[mail_lists] [Dshield] Probes to 27960

Jim jconner at enterit.com
Mon Mar 17 03:02:21 GMT 2003


On Sunday 16 March 2003 11:31, you wrote:

I believe that is the Unreal game port.  Recently there was a vulnerability 
found in the server code, though I am not too sure how the vulnerability worked 
or what was given up if compromised.  I believe that the vulnerability is 
nothing more than the ability for game play to be compromised, but I could be 
wrong.

Anyone else?  I know for a fact that this is a game port and it is either 
RTCW, Quake3, or Unreal [tournament].


What's interesting about this log is that it seems one of two things is 
happening.  Your router has a DMZ host on .5 or somehow the packets are 
getting routed to your .5 machine.  Let's hope it's the first.

- Jim


| Hi list,
|
|
|
| Recently I've been seeing some odd probes to UDP 27960, and I was
| wondering if anyone else had seen any or if anyone could comment.
| Here's a sample from my logs:
|
|
|
| Date        Time            Remote IP        Resolved FQDN                    RPort  Local IP     LPort
|
| 2003/03/15  04:07:48.18  I  67.34.53.45      adsl-34-53-45.mia.bellsouth.net  58571  192.168.0.5  27960
| 2003/03/15  04:23:04.94  I  67.34.53.45      adsl-34-53-45.mia.bellsouth.net  51439  192.168.0.5  27960
| 2003/03/15  04:29:26.31  I  67.34.53.45      adsl-34-53-45.mia.bellsouth.net  60718  192.168.0.5  27960
| 2003/03/15  09:51:28.98  I  67.34.53.45      adsl-34-53-45.mia.bellsouth.net  52132  192.168.0.5  27960
| 2003/03/15  13:38:49.04  I  67.34.53.45      adsl-34-53-45.mia.bellsouth.net  63904  192.168.0.5  27960
| 2003/03/15  16:57:09.93  I  213.118.212.116  d576d474.kabel.telenet.be        5985   192.168.0.5  27960
| 2003/03/15  17:12:55.58  I  12.250.95.248    12-250-95-248.client.attbi.com   52657  192.168.0.5  27960
| 2003/03/15  17:21:23.21  I  64.229.208.35                                     50231  192.168.0.5  27960
| 2003/03/15  17:44:24.93  I  64.229.208.35                                     54818  192.168.0.5  27960
| 2003/03/15  18:44:07.20  I  68.158.221.12                                     59520  192.168.0.5  27960
| 2003/03/15  18:58:38.20  I  68.158.221.12                                     54491  192.168.0.5  27960
| 2003/03/15  19:24:45.84  I  68.158.221.12                                     59278  192.168.0.5  27960
| 2003/03/15  20:29:00.39  I  68.158.221.12                                     49921  192.168.0.5  27960
|
|
|
| UDP 27960 is commonly associated with Quake3 Arena Servers, but I don't
| play any of the Quake games, nor does anyone on my network.
| Additionally, with the typical Q3A traffic, the source port ranges tend
| to stay within the 279xx range.  This traffic, on the other hand, is
| typically originating around the 50,000-60,000 range (note the one
| exception which is at 5985).
|
|
|
| My initial suspicion is that these may be Q3A clients attempting to
| connect up with a server (I recently obtained this particular static IP
| address from my local ISP), but I was wondering if anyone else has seen
| this sort of traffic before I write this off.
|
|
|
|
|
| Charles Hamby
|

-- 

- Jim
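
Added example, not part of either message: a Python parser that rejoins the wrapped records of the log format quoted above and tallies, per remote IP, how many probes to UDP 27960 came from a 279xx source port, which is the comparison Charles describes. The sample records are copied from the quoted log; the function names and the 27900-27999 bounds used for "279xx" are assumptions of this example.

```python
import re
from collections import defaultdict

# Four records copied from the quoted log, still in wrapped, mail-quoted form.
SAMPLE = """\
| 2003/03/15        04:07:48.18       I                       67.34.53.45
| adsl-34-53-45.mia.bellsouth.net   58571   192.168.0.5            27960
| 2003/03/15        16:57:09.93       I
| 213.118.212.116            d576d474.kabel.telenet.be          5985
| 192.168.0.5            27960
| 2003/03/15        17:21:23.21       I
| 64.229.208.35
| 50231   192.168.0.5            27960
| 2003/03/15        17:44:24.93       I
| 64.229.208.35
| 54818   192.168.0.5            27960
"""
DATE = re.compile(r"^\d{4}/\d{2}/\d{2}$")

def parse_records(text):
    """Rejoin wrapped records: every date token starts a new record."""
    records = []
    for tok in text.replace("|", " ").split():
        if DATE.match(tok):
            records.append([tok])
        elif records:
            records[-1].append(tok)
    out = []
    for r in records:
        if len(r) == 7:                 # the resolved-FQDN column is empty
            r = r[:4] + [None] + r[4:]
        if len(r) != 8:
            continue                    # skip records that do not fit the layout
        date, time, _dir, rip, fqdn, rport, lip, lport = r
        out.append({"ts": f"{date} {time}", "remote_ip": rip, "fqdn": fqdn,
                    "rport": int(rport), "local_ip": lip, "lport": int(lport)})
    return out

def summarize(records, lport=27960):
    """Per remote IP: probe count, source ports, and how many are 279xx."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec["lport"] == lport:
            by_ip[rec["remote_ip"]].append(rec["rport"])
    return {ip: {"count": len(p), "rports": p,
                 "in_279xx": sum(27900 <= x <= 27999 for x in p)}
            for ip, p in by_ip.items()}

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE)))
```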


