[Intrusions] UDP traffic on port 48864
Jon Hedlund
JH_ML at invtools.com
Sun Jun 26 01:31:25 GMT 2005
Andrew Daviel wrote:
>On Tue, 14 Jun 2005, James C Slora Jr wrote:
>
>>Andrew Daviel wrote Monday, June 13, 2005 6:42 PM
>>
>>>I've been seeing UDP traffic sent to a host here on port 48864; it seems
>>>to all (or mostly) targeted at one particular host, which does not seem to
>>>respond (apart from maybe ICMP unreachable). It's from random places on the
>>>net (including residential, like P2P), but the packets are quite small
>>>(15-500 bytes) and don't seem to have any ASCII content.
>>
>>Packets would be nice.
>
>17:00:07.923609 195.205.132.226.24432 > 142.x.y.z.48864: udp 123
>17:00:07.924007 142.x.y.z.48864 > 195.205.132.226.24432: udp 21
>17:00:09.276406 201.24.74.50.4674 > 142.x.y.z.48864: tcp 0 (DF)
>17:00:09.276557 142.x.y.z.48864 > 201.24.74.50.4674: tcp 0 (DF)
>17:00:12.225555 142.x.y.z.48864 > 201.24.74.50.4674: tcp 0 (DF)
>17:00:16.692418 69.166.222.155.65351 > 142.x.y.z.48864: tcp 0 (DF)
>17:00:16.692571 142.x.y.z.48864 > 69.166.222.155.65351: tcp 0 (DF)
>17:00:16.808173 69.166.222.155.65351 > 142.x.y.z.48864: tcp 0 (DF)
>17:00:18.362210 142.x.y.z.48864 > 201.24.74.50.4674: tcp 0 (DF)
>17:00:40.624674 128.195.4.205.2087 > 142.x.y.z.48864: udp 102
>17:00:40.625105 142.x.y.z.48864 > 128.195.4.205.2087: udp 43
>17:00:44.110763 65.94.161.239.25409 > 142.x.y.z.48864: udp 97
>17:00:44.111089 142.x.y.z.48864 > 65.94.161.239.25409: udp 43
>17:00:44.541082 128.195.4.205.2087 > 142.x.y.z.48864: udp 102
>17:00:44.541422 142.x.y.z.48864 > 128.195.4.205.2087: udp 43
>17:00:56.322058 154.20.232.86.16800 > 142.x.y.z.48864: udp 103
>
>User Datagram Protocol, Src Port: 24432 (24432), Dst Port: 48864 (48864)
>Data (123 bytes)
>
>0000 40 b8 02 82 8f e2 0c 77 b9 71 df 3a 5b 45 f5 23 @......w.q.:[E.#
>0010 e0 f8 6a 3b 7e 46 68 95 08 52 94 fc f5 42 5b 67 ..j;~Fh..R...B[g
>0020 ae ca 1a 7f d9 c6 50 1f ab f1 4c 23 0e 01 67 03 ......P...L#..g.
>0030 63 b1 51 50 fc 08 76 d8 3e 6d 35 22 13 3f 54 3e c.QP..v.>m5".?T>
>0040 56 23 ef 06 e0 a2 a3 68 49 e5 47 d9 7f 77 90 dd V#.....hI.G..w..
>0050 66 a6 ca 6e 40 86 e5 0b 8e 4c 11 58 fa 70 4f 93 f..n@....L.X.pO.
>0060 49 7f 5d 73 d9 18 61 8c 3a ee ed 5d 4f c0 79 0e I.]s..a.:..]O.y.
>0070 9c ec b4 f1 0c df 94 8f 22 e7 78 ........".x
>
>User Datagram Protocol, Src Port: 48864 (48864), Dst Port: 24432 (24432)
>Data (21 bytes)
>
>0000 00 16 02 c6 7e ea 95 50 77 c1 5f 42 8f e9 b6 ea ....~..Pw._B....
>0010 9a 52 e4 fd 02 .R...
>
>User Datagram Protocol, Src Port: 2087 (2087), Dst Port: 48864 (48864)
>Data (102 bytes)
>
>0000 9d 8a 02 98 21 b8 a6 00 59 d3 8d 9a a5 8b 95 c5 ....!...Y.......
>0010 09 54 c9 79 2c 7e ea f0 13 7f 2c 89 71 80 74 fd .T.y,~....,.q.t.
>0020 3d d4 67 aa 93 08 30 b9 a8 a3 87 da 16 73 9d 34 =.g...0......s.4
>0030 01 05 c6 9a 73 76 99 c5 71 d7 c3 f1 d6 96 7f 7e ....sv..q......~
>0040 48 a0 ba de f9 c4 22 65 f8 be 32 63 31 9f 97 df H....."e..2c1...
>0050 d9 25 24 df 30 fa 67 e0 ad 54 9a 49 b9 4b af 53 .%$.0.g..T.I.K.S
>0060 1d 35 ee 5c 2a 24 .5.\*$
>
>etc.
>
>There are also occasional tcp packets - remote sends SYN, local sends
>SYN, ACK, remote either doesn't respond or sends RST. No data.
>
>I don't see that our local machine is a worthy recipient of a DDoS attack
>- it's basically a Windows desktop
>
It appears to be responding to both the TCP and UDP packets, which
means there's a program listening on that port, both TCP and UDP. You
can use the freeware TCPView at
http://www.sysinternals.com/Utilities/TcpView.html to identify what app
is listening on that port.
Jon
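As an added illustration of the reasoning in Jon's reply (this is not code from the thread or from TCPView): a small Python script that parses tcpdump one-liners in the format quoted above and, for a given local host, counts inbound packets versus replies per protocol and port. A closed UDP port answers with ICMP unreachable rather than UDP, and a closed TCP port answers a SYN with RST only, so a port that sends UDP data back or continues a TCP handshake has a process bound to it. The sample lines are constructed from the capture above plus one extra line for a port with no listener; `142.x.y.z` is the poster's redacted address.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump one-line style quoted in the thread.
# The last line (port 137, no reply) is added to show an unanswered port.
SAMPLE = """\
17:00:07.923609 195.205.132.226.24432 > 142.x.y.z.48864: udp 123
17:00:07.924007 142.x.y.z.48864 > 195.205.132.226.24432: udp 21
17:00:09.276406 201.24.74.50.4674 > 142.x.y.z.48864: tcp 0 (DF)
17:00:09.276557 142.x.y.z.48864 > 201.24.74.50.4674: tcp 0 (DF)
17:00:40.624674 128.195.4.205.2087 > 142.x.y.z.48864: udp 102
17:00:40.625105 142.x.y.z.48864 > 128.195.4.205.2087: udp 43
17:00:56.322058 154.20.232.86.16800 > 142.x.y.z.48864: udp 103
17:01:02.000000 10.9.8.7.5555 > 142.x.y.z.137: udp 50
"""

# time  src.port > dst.port: proto length   (trailing "(DF)" is ignored)
LINE = re.compile(r"^(\S+)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+(udp|tcp)\s+(\d+)")

def parse(text):
    """Yield one dict per parseable tcpdump line; skip anything else."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, src, sport, dst, dport, proto, length = m.groups()
            yield {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                   "dport": int(dport), "proto": proto, "length": int(length)}

def port_stats(text, local):
    """Per (proto, local port): packets sent to it, packets it sent back,
    and the set of remote peers that talked to it."""
    stats = defaultdict(lambda: {"inbound": 0, "replies": 0, "peers": set()})
    for p in parse(text):
        if p["dst"] == local:
            s = stats[(p["proto"], p["dport"])]
            s["inbound"] += 1
            s["peers"].add(p["src"])
        elif p["src"] == local:
            stats[(p["proto"], p["sport"])]["replies"] += 1
    return dict(stats)

def answering_ports(text, local):
    """Ports where the local host sent something back: these are the ones
    worth looking up with TCPView/netstat to find the bound process."""
    return sorted(k for k, s in port_stats(text, local).items() if s["replies"] > 0)

if __name__ == "__main__":
    for (proto, port), s in sorted(port_stats(SAMPLE, "142.x.y.z").items()):
        print(f"{proto}/{port}: {s['inbound']} in, {s['replies']} replies, "
              f"{len(s['peers'])} peers")
```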