[Dshield] Port 17300

John Sage jsage at finchhaven.com
Thu Sep 25 11:18:09 GMT 2003


Deb, et al:

On Wed, Sep 24, 2003 at 04:48:32PM -0500, Deb Hale wrote:
> I have been seeing an increase in port 17300 traffic in the last few
> days. According to the ISC graph for port 17300, there has been a
> significant increase in the number of targets in the same time period.
> Any ideas what could be going on with this port?  I know that Kuang
> uses this port.  Is it possible that we have something new?

Here's what I've seen over the last week:

Total packets to port 17300 in alert.full-Sep.17.21:32:   0
Total packets to port 17300 in alert.full-Sep.19.06:52:  31
Total packets to port 17300 in alert.full-Sep.20.07:03:  33
Total packets to port 17300 in alert.full-Sep.21.07:28:  29
Total packets to port 17300 in alert.full-Sep.22.04:43:  61
Total packets to port 17300 in alert.full-Sep.23.00:05: 241
Total packets to port 17300 in alert.full-Sep.24.04:34:  97

Total packets to port 17300 in alert.full:              306

The last represents about the last 22 hours, so it's 'way up...


I've got a packet sniffer running on TCP:17300; looking quickly at
yesterday and today's captures, I see two variations:

In the first, the payload begins 0x707b00:

input: snort.log-Sep.24.04:34
filter: ip and ( dst port 17300 )
match: 0x707b0000
################################################
T 2003/09/23 13:37:43.271568 217.34.39.144:1559 -> 12.82.131.112:17300 [AP]
  70 7b 00 00 63 3a 5c 70    6d 77 6b 2e 65 78 65 00    p{..c:\pmwk.exe.
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
/* snip */
##############
T 2003/09/23 14:37:02.654606 217.34.39.144:3852 -> 12.82.131.112:17300 [AP]
  70 7b 00 00 63 3a 5c 76    64 75 74 2e 65 78 65 00    p{..c:\vdut.exe.
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
/* snip */
####
T 2003/09/23 16:08:13.062579 66.108.81.168:2573 -> 12.82.131.112:17300 [AP]
  70 7b 00 00 63 3a 5c 72    73 6a 72 2e 65 78 65 00    p{..c:\rsjr.exe.
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
/* snip */

This variant seems to contain nothing but 0x0000000000000000... as the
payload.


In the second (that I'm more familiar with) the payload begins
0x55504446 - the classic UPDF:

input: snort.log-Sep.24.04:34
filter: ip and ( dst port 17300 )
match: 0x55504446
###
T 2003/09/23 06:54:35.334385 195.136.248.214:3832 -> 12.82.131.112:17300 [AP]
  55 50 44 46 5b ef 00 00    63 3a 5c 6e 73 64 68 2e    UPDF[...c:\nsdh.
  65 78 65 00 00 00 00 00    00 00 00 00 00 00 00 00    exe.............
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
/* snip */
This variant often contains an executable:
/* snip */
#
T 2003/09/23 06:54:35.984427 195.136.248.214:3832 -> 12.82.131.112:17300 [AP]
  4d 5a 90 00 03 00 00 00    04 00 00 00 ff ff 00 00    MZ..............
  b8 00 00 00 00 00 00 00    40 00 00 00 00 00 00 00    ........@.......
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 80 00 00 00    ................
  0e 1f ba 0e 00 b4 09 cd    21 b8 01 4c cd 21 54 68    ........!..L.!Th
  69 73 20 70 72 6f 67 72    61 6d 20 63 61 6e 6e 6f    is program canno
  74 20 62 65 20 72 75 6e    20 69 6e 20 44 4f 53 20    t be run in DOS
  6d 6f 64 65 2e 0d 0d 0a    24 00 00 00 00 00 00 00    mode....$.......
/* snip */
#########
T 2003/09/23 06:54:48.175685 207.42.74.201:3275 -> 12.82.131.112:17300 [AP]
  55 50 44 46 5b ef 00 00    63 3a 5c 74 70 70 74 2e    UPDF[...c:\tppt.
  65 78 65 00 00 00 00 00    00 00 00 00 00 00 00 00    exe.............
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
/* snip */
############
T 2003/09/23 08:44:10.905075 24.95.175.90:4605 -> 12.82.131.112:17300 [AP]
  55 50 44 46 5b ef 00 00    63 3a 5c 7a 70 70 77 2e    UPDF[...c:\zppw.
  65 78 65 00 00 00 00 00    00 00 00 00 00 00 00 00    exe.............
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
/* snip */

- John
-- 
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.
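As an added example (not part of John's message or any DShield tooling), a Python script that parses the sniffer dump format shown above and classifies each port 17300 payload by the two shapes John describes, pulling out the file path and flagging a packet whose body is an MZ executable. The sample capture is constructed from the dumps above; the header regex and the path offsets (4 bytes in for the 0x707b shape, 8 bytes in after 'UPDF' 5b ef 00 00) are assumptions read off those dumps, not a documented protocol.

```python
import re

PREFIX_707B = b"\x70\x7b\x00\x00"   # first shape above; shows as 'p{..' in the dump
PREFIX_UPDF = b"UPDF"               # second shape, 0x55504446
HEADER = re.compile(r"^T \S+ \S+ (\S+:\d+) -> \S+:\d+ \[")   # sniffer packet header line

def parse_hexdump(lines):
    """Rebuild bytes from dump lines; the ASCII column (after 4+ spaces) is skipped."""
    out = bytearray()
    for line in lines:
        for group in re.split(r"\s{4,}", line.strip()):
            toks = group.split()
            if not toks or not all(re.fullmatch(r"[0-9a-fA-F]{2}", t) for t in toks):
                break   # ASCII column, '#' separator or '/* snip */' marker
            out.extend(int(t, 16) for t in toks)
    return bytes(out)

def _path(buf, start):
    """NUL-terminated path at offset `start`, or None if the payload is too short."""
    end = buf.find(b"\x00", start)
    return buf[start:end if end >= 0 else None].decode("ascii", "replace") or None

def classify(payload):
    """Return (variant, path): the payload shape and the file path it carries."""
    if payload.startswith(PREFIX_707B):
        return "707b", _path(payload, 4)      # 70 7b 00 00 + path, then zeros
    if payload.startswith(PREFIX_UPDF):
        return "UPDF", _path(payload, 8)      # 'UPDF' 5b ef 00 00 + path
    if payload.startswith(b"MZ"):
        return "MZ-body", None                # executable body after a UPDF header
    return "unknown", None

def analyze(capture):
    """Split a capture at each 'T yyyy/...' header; return [(src, variant, path), ...]."""
    hits = []
    for chunk in re.split(r"(?m)^(?=T \d{4}/)", capture):
        head, _, body = chunk.partition("\n")
        m = HEADER.match(head)   # the input/filter/match preamble has no header line
        if m:
            hits.append((m.group(1),) + classify(parse_hexdump(body.splitlines())))
    return hits

SAMPLE = r"""T 2003/09/23 13:37:43.271568 217.34.39.144:1559 -> 12.82.131.112:17300 [AP]
  70 7b 00 00 63 3a 5c 70    6d 77 6b 2e 65 78 65 00    p{..c:\pmwk.exe.
T 2003/09/23 06:54:35.334385 195.136.248.214:3832 -> 12.82.131.112:17300 [AP]
  55 50 44 46 5b ef 00 00    63 3a 5c 6e 73 64 68 2e    UPDF[...c:\nsdh.
  65 78 65 00 00 00 00 00    00 00 00 00 00 00 00 00    exe.............
T 2003/09/23 06:54:35.984427 195.136.248.214:3832 -> 12.82.131.112:17300 [AP]
  4d 5a 90 00 03 00 00 00    04 00 00 00 ff ff 00 00    MZ..............
"""  # constructed sample from the dumps above, first line(s) of each packet
```

In the dumps above the MZ packet shares its source ip:port with the preceding UPDF packet, so grouping the returned hits by src ties an executable body to the UPDF header that announced it.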