sweeps to port 28431 ? We've received a few
> reports the last months about rather persistent and recurring subnet-scans
> targeted at this specific port. All the probes are short UDP packets with
> source port 28432 and destination port 28431. Typical pattern is also that
> within a few seconds a complete subnet (/24 for example) is probed on this
> port (and this port only). (I'm sorry to say that we don't have any info
> on the contents of these packets yet).
>
> I was wondering if anyone knows about either a valid or malicious
> application using these ports (I couldn't find any reference in the usual
> portlists) ?

The pattern reminds me of the HACK'A'TACK scans (UDP 33790 -> 33789)
Perhaps somebody has changed the configs ?
We haven't seen scans like that so far.

Klaus Moeller
- --
Klaus Moeller | mailto:moeller () cert dfn de
DFN-CERT GmbH |
Vogt-Koelln-Str. 30 | Phone: +49(40)42883-2262
D-22527 Hamburg | FAX: +49(40)42883-2241
Germany | PGP-Key: finger moeller () ftp cert dfn de
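
Added example (not part of the original message or the archive): a small detector for the pattern described in the thread, one source sending UDP from port 28432 to port 28431 across a whole /24 within seconds, run over constructed flow records. The record layout, the 10-second window and the 64-host threshold are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

def make_sample():
    """Constructed flow records (time_s, src, sport, dst, dport); not real traffic."""
    recs = [(100 + i * 0.01, "192.0.2.10", 28432, f"198.51.100.{i}", 28431)
            for i in range(1, 255)]                                   # one /24 in ~2.5 s
    recs.append((105.0, "192.0.2.77", 53, "198.51.100.5", 28431))     # wrong source port
    recs.append((106.0, "192.0.2.10", 28432, "203.0.113.9", 28431))   # lone packet
    return recs

def find_sweeps(records, sport=28432, dport=28431, window=10.0, min_hosts=64):
    """Return (src, /24, distinct_hosts, seconds) per sweep.
    window and min_hosts are assumed thresholds, not values from the thread."""
    buckets = defaultdict(list)
    for ts, src, sp, dst, dp in records:
        if sp == sport and dp == dport:
            net = ipaddress.ip_network(f"{dst}/24", strict=False)
            buckets[(src, str(net))].append((ts, dst))
    sweeps = []
    for (src, net), hits in buckets.items():
        hits.sort()
        start, seen, best = 0, Counter(), (0, 0.0)
        for ts, dst in hits:
            seen[dst] += 1
            # Drop hits that fell out of the sliding time window.
            while ts - hits[start][0] > window:
                old = hits[start][1]
                seen[old] -= 1
                if not seen[old]:
                    del seen[old]
                start += 1
            if len(seen) > best[0]:
                best = (len(seen), round(ts - hits[start][0], 2))
        if best[0] >= min_hosts:
            sweeps.append((src, net, *best))
    return sweeps

if __name__ == "__main__":
    for src, net, hosts, secs in find_sweeps(make_sample()):
        print(f"{src} swept {hosts} hosts in {net} within {secs}s (UDP 28432 -> 28431)")
```

The same function covers the HACK'A'TACK pattern mentioned in the reply by passing `sport=33790, dport=33789`.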