FW: [Dshield] UDP scans of 18000+ ports

Andy Streule andy.streule at lythamhigh.lancs.sch.uk
Wed Feb 4 14:09:34 GMT 2004


The trojan Backdoor.Sinit (aka Calyps.a or Calypso) has a UDP source port of
53 and also uses a high numbered port. IDS often reports Sinit as malformed
DNS packets.
Stuff about it here: http://people.ists.dartmouth.edu/~gbakos/bindsweep/


~Andy
Lytham St Annes High Technology College
http://www.lythamhigh.lancs.sch.uk
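
The pattern described above (inbound UDP from source port 53 to high destination ports that does not look like a DNS reply) can be checked for in firewall logs. The following is an added example, not code from the list, from Sinit analysis, or from the bindsweep page; the log tuple format, the sample records and the addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

# Constructed sample records in a simplified firewall-log tuple format (assumption):
# (direction, proto, src_ip, sport, dst_ip, dport, payload bytes)
QNAME = b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
QUERY = bytes.fromhex("1a2b01000001000000000000") + QNAME   # QR=0, one question
ANSWER = bytes.fromhex("1a2b81800001000000000000") + QNAME  # QR=1, empty answer section
SAMPLE_LOG = [
    ("out", "udp", "192.0.2.10", 33421, "198.51.100.53", 53, QUERY),       # legit query
    ("in",  "udp", "198.51.100.53", 53, "192.0.2.10", 33421, ANSWER),      # legit reply
    ("in",  "udp", "203.0.113.7", 53, "192.0.2.10", 18101, b"\x00\x01\x02"),  # too short
    ("in",  "udp", "203.0.113.7", 53, "192.0.2.10", 18102, b"\x00" * 12),     # QR bit clear
    ("in",  "udp", "203.0.113.7", 53, "192.0.2.10", 18103, b"\x00" * 12),
]

def looks_like_dns_response(payload):
    """Basic RFC 1035 header sanity: 12-byte header, QR bit set, at least one question."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    return bool(flags & 0x8000) and qdcount >= 1

def flag_bogus_sport53(records):
    """Return inbound UDP sport-53 datagrams that are unsolicited or not DNS-shaped."""
    # A genuine reply mirrors an earlier outbound query: (resolver, 53, client, ephemeral)
    outstanding = {(r[4], r[5], r[2], r[3]) for r in records
                   if r[0] == "out" and r[1] == "udp" and r[5] == 53}
    flagged = []
    for direction, proto, src, sport, dst, dport, payload in records:
        if direction != "in" or proto != "udp" or sport != 53:
            continue
        reasons = []
        if (src, sport, dst, dport) not in outstanding:
            reasons.append("no matching outbound query")
        if not looks_like_dns_response(payload):
            reasons.append("malformed DNS")
        if reasons:
            flagged.append((src, dst, dport, reasons))
    return flagged

def scan_breadth(flagged):
    """Distinct destination ports hit per source; a large count is the progressive-scan signal."""
    ports = defaultdict(set)
    for src, _dst, dport, _reasons in flagged:
        ports[src].add(dport)
    return {src: len(p) for src, p in ports.items()}
```

On the constructed sample the legitimate resolver reply is left alone while the three sport-53 datagrams from 203.0.113.7 are flagged on both counts, which is the shape of traffic worth capturing and posting to the list.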

-----Original Message-----
From: Pete Cap [mailto:peteoutside at yahoo.com]
Sent: 03 February 2004 19:49
To: General DShield Discussion List
Subject: Re: [Dshield] UDP scans of 18000+ ports


Scratch that, I think Stephane is correct.

Pete Cap <peteoutside at yahoo.com> wrote:
Someone is probably performing reconnaissance against your client.
53 is associated with DNS (check out RFC 2929) but if you're seeing a sudden
spike in progressive scans on ephemeral ports--yeah, that's probably
illicit.

What he's going to try to do is infer information about your network based
on responses he gets from his scanning (e.g. host/port unreachable messages,
response to weird packets, etc.). Even a lack of response is an
indicator--that a firewall is present.

You have some data on him right now:
One, you know SOMEONE is interested. So ask yourself "who?", and "in what?",
and "why?"
Two, if they are just beginning these scans then they probably don't have
anyone helping them on the inside.
Three, if it's noisy enough to alert you, then you're probably not dealing
with an advanced attacker.


I suggest you do two things:

First, perform a little risk assessment in your head--balance the risk to
your enterprise if that machine is compromised (what data does it store?
what else on the network can it access?) versus how much protection it
already has...I'm sure you don't need to be advised to make sure you're all
patched up. No firewall is airtight--you have to stay on it.

Second, capture some of those scans and post them to the list. There are
enough "packet ninjas" listening that someone will probably be able to tell
you if the traffic is malformed (and thus crafted...sometimes you can tell
what exploit programs someone is using).

Best of luck,

Pete

traef06 RAEF wrote:
I realize all these were blocked but I'm trying to learn about what they're 
searching for. Anyone with "useful" information please reply.

I see the source port is 53 and the dest port is in the higher 18100+ range.

What are they looking for?
Also drill down toward the bottom and see that this client started getting 
TCP FIN attempts to high ports.

This firewall has been operational for over a year and these just started 
yesterday.

Thank you in advance for all useful answers.

