[Dshield] UDP Port 58939

Brance Amussen :)_S brance at jhu.edu
Fri Jan 7 17:49:49 GMT 2005


Hi All, 

Anyone have any info on UDP port 58939 and any possible apps using it? 

I have a machine which is connecting to what seem to be random IPs on this
port. They return an answer and the connection is then dropped. The machine
then connects to another IP on this port, again gets an answer and moves on.

Seems a lot like a drone checking in and waiting for instruction. I have
connected from another machine using netcat to a couple of the machines the
offending machine has connected to, and have found the ports open. However,
no commands I enter are acknowledged. 

Below is a capture of a typical conversation: 


Internet Protocol, Src Addr: 10.0.5.25 (10.0.5.25), Dst Addr: 132.205.25.17 (132.205.25.17)
User Datagram Protocol, Src Port: 58939 (58939), Dst Port: 8781 (8781)
    Source port: 58939 (58939)
    Destination port: 8781 (8781)
    Length: 66
    Checksum: 0x847c (correct)
Data (58 bytes)

0000  00 50 54 ff 93 cd 00 04 23 98 b8 1e 08 00 45 00   .PT.....#.....E.
0010  00 56 f8 b0 00 00 80 11 94 ef 0a 00 05 19 84 cd   .V..............
0020  19 11 e6 3b 22 4d 00 42 84 7c 3f 5c 02 0b 6f 7a   ...;"M.B.|?\..oz
0030  12 81 9f 45 a9 5d 4d 3f 43 86 6c 41 d4 bb c9 31   ...E.]M?C.lA...1
0040  cb 8f 29 01 55 3c 81 6c ba 1c 30 ec df 0f dd 42   ..).U<.l..0....B
0050  b2 d9 0e 55 8b be 0a a0 61 ee ee 8a 69 dc 3f d6   ...U....a...i.?.
0060  df 68 7a bb                                       .hz.


Internet Protocol, Src Addr: 132.205.25.17 (132.205.25.17), Dst Addr: 10.0.5.25 (10.0.5.25)
User Datagram Protocol, Src Port: 8781 (8781), Dst Port: 58939 (58939)
    Source port: 8781 (8781)
    Destination port: 58939 (58939)
    Length: 36
    Checksum: 0x0fd7 (correct)
Data (28 bytes)

0000  00 04 23 98 b8 1e 00 50 54 ff 93 cd 08 00 45 00   ..#....PT.....E.
0010  00 38 79 f4 00 00 6e 11 25 ca 84 cd 19 11 0a 00   .8y...n.%.......
0020  05 19 22 4d e6 3b 00 24 0f d7 4c fa 02 08 7f 30   .."M.;.$..L....0
0030  1a 5a d5 ec d5 57 4b 55 5f 9e 9e c7 23 13 01 86   .Z...WKU_...#...
0040  28 06 59 34 b6 ee                                 (.Y4..


All of the initial communication starts with ".PT.....#.....E.", 
and the return always starts with "..#....PT.....E." 
This goes for all packets captured. 
The rest of the data in the communication varies, but I have only seen a
couple of packets in which the data exceeds 125 bytes; in fact that seems to
be the norm, but a number are smaller at 21 bytes, maybe a simpler
acknowledgment, like "yes you are already in my hosts list"? 

Any help is appreciated! 

Thx

Brance :)_S

____________________________________________

Brance Amussen 
Network/Systems Admin
Zanvyl Krieger Mind/Brain Institute
Johns Hopkins University
410.516.6167
brance{AT}jhu.edu 
____________________________________________
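Added example, not part of Brance's post: a small Python parser that walks the two frames quoted above, splits each into its Ethernet, IPv4 and UDP headers plus the application payload, and recomputes both the IP header checksum and the UDP checksum (pseudo-header included). The only input is the packet bytes transcribed from the post's hex dumps; nothing else is assumed. It shows that bytes 0-13 of each dump are the Ethernet header (the two MAC addresses and the 0x0800 IPv4 ethertype) and byte 14 is the IPv4 version/IHL octet 0x45, so the two constant 16-byte prefixes quoted in the post are link and network framing that swaps direction between request and reply, and the application data actually begins at byte 42. Stripping the headers this way, and confirming the checksums validate, is the first step before trying to fingerprint an unknown protocol from its payload.

```python
"""Split the two UDP frames quoted in the post into their Ethernet, IPv4 and
UDP headers plus application payload, and verify the IP and UDP checksums."""
import struct
from dataclasses import dataclass

# Both dumps transcribed from the post (offset and ASCII columns dropped).
# FRAME_OUT is 10.0.5.25 -> 132.205.25.17, FRAME_IN is the reply.
FRAME_OUT_HEX = """
00 50 54 ff 93 cd 00 04 23 98 b8 1e 08 00 45 00
00 56 f8 b0 00 00 80 11 94 ef 0a 00 05 19 84 cd
19 11 e6 3b 22 4d 00 42 84 7c 3f 5c 02 0b 6f 7a
12 81 9f 45 a9 5d 4d 3f 43 86 6c 41 d4 bb c9 31
cb 8f 29 01 55 3c 81 6c ba 1c 30 ec df 0f dd 42
b2 d9 0e 55 8b be 0a a0 61 ee ee 8a 69 dc 3f d6
df 68 7a bb
"""
FRAME_IN_HEX = """
00 04 23 98 b8 1e 00 50 54 ff 93 cd 08 00 45 00
00 38 79 f4 00 00 6e 11 25 ca 84 cd 19 11 0a 00
05 19 22 4d e6 3b 00 24 0f d7 4c fa 02 08 7f 30
1a 5a d5 ec d5 57 4b 55 5f 9e 9e c7 23 13 01 86
28 06 59 34 b6 ee
"""


@dataclass
class UdpFrame:
    dst_mac: str
    src_mac: str
    ethertype: int
    src_ip: str
    dst_ip: str
    ttl: int
    ip_checksum_ok: bool
    src_port: int
    dst_port: int
    udp_checksum_ok: bool
    payload_offset: int   # where application data starts inside the frame
    payload: bytes


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(hexdump: str) -> UdpFrame:
    raw = bytes.fromhex(hexdump)
    # Ethernet II header: 6-byte destination MAC, 6-byte source MAC, ethertype.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (raw[14] & 0x0F) * 4           # header length from the version/IHL octet
    ip_hdr = raw[14:14 + ihl]
    (_, _, _, _, _, ttl, proto, ip_csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != 17:
        raise ValueError("not UDP")
    # Recompute the IP header checksum with the checksum field (bytes 10-11) zeroed.
    ip_ok = internet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == ip_csum

    udp_start = 14 + ihl
    udp_hdr = raw[udp_start:udp_start + 8]
    src_port, dst_port, udp_len, udp_csum = struct.unpack("!HHHH", udp_hdr)
    payload = raw[udp_start + 8:udp_start + udp_len]
    # The UDP checksum covers a pseudo-header (addresses, zero, protocol, length),
    # the UDP header with its checksum field zeroed, and the payload.
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, proto, udp_len)
    udp_ok = internet_checksum(pseudo + udp_hdr[:6] + b"\x00\x00" + payload) == udp_csum

    return UdpFrame(_mac(dst_mac), _mac(src_mac), ethertype, _ip(src_ip), _ip(dst_ip),
                    ttl, ip_ok, src_port, dst_port, udp_ok, udp_start + 8, payload)


if __name__ == "__main__":
    for name, dump in (("out", FRAME_OUT_HEX), ("in", FRAME_IN_HEX)):
        f = parse_frame(dump)
        print(f"{name}: {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} "
              f"ttl={f.ttl} ip_csum_ok={f.ip_checksum_ok} udp_csum_ok={f.udp_checksum_ok}")
        print(f"  headers occupy bytes 0-{f.payload_offset - 1}; "
              f"payload is {len(f.payload)} bytes: {f.payload.hex()}")
```

Both checksums validate for both frames, which also confirms the dumps were pasted intact. The TTL values (128 outbound, 110 on the reply) and the 58- and 28-byte payloads are what is left to compare across captures once the 42 header bytes are set aside.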