Security Incidents mailing list archives

Re: Another odd UDP scan - new trojan?

From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Thu, 18 May 2000 13:57:18 -0700


Um. Traceroute.
http://www.robertgraham.com/pubs/firewall-seen.html#port33434

I am seeing a dramatic increase in traceroutes throughout the Internet,
often from quasi-"respectable" sites. There is either a dramatic increase in
the interest of mapping the Internet, or somebody has released a product
that does traceroutes as a background task (imagine a client utility that
traceroutes all the websites a user goes to in order to map out where they
are).

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
Behalf Of Neil Long
Sent: Thursday, May 18, 2000 3:33 AM
To: INCIDENTS () securityfocus com
Subject: Another odd UDP scan - new trojan?

Hi

We just had a report which is unusual -

UDP ports 33448 through 33453

Scanning one of our net blocks but rolling the loop on the 3rd octet and
throttled down to one every  second or so. Src port number constant per dest
host but then changing on the next target ip.

Src IP is in an Exodus net block - 64.41.164.54

Anyone else seeing this or know what they are looking for? All attempts were
fruitless, just curious.

Cheers
Neil

Current thread:

Another odd UDP scan - new trojan? Neil Long (May 18)
- Re: Another odd UDP scan - new trojan? Pierre Vandevenne (May 18)
- Re: Another odd UDP scan - new trojan? Robert Graham (May 18)
- Re: Another odd UDP scan - new trojan? M J (May 19)