Hi,
Two of the firewalls I manage have been under extensive
UDP port 1001 scanning for a couple of weeks. I consulted
several trojan ports lists and learned that UDP port 1001
could be used by trojan Der Spacher 3, Le Guardien,
Silencer, WebEx or whatever-its-name-may-be. But I
couldn't find more detailed info about these trojans
mentioned above.
Tcpdump was used to capture the actual packet data, which
was only a few characters long:
{t}ip-address{t}
where the ip-address is neither relevant to the source nor
to the destination of the packet. The ip-address in the data
field could be "127.0.0.1", some reserved IPs (172.16.8.93
for example), or some real IPs (like 163.xxx.yyy.15).
Most of the source ports of those UDP packets are 1001, but
some of them are from UDP high ports as well. Samples of the
dumped data are shown below (with src/dst IP masked):
---------------------------------------------------------------------------
TIME: 11:52:37.225392 (0.197907)
IP: source1 -> target1 hlen=20 TOS=00 dgramlen=43 id=540F
MF/DF=0/0 frag=0 TTL=58 proto=UDP cksum=75E4
UDP: port 1001 -> 1001 hdr=8 data=15
DATA: {t}127.0.0.1{t}
---------------------------------------------------------------------------
TIME: 12:19:12.447010 (26:34.700847)
IP: source2 -> target2 hlen=20 TOS=00 dgramlen=45 id=1DC0
MF/DF=0/0 frag=0 TTL=22 proto=UDP cksum=88DE
UDP: port 512 -> 1001 hdr=8 data=17
DATA: {t}172.16.8.93{t}
---------------------------------------------------------------------------
TIME: 12:38:40.697351 (0.020109)
IP: source3 -> target3 hlen=20 TOS=00 dgramlen=47 id=A146
MF/DF=0/0 frag=0 TTL=119 proto=UDP cksum=C090
UDP: port 34289 -> 1001 hdr=8 data=19
DATA: {t}163.xxx.yyy.15{t}
---------------------------------------------------------------------------
TIME: 23:21:58.963366 (0.012869)
IP: source4 -> target4 hlen=20 TOS=00 dgramlen=47 id=7660
MF/DF=0/0 frag=0 TTL=119 proto=UDP cksum=3661
UDP: port 62956 -> 1001 hdr=8 data=19
DATA: {t}203.xxx.yyy.199{t}
---------------------------------------------------------------------------
Does anyone have any idea what this is all about? Thanks.
Chih-hung Feng
network security manager
Digital United, Inc.
[EMAIL PROTECTED]