[Dshield] UDP Port 58939

Brance Amussen :)_S brance at jhu.edu
Mon Jan 10 16:18:30 GMT 2005


Right, so that would explain the beginning, but what explains the rest??
Guess I should've had a V8....! Of course the first line is the src-dst mac..

Still, what is the rest.. Have a dump file if anyone is interested.. 
Thx

Brance :)_S 
 

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Joel Esler
Sent: Friday, January 07, 2005 2:59 PM
To: General DShield Discussion List
Subject: Re: [Dshield] UDP Port 58939

Brance, the reason all your packet dumps start and end with the same thing
is because the section of dump you are talking about

"0000  00 50 54 ff 93 cd 00 04 23 98 b8 1e 08 00 45 00   .PT.....#.....E."

is your source and destination MAC addresses, and the last two bytes (4500)
means IP layer 4, ip header length 20 (the 5)..  which is in almost every
packet in your network I guarantee..  :)

Joel Esler, GCIA

On Jan 7, 2005, at 12:49, Brance Amussen :))_S wrote:

>
> Hi All,
>
> Anyone have any info on UDP port 58939 and any possible apps using it??
>
> I have a machine which is connecting to what seem to be random IP's on 
> this port. They return an answer and the connection is then dropped. 
> The machine then connects to another IP on this port, again gets an 
> answer and moves on.
>
> Seems a lot like a drone checking in and waiting for instruction.. I 
> have connected from another machine using netcat to a couple of the 
> machines the offending machine has connected to, and have found the 
> ports open.
> However, no commands I enter are acknowledged.
>
> Below is a capture of a typical conversation..
>
>
> Internet Protocol, Src Addr: 10.0.5.25 (10.0.5.25), Dst Addr: 132.205.25.17 (132.205.25.17)
> User Datagram Protocol, Src Port: 58939 (58939), Dst Port: 8781 (8781)
>     Source port: 58939 (58939)
>     Destination port: 8781 (8781)
>     Length: 66
>     Checksum: 0x847c (correct)
> Data (58 bytes)
>
> 0000  00 50 54 ff 93 cd 00 04 23 98 b8 1e 08 00 45 00   .PT.....#.....E.
> 0010  00 56 f8 b0 00 00 80 11 94 ef 0a 00 05 19 84 cd   .V..............
> 0020  19 11 e6 3b 22 4d 00 42 84 7c 3f 5c 02 0b 6f 7a   ...;"M.B.|?\..oz
> 0030  12 81 9f 45 a9 5d 4d 3f 43 86 6c 41 d4 bb c9 31   ...E.]M?C.lA...1
> 0040  cb 8f 29 01 55 3c 81 6c ba 1c 30 ec df 0f dd 42   ..).U<.l..0....B
> 0050  b2 d9 0e 55 8b be 0a a0 61 ee ee 8a 69 dc 3f d6   ...U....a...i.?.
> 0060  df 68 7a bb                                       .hz.
>
>
> Internet Protocol, Src Addr: 132.205.25.17 (132.205.25.17), Dst Addr: 10.0.5.25 (10.0.5.25)
> User Datagram Protocol, Src Port: 8781 (8781), Dst Port: 58939 (58939)
>     Source port: 8781 (8781)
>     Destination port: 58939 (58939)
>     Length: 36
>     Checksum: 0x0fd7 (correct)
> Data (28 bytes)
>
> 0000  00 04 23 98 b8 1e 00 50 54 ff 93 cd 08 00 45 00   ..#....PT.....E.
> 0010  00 38 79 f4 00 00 6e 11 25 ca 84 cd 19 11 0a 00   .8y...n.%.......
> 0020  05 19 22 4d e6 3b 00 24 0f d7 4c fa 02 08 7f 30   .."M.;.$..L....0
> 0030  1a 5a d5 ec d5 57 4b 55 5f 9e 9e c7 23 13 01 86   .Z...WKU_...#...
> 0040  28 06 59 34 b6 ee                                 (.Y4..
>
>
> All of the initial communication starts with ".PT.....#.....E."
> And the return always starts with "..#....PT.....E."
> This goes for all packets captured..
> The rest of the data in the communication varies, but I have only seen 
> a couple of packets in which the data exceeds 125 bytes in fact that 
> seems to be the norm, but a number are smaller at 21 bytes, maybe a 
> simpler acknowledgment, Like "yes you are already in my hosts list".. 
> ?
>
> Any help is appreciated!
>
> Thx
>
> Brance :)_S
>
> ____________________________________________
>
> Brance Amussen
> Network/Systems Admin
> Zanvyl Krieger Mind/Brain Institute
> Johns Hopkins University
> 410.516.6167
> brance{AT}jhu.edu
> ____________________________________________
>

-------------- Sponsor Message ------------------------------------
SANS Intrusion Immersion Training: Orlando, FL, February 3-9th
http://www.sans.org/orlando05

_______________________________________________
send all posts to list at lists.dshield.org To change your subscription options
(or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
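Added example, not from this thread or from DShield: a small parser that walks the two frames Brance posted (the hex is copied from his dump above and is the only input; it is not a fresh capture) and labels the pieces Joel describes. The Ethernet header is the first 14 bytes (destination MAC, source MAC, EtherType 0x0800), the 0x45 byte is IPv4 with a 20-byte header, protocol 0x11 is UDP, and "the rest" Brance asks about is the UDP payload that follows the 8-byte UDP header (Wireshark's "Data (58 bytes)"). The example also reports a byte-entropy and printable-character ratio for that payload, the two quick checks a triage analyst would use to judge whether an unknown payload is text, structured, or opaque. It does not try to verify IP or UDP checksums from the posted bytes.

```python
import math
import struct

# Sample input, copied from the hex dumps in Brance's post (not re-captured).
# 10.0.5.25 is the machine he is worried about; 132.205.25.17 is one of the peers.
OUTBOUND_HEX = """
00 50 54 ff 93 cd 00 04 23 98 b8 1e 08 00 45 00
00 56 f8 b0 00 00 80 11 94 ef 0a 00 05 19 84 cd
19 11 e6 3b 22 4d 00 42 84 7c 3f 5c 02 0b 6f 7a
12 81 9f 45 a9 5d 4d 3f 43 86 6c 41 d4 bb c9 31
cb 8f 29 01 55 3c 81 6c ba 1c 30 ec df 0f dd 42
b2 d9 0e 55 8b be 0a a0 61 ee ee 8a 69 dc 3f d6
df 68 7a bb
"""
REPLY_HEX = """
00 04 23 98 b8 1e 00 50 54 ff 93 cd 08 00 45 00
00 38 79 f4 00 00 6e 11 25 ca 84 cd 19 11 0a 00
05 19 22 4d e6 3b 00 24 0f d7 4c fa 02 08 7f 30
1a 5a d5 ec d5 57 4b 55 5f 9e 9e c7 23 13 01 86
28 06 59 34 b6 ee
"""

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Text sits around 4-5, opaque data climbs towards 8,
    but a short payload is capped at log2(len(data)) no matter what it holds."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    """Share of bytes in the printable ASCII range 0x20..0x7e."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into Ethernet, IPv4 and UDP headers plus payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4, EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    # First IP byte: high nibble is the version, low nibble the header length in
    # 32-bit words, so 0x45 is IPv4 with a 20-byte header (Joel's "the 5").
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    total_len, ident, frag, ttl, proto, hdr_csum = struct.unpack("!HHHBBH", ip[2:12])
    if total_len > len(ip) or proto != IPPROTO_UDP:
        raise ValueError("not a complete UDP datagram")
    udp = ip[ihl:total_len]
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
    if ulen < 8 or ulen > len(udp):
        raise ValueError("bad UDP length")
    payload = udp[8:ulen]          # "the rest": everything after the UDP header
    return {
        "dst_mac": mac(frame[:6]), "src_mac": mac(frame[6:12]),
        "ip_header_len": ihl, "ttl": ttl, "protocol": proto,
        "src_ip": ipv4(ip[12:16]), "dst_ip": ipv4(ip[16:20]),
        "src_port": sport, "dst_port": dport, "udp_length": ulen,
        "payload": payload,
        "payload_entropy": shannon_entropy(payload),
        "printable_ratio": printable_ratio(payload),
    }


def analyze_posted_exchange() -> tuple:
    """Parse the request and the reply from the post; returns (request, reply)."""
    return parse_frame(bytes.fromhex(OUTBOUND_HEX)), parse_frame(bytes.fromhex(REPLY_HEX))


if __name__ == "__main__":
    for label, pkt in zip(("request", "reply"), analyze_posted_exchange()):
        print(f"{label}: {pkt['src_mac']} -> {pkt['dst_mac']}, "
              f"{pkt['src_ip']}:{pkt['src_port']} -> {pkt['dst_ip']}:{pkt['dst_port']}, "
              f"ttl {pkt['ttl']}, udp len {pkt['udp_length']}, payload {len(pkt['payload'])} B, "
              f"entropy {pkt['payload_entropy']:.2f} b/B, printable {pkt['printable_ratio']:.0%}")
```

Run as-is it shows why every frame in the dump opens the same way: the fixed part is the two MAC addresses, the EtherType and the 0x4500 of the IP header, which any IPv4 capture on the same segment will share. The payloads are 58 and 28 bytes, fewer than half of their bytes are printable, and their entropy sits close to the maximum a payload that short can reach, so there is no readable protocol to pick out by eye; the next defensive step is correlating the destination IPs and port 8781 against flow logs and other hosts rather than staring at the bytes.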



