On May 15, 2009, Rodney McKee wrote:
> Hello,

Hi Rodney -

> I'm seeing lots of activity from a single host sending udp requests that are
> being picked up by psad.
> Any advice on what this might be or what additional info I should be looking
> at, not much info in tcpdump. The following sample is from our argus
> collector.
> Note the regular attempts to port 41454, and obviously the names have been
> changed to protect the innocent :-).

Is there any application listening on port 41454 on the targeted system? I
don't know of a specific exploit associated with that port, but there
certainly could be one. I would dump the application layer to look for
clues, and it would probably be useful also to send the packets through
Snort with a complete signature set deployed. There is an interesting spike
in the number of sources that are scanning for this port according to
DShield:

http://www.dshield.org/port.html?port=41454

--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint: E2EF 0C8A 5AA9 654C 4763 B50F 37AC E946 7F51 8271

> 06/05/2009-11:07:20.580294 e udp aa.aa.aa.aaa.36582 -> bbb.bbb.bbb.bbb.41454 18 2405 INT
> 06/05/2009-11:08:07.589522 M udp aa.aa.aa.aaa.37365 -> bbb.bbb.bbb.bbb.55657 1 120 INT
> 06/05/2009-11:08:07.590108 M udp aa.aa.aa.aaa.37366 -> bbb.bbb.bbb.bbb.52693 1 116 INT
> 06/05/2009-11:08:07.594268 M udp aa.aa.aa.aaa.37367 -> bbb.bbb.bbb.bbb.24921 1 131 INT
> 06/05/2009-11:08:07.595323 M udp aa.aa.aa.aaa.37368 -> bbb.bbb.bbb.bbb.43831 1 127 INT
> 06/05/2009-11:08:17.595980 e udp aa.aa.aa.aaa.37558 -> bbb.bbb.bbb.bbb.3952 1 131 INT
> 06/05/2009-11:08:17.596394 e udp aa.aa.aa.aaa.37559 -> bbb.bbb.bbb.bbb.13607 1 127 INT
> 06/05/2009-11:08:27.594601 e udp aa.aa.aa.aaa.36582 -> bbb.bbb.bbb.bbb.41454 2 236 INT
> 06/05/2009-11:27:09.643194 M udp aa.aa.aa.aaa.63948 -> bbb.bbb.bbb.bbb.19566 1 158 INT
> 06/05/2009-11:27:19.643621 e udp aa.aa.aa.aaa.64178 -> bbb.bbb.bbb.bbb.47478 1 158 INT
> 06/05/2009-11:27:29.648252 e udp aa.aa.aa.aaa.64493 -> bbb.bbb.bbb.bbb.18898 1 158 INT
> 06/05/2009-11:27:29.648808 e udp aa.aa.aa.aaa.64494 -> bbb.bbb.bbb.bbb.15665 1 131 INT
> 06/05/2009-11:27:29.649793 e udp aa.aa.aa.aaa.64495 -> bbb.bbb.bbb.bbb.34556 1 127 INT
> 06/05/2009-11:27:39.651859 e udp aa.aa.aa.aaa.64871 -> bbb.bbb.bbb.bbb.59509 1 127 INT
> 06/05/2009-11:27:39.652179 e udp aa.aa.aa.aaa.64872 -> bbb.bbb.bbb.bbb.25807 1 131 INT
> 06/05/2009-11:27:49.651497 M udp aa.aa.aa.aaa.65265 -> bbb.bbb.bbb.bbb.38349 1 127 INT
> 06/05/2009-11:27:49.652212 M udp aa.aa.aa.aaa.65266 -> bbb.bbb.bbb.bbb.7754 1 131 INT
> 06/05/2009-11:27:49.656424 M udp aa.aa.aa.aaa.65267 -> bbb.bbb.bbb.bbb.24065 1 131 INT
> 06/05/2009-11:27:49.657388 M udp aa.aa.aa.aaa.65268 -> bbb.bbb.bbb.bbb.51826 1 127 INT
> 06/05/2009-11:27:08.641187 e udp aa.aa.aa.aaa.63926 -> bbb.bbb.bbb.bbb.41454 13 1764 INT
> 06/05/2009-11:28:00.662806 e udp aa.aa.aa.aaa.1209 -> bbb.bbb.bbb.bbb.1455 1 131 INT
> 06/05/2009-11:28:00.663724 e udp aa.aa.aa.aaa.1210 -> bbb.bbb.bbb.bbb.6485 1 127 INT
> 06/05/2009-11:28:11.663795 e udp aa.aa.aa.aaa.1514 -> bbb.bbb.bbb.bbb.56158 1 131 INT
> 06/05/2009-11:28:11.664260 e udp aa.aa.aa.aaa.1515 -> bbb.bbb.bbb.bbb.47741 1 127 INT
> 06/05/2009-11:28:13.674741 M udp aa.aa.aa.aaa.63926 -> bbb.bbb.bbb.bbb.41454 2 258 INT
> 06/05/2009-11:49:49.291312 e udp aa.aa.aa.aaa.35649 -> bbb.bbb.bbb.bbb.41020 1 158 INT
> 06/05/2009-11:50:00.290821 e udp aa.aa.aa.aaa.35892 -> bbb.bbb.bbb.bbb.34949 1 158 INT
> 06/05/2009-11:50:11.295891 e udp aa.aa.aa.aaa.36202 -> bbb.bbb.bbb.bbb.11467 1 158 INT
> 06/05/2009-11:50:11.296729 e udp aa.aa.aa.aaa.36203 -> bbb.bbb.bbb.bbb.55825 1 131 INT
> 06/05/2009-11:50:11.296987 e udp aa.aa.aa.aaa.36204 -> bbb.bbb.bbb.bbb.46766 1 127 INT
> 06/05/2009-11:50:23.298549 M udp aa.aa.aa.aaa.36605 -> bbb.bbb.bbb.bbb.46693 1 127 INT
> 06/05/2009-11:50:23.299268 M udp aa.aa.aa.aaa.36606 -> bbb.bbb.bbb.bbb.11623 1 131 INT
> 06/05/2009-11:49:48.287973 e udp aa.aa.aa.aaa.35619 -> bbb.bbb.bbb.bbb.41454 13 1764 INT
> 06/05/2009-11:50:35.301177 e udp aa.aa.aa.aaa.36996 -> bbb.bbb.bbb.bbb.32041 1 131 INT
> 06/05/2009-11:50:35.302092 e udp aa.aa.aa.aaa.36997 -> bbb.bbb.bbb.bbb.15308 1 127 INT
> 06/05/2009-11:50:35.306255 e udp aa.aa.aa.aaa.36998 -> bbb.bbb.bbb.bbb.22965 1 131 INT
>
> Thanks in advance
> Rodney
>
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss
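As an added example (not code from the thread, from psad or from argus), the following Python parses ra-style flow lines in the column layout quoted above and reports the destination ports a single source keeps returning to, which is the pattern Rodney points out for 41454; one-off probes to random ports fall out of the report. The sample records are a constructed subset of the ones quoted in the thread, and the record layout is assumed to be: start time, flags, proto, src.port -> dst.port, packets, bytes, state.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the ra records quoted in the thread.
SAMPLE = """\
06/05/2009-11:07:20.580294 e udp aa.aa.aa.aaa.36582 -> bbb.bbb.bbb.bbb.41454 18 2405 INT
06/05/2009-11:08:07.589522 M udp aa.aa.aa.aaa.37365 -> bbb.bbb.bbb.bbb.55657 1 120 INT
06/05/2009-11:08:27.594601 e udp aa.aa.aa.aaa.36582 -> bbb.bbb.bbb.bbb.41454 2 236 INT
06/05/2009-11:27:08.641187 e udp aa.aa.aa.aaa.63926 -> bbb.bbb.bbb.bbb.41454 13 1764 INT
06/05/2009-11:28:13.674741 M udp aa.aa.aa.aaa.63926 -> bbb.bbb.bbb.bbb.41454 2 258 INT
06/05/2009-11:49:48.287973 e udp aa.aa.aa.aaa.35619 -> bbb.bbb.bbb.bbb.41454 13 1764 INT
06/05/2009-11:50:35.301177 e udp aa.aa.aa.aaa.36996 -> bbb.bbb.bbb.bbb.32041 1 131 INT
"""

# Assumed layout: time flags proto src.sport -> dst.dport pkts bytes state.
# The address is everything before the last dot, the port is after it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<flags>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+->\s+(?P<dst>\S+)\.(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<state>\S+)$")

def parse_records(text):
    """Parse ra-style lines into dicts; lines that do not match are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%m/%d/%Y-%H:%M:%S.%f")
            for k in ("sport", "dport", "pkts", "bytes"):
                d[k] = int(d[k])
            recs.append(d)
    return recs

def recurring_ports(recs, min_flows=3):
    """Group flows by (src, dst, proto, dport); report groups with at least
    min_flows flows, with packet/byte totals and first-to-last span in seconds."""
    groups = defaultdict(list)
    for r in recs:
        groups[(r["src"], r["dst"], r["proto"], r["dport"])].append(r)
    report = {}
    for key, flows in groups.items():
        if len(flows) < min_flows:
            continue
        times = sorted(f["ts"] for f in flows)
        report[key] = {"flows": len(flows),
                       "pkts": sum(f["pkts"] for f in flows),
                       "bytes": sum(f["bytes"] for f in flows),
                       "span_s": (times[-1] - times[0]).total_seconds()}
    return report
```

Feeding the full quoted listing through `parse_records` and `recurring_ports` singles out 41454 as the only port revisited across the three bursts, which is the port to check for a listening service and to capture payload for, as suggested above.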