Incidents
udp port 17304 Dec 15 2006 11:05PM
auto263187 hushmail com

Anybody else seeing traffic to this port? I've had 10k nodes so
far today get blocked at my firewall trying to access this port.
I'm guessing it's a C&C net trying to do something but not positive
yet.

UDP payload (full packet below) is always 40 bytes but not always
the same (some bytes are constant, others change). 25 bytes into the
data I see the source's public IP address. What's also weird is
I'm only seeing this traffic on one destination IP address; I've
checked several other places and I don't see anything in the logs
at those locations.

Open to any thoughts/suggestions...

Packet logged by pflog is below. IP packet starts at 0030, source
has been masked with SS, dest is DD.

0000 2d 02 01 00 64 63 30 00 00 00 00 00 00 00 00 00 -...dc0. .........
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ .........
0020 00 00 00 00 00 00 00 05 ff ff ff ff 01 00 00 00 ........ .........
0030 45 00 00 5b 58 52 00 00 72 11 20 99 SS SS SS SS E..[XR.. r. .....
0040 DD DD DD DD 28 75 43 98 00 47 dd 10 8d ff 37 4e ....(uC. ..G....7N
0050 42 1d 3e 2e 00 00 04 04 24 04 fa f6 0f 00 00 00 B.>..... $.......
0060 00 00 0f 04 SS SS SS SS 5c 09 e4 6d 0d 5d 00 00 ........ \..m.]..
0070 01 0f 87 0f ....
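As an added check on the dump (this decoder is not from the post), the Python below walks the pflog, IPv4 and UDP headers and compares what the UDP length field declares with what was captured: the field reads 0x0047, i.e. 63 payload bytes, but the dump stops at 116 bytes, pflogd's default snaplen, so the constant 40-byte payload is the captured slice rather than the whole datagram. It also confirms that the source address bytes recur at payload offset 24 (the "25 bytes into the data" above). The 48-byte pfloghdr layout (action at byte 2, rule number at 36, direction at 44) is assumed from the OpenBSD source of that period.

```python
import re
# Constructed copy of the post's pflog dump with the ASCII column dropped.
# SS and DD are the poster's masked source and destination address bytes.
PFLOG_DUMP = """\
0000 2d 02 01 00 64 63 30 00 00 00 00 00 00 00 00 00
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0020 00 00 00 00 00 00 00 05 ff ff ff ff 01 00 00 00
0030 45 00 00 5b 58 52 00 00 72 11 20 99 SS SS SS SS
0040 DD DD DD DD 28 75 43 98 00 47 dd 10 8d ff 37 4e
0050 42 1d 3e 2e 00 00 04 04 24 04 fa f6 0f 00 00 00
0060 00 00 0f 04 SS SS SS SS 5c 09 e4 6d 0d 5d 00 00
0070 01 0f 87 0f
"""
TOKEN = re.compile(r"[0-9a-f]{2}|SS|DD")

def parse_hexdump(text):
    """Return the dump as a list; masked bytes stay as the strings 'SS'/'DD'."""
    out = []
    for line in text.splitlines():
        for tok in line.split()[1:17]:            # skip offset, max 16 bytes
            if not TOKEN.fullmatch(tok):
                break                             # ASCII column, if present
            out.append(tok if tok.isupper() else int(tok, 16))
    return out

def be(b, i, n):                                  # big-endian int, unmasked bytes
    return int.from_bytes(bytes(b[i:i + n]), "big")

def decode(raw, pflog_hdr_len=48):
    """Walk pflog, IPv4 and UDP headers; report declared vs captured payload."""
    # Assumed 48-byte pfloghdr: action at byte 2, rulenr at 36..39, dir at 44.
    rec = {"pf_action": raw[2], "pf_dir": raw[44],
           "pf_rule": be(raw, 36, 4)}
    ip = raw[pflog_hdr_len:]
    ihl = (ip[0] & 0x0F) * 4                      # 0x45 -> 20-byte IPv4 header
    rec.update(ip_total_len=be(ip, 2, 2), ttl=ip[8], proto=ip[9],
               src=ip[12:16], dst=ip[16:20])
    udp = ip[ihl:]
    rec.update(sport=be(udp, 0, 2), dport=be(udp, 2, 2), udp_len=be(udp, 4, 2))
    payload = udp[8:]
    rec["payload_declared"] = rec["udp_len"] - 8   # from the UDP length field
    rec["payload_captured"] = len(payload)         # what the dump actually holds
    # Where (if anywhere) the masked source address recurs inside the payload.
    rec["src_ip_offset"] = next((i for i in range(len(payload) - 3)
                                 if payload[i:i + 4] == rec["src"]), None)
    return rec

def analyze(text=PFLOG_DUMP):
    return decode(parse_hexdump(text))
```

Running `analyze()` on the dump above reports rule 5, action 1, direction 1, UDP 10357 -> 17304, 63 declared versus 40 captured payload bytes, and the source address at payload offset 24.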


Copyright 2010, SecurityFocus