Has anyone else seen anything like this? They have been happening for
well over two weeks and I was wondering if it was a targeted attack or a
general scan. All packets have originated from the same city's dialup
pool with the same src/dst ports and the same 5 minute span that the
scan takes (20:24 -> 20:29, 17:27 -> 17:32), with the last trace showing
two distinct 5-minute scans from 11:45 -> 11:50 and 11:56 -> 13:01.
What service could this person be looking for?
What tool uses source port 60000 and 5-minute timings?
If this is a plain UDP service scan, why are there 2 bytes of data in the
packet? (vs NULL)
10-14-99
20:24:36.271610 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
20:25:19.174056 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
20:26:43.613437 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
20:29:48.675551 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-15-99
17:27:50.478372 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
17:28:28.002028 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
17:29:43.177907 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
17:32:34.344329 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-16-99
11:45:33.947604 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
11:46:17.672068 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
11:47:34.026818 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
11:50:29.919071 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
[ second scan starts 66 minutes later ]
12:56:42.495112 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
12:57:21.729927 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
12:58:43.957727 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
13:01:44.791308 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
-HD Moore-
http://nlog.ings.com (Like Nmap? Try Nlog!)
http://www.secureaustin.com (Its Coming...)
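
An added example, not part of the original post: a short Python script that groups the trace lines above by source host and measures the gaps between packets, to show whether each 5-minute burst is evenly paced or backs off. The date prefix on each sample line and the names `TRACE`, `LINE` and `bursts` are assumptions made for this example.

```python
import re
from datetime import datetime

# Trace lines from the post, wrapped lines rejoined; the date prefix is added
# here (an assumption of this example) so each line carries a full timestamp.
TRACE = """\
10-14-99 20:24:36.271610 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-14-99 20:25:19.174056 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-14-99 20:26:43.613437 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-14-99 20:29:48.675551 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-15-99 17:27:50.478372 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-15-99 17:28:28.002028 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-15-99 17:29:43.177907 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-15-99 17:32:34.344329 1Cust50.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-16-99 11:45:33.947604 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-16-99 11:46:17.672068 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-16-99 11:47:34.026818 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-16-99 11:50:29.919071 1Cust115.tnt2.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-16-99 12:56:42.495112 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-16-99 12:57:21.729927 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-16-99 12:58:43.957727 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
10-16-99 13:01:44.791308 1Cust24.tnt1.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
"""

# timestamp, src host, src port, dst host, dst port, UDP payload length
LINE = re.compile(r"(\S+ \S+) (\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)")

def bursts(trace):
    """Group packets by source host and summarise the timing of each burst."""
    groups = {}
    for m in map(LINE.match, trace.splitlines()):
        if m:  # skip anything that is not a UDP trace line
            ts = datetime.strptime(m.group(1), "%m-%d-%y %H:%M:%S.%f")
            groups.setdefault(m.group(2), []).append(ts)
    out = []
    for src, times in groups.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out.append({"src": src, "packets": len(times), "gaps": gaps,
                    "span": (times[-1] - times[0]).total_seconds(),
                    # True when every gap is longer than the one before it
                    "backoff": all(y > x for x, y in zip(gaps, gaps[1:]))})
    return out

if __name__ == "__main__":
    for b in bursts(TRACE):
        print(b["src"], b["packets"], [round(g, 1) for g in b["gaps"]],
              round(b["span"]), "backoff" if b["backoff"] else "even")
```

On this trace every burst is four packets whose gaps roughly double each time, so the 5-minute span is the sum of three growing intervals rather than a fixed-rate sweep.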