On May 15, 2009, Rodney McKee wrote:

> Hello, 

Hi Rodney -

> I'm seeing lots of activity from a single host sending UDP requests that are 
> being picked up by psad. 
> Any advice on what this might be or what additional info I should be looking 
> at? There's not much info in tcpdump. The following sample is from our argus 
> collector. 
> Note the regular attempts to port 41454, and obviously the names have been 
> changed to protect the innocent :-). 

Is there any application listening on port 41454 on the targeted system?
I don't know of a specific exploit associated with that port, but there
certainly could be one.  I would dump the application layer to look
for clues, and it would probably be useful also to send the packets
through Snort with a complete signature set deployed.

There is an interesting spike in the number of sources that are scanning
for this port according to DShield:

http://www.dshield.org/port.html?port=41454

-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint: E2EF 0C8A 5AA9 654C 4763  B50F 37AC E946 7F51 8271
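As an added example (not from this thread, psad or argus), here is a small Python parser for the ra-style flow records Rodney quoted below, reduced to a per-destination-port summary so the repeated, multi-packet flows to 41454 stand out from the one-packet probes to random ports. The embedded sample is a constructed subset of his records, and the field layout (time, flags, proto, src.port -> dst.port, pkts, bytes, state) is assumed from them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the argus ra(1) layout quoted in the thread (addresses are
# the poster's placeholders):  time flags proto src.port -> dst.port pkts bytes state
SAMPLE = """\
06/05/2009-11:07:20.580294 e udp aa.aa.aa.aaa.36582 -> bbb.bbb.bbb.bbb.41454 18 2405 INT
06/05/2009-11:08:07.589522 M udp aa.aa.aa.aaa.37365 -> bbb.bbb.bbb.bbb.55657 1 120 INT
06/05/2009-11:08:27.594601 e udp aa.aa.aa.aaa.36582 -> bbb.bbb.bbb.bbb.41454 2 236 INT
06/05/2009-11:27:08.641187 e udp aa.aa.aa.aaa.63926 -> bbb.bbb.bbb.bbb.41454 13 1764 INT
06/05/2009-11:27:19.643621 e udp aa.aa.aa.aaa.64178 -> bbb.bbb.bbb.bbb.47478 1 158 INT
06/05/2009-11:28:13.674741 M udp aa.aa.aa.aaa.63926 -> bbb.bbb.bbb.bbb.41454 2 258 INT
06/05/2009-11:49:48.287973 e udp aa.aa.aa.aaa.35619 -> bbb.bbb.bbb.bbb.41454 13 1764 INT
"""
RECORD = re.compile(r"(?P<ts>\S+) (?P<flags>\S+) (?P<proto>\S+) (?P<src>.+?)\.(?P<sport>\d+) -> "
                    r"(?P<dst>.+?)\.(?P<dport>\d+) (?P<pkts>\d+) (?P<bytes>\d+) (?P<state>\S+)$")

def parse(text):
    """Parse ra-style flow lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
            for k in ("sport", "dport", "pkts", "bytes"):
                rec[k] = int(rec[k])
            flows.append(rec)
    return flows

def repeated_targets(flows, min_flows=3):
    """Destination ports hit by at least min_flows flows, with totals, distinct source
    ports and the gaps (seconds) between successive flows: a steady cadence to one port."""
    by_port = defaultdict(list)
    for f in flows:
        by_port[f["dport"]].append(f)
    report = {}
    for port, fl in by_port.items():
        if len(fl) < min_flows:
            continue
        fl.sort(key=lambda f: f["ts"])  # records in the sample are not strictly time-ordered
        report[port] = {
            "flows": len(fl),
            "pkts": sum(f["pkts"] for f in fl),
            "bytes": sum(f["bytes"] for f in fl),
            "sports": sorted({f["sport"] for f in fl}),
            "gaps_s": [round((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(fl, fl[1:])],
        }
    return report
```

Running `repeated_targets(parse(SAMPLE))` on the sample reports only port 41454, with three different source ports and a gap pattern of roughly a minute then about twenty minutes, which is the kind of cadence worth correlating with what is listening on that port.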


> 06/05/2009-11:07:20.580294 e udp aa.aa.aa.aaa.36582 -> bbb.bbb.bbb.bbb.41454 18 2405 INT
> 06/05/2009-11:08:07.589522 M udp aa.aa.aa.aaa.37365 -> bbb.bbb.bbb.bbb.55657 1 120 INT
> 06/05/2009-11:08:07.590108 M udp aa.aa.aa.aaa.37366 -> bbb.bbb.bbb.bbb.52693 1 116 INT
> 06/05/2009-11:08:07.594268 M udp aa.aa.aa.aaa.37367 -> bbb.bbb.bbb.bbb.24921 1 131 INT
> 06/05/2009-11:08:07.595323 M udp aa.aa.aa.aaa.37368 -> bbb.bbb.bbb.bbb.43831 1 127 INT
> 06/05/2009-11:08:17.595980 e udp aa.aa.aa.aaa.37558 -> bbb.bbb.bbb.bbb.3952 1 131 INT
> 06/05/2009-11:08:17.596394 e udp aa.aa.aa.aaa.37559 -> bbb.bbb.bbb.bbb.13607 1 127 INT
> 06/05/2009-11:08:27.594601 e udp aa.aa.aa.aaa.36582 -> bbb.bbb.bbb.bbb.41454 2 236 INT
> 06/05/2009-11:27:09.643194 M udp aa.aa.aa.aaa.63948 -> bbb.bbb.bbb.bbb.19566 1 158 INT
> 06/05/2009-11:27:19.643621 e udp aa.aa.aa.aaa.64178 -> bbb.bbb.bbb.bbb.47478 1 158 INT
> 06/05/2009-11:27:29.648252 e udp aa.aa.aa.aaa.64493 -> bbb.bbb.bbb.bbb.18898 1 158 INT
> 06/05/2009-11:27:29.648808 e udp aa.aa.aa.aaa.64494 -> bbb.bbb.bbb.bbb.15665 1 131 INT
> 06/05/2009-11:27:29.649793 e udp aa.aa.aa.aaa.64495 -> bbb.bbb.bbb.bbb.34556 1 127 INT
> 06/05/2009-11:27:39.651859 e udp aa.aa.aa.aaa.64871 -> bbb.bbb.bbb.bbb.59509 1 127 INT
> 06/05/2009-11:27:39.652179 e udp aa.aa.aa.aaa.64872 -> bbb.bbb.bbb.bbb.25807 1 131 INT
> 06/05/2009-11:27:49.651497 M udp aa.aa.aa.aaa.65265 -> bbb.bbb.bbb.bbb.38349 1 127 INT
> 06/05/2009-11:27:49.652212 M udp aa.aa.aa.aaa.65266 -> bbb.bbb.bbb.bbb.7754 1 131 INT
> 06/05/2009-11:27:49.656424 M udp aa.aa.aa.aaa.65267 -> bbb.bbb.bbb.bbb.24065 1 131 INT
> 06/05/2009-11:27:49.657388 M udp aa.aa.aa.aaa.65268 -> bbb.bbb.bbb.bbb.51826 1 127 INT
> 06/05/2009-11:27:08.641187 e udp aa.aa.aa.aaa.63926 -> bbb.bbb.bbb.bbb.41454 13 1764 INT
> 06/05/2009-11:28:00.662806 e udp aa.aa.aa.aaa.1209 -> bbb.bbb.bbb.bbb.1455 1 131 INT
> 06/05/2009-11:28:00.663724 e udp aa.aa.aa.aaa.1210 -> bbb.bbb.bbb.bbb.6485 1 127 INT
> 06/05/2009-11:28:11.663795 e udp aa.aa.aa.aaa.1514 -> bbb.bbb.bbb.bbb.56158 1 131 INT
> 06/05/2009-11:28:11.664260 e udp aa.aa.aa.aaa.1515 -> bbb.bbb.bbb.bbb.47741 1 127 INT
> 06/05/2009-11:28:13.674741 M udp aa.aa.aa.aaa.63926 -> bbb.bbb.bbb.bbb.41454 2 258 INT
> 06/05/2009-11:49:49.291312 e udp aa.aa.aa.aaa.35649 -> bbb.bbb.bbb.bbb.41020 1 158 INT
> 06/05/2009-11:50:00.290821 e udp aa.aa.aa.aaa.35892 -> bbb.bbb.bbb.bbb.34949 1 158 INT
> 06/05/2009-11:50:11.295891 e udp aa.aa.aa.aaa.36202 -> bbb.bbb.bbb.bbb.11467 1 158 INT
> 06/05/2009-11:50:11.296729 e udp aa.aa.aa.aaa.36203 -> bbb.bbb.bbb.bbb.55825 1 131 INT
> 06/05/2009-11:50:11.296987 e udp aa.aa.aa.aaa.36204 -> bbb.bbb.bbb.bbb.46766 1 127 INT
> 06/05/2009-11:50:23.298549 M udp aa.aa.aa.aaa.36605 -> bbb.bbb.bbb.bbb.46693 1 127 INT
> 06/05/2009-11:50:23.299268 M udp aa.aa.aa.aaa.36606 -> bbb.bbb.bbb.bbb.11623 1 131 INT
> 06/05/2009-11:49:48.287973 e udp aa.aa.aa.aaa.35619 -> bbb.bbb.bbb.bbb.41454 13 1764 INT
> 06/05/2009-11:50:35.301177 e udp aa.aa.aa.aaa.36996 -> bbb.bbb.bbb.bbb.32041 1 131 INT
> 06/05/2009-11:50:35.302092 e udp aa.aa.aa.aaa.36997 -> bbb.bbb.bbb.bbb.15308 1 127 INT
> 06/05/2009-11:50:35.306255 e udp aa.aa.aa.aaa.36998 -> bbb.bbb.bbb.bbb.22965 1 131 INT
> 
> Thanks in advance 
> Rodney 
> 

> ------------------------------------------------------------------------------
> Crystal Reports - New Free Runtime and 30 Day Trial
> Check out the new simplified licensing option that enables 
> unlimited royalty-free distribution of the report engine 
> for externally facing server and web deployment. 
> http://p.sf.net/sfu/businessobjects
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss

