[Dshield] UDP Port 58939

J esler at knology.net
Mon Jan 10 18:49:55 GMT 2005


You are always welcome to send dump files to us GCIA types, we live to
packet m0nkey.

;)

Joel Esler, GCIA

On Mon, 10 Jan 2005 11:18:30 -0500, "Brance Amussen :\)_S" <brance at jhu.edu>
wrote:

> Right, so that would explain the beginning but what explains the rest?? 
> Guess I should've had a V8....! Of course the first line is the src-dst mac..
> 
> Still, what is the rest.. Have a dump file if anyone is interested.. 
> Thx
> 
> Brance :)_S 
>  
> 
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> On Behalf Of Joel Esler
> Sent: Friday, January 07, 2005 2:59 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] UDP Port 58939
> 
> Brance, the reason all your packet dumps start and end with the same thing
> is because the section of dump you are talking about
> 
> "0000  00 50 54 ff 93 cd 00 04 23 98 b8 1e 08 00 45 00   .PT.....#.....E."
> 
> are your source and destination mac addresses, and the last two bytes (4500)
> mean IP layer 4, ip header length 20 (the 5)..  which is in almost every
> packet in your network I guarantee..  :)
> 
> Joel Esler, GCIA
> 
> On Jan 7, 2005, at 12:49, Brance Amussen :))_S wrote:
> 
> >
> > Hi All,
> >
> > Anyone have any info on UDP port 58939 and any possible apps using it??
> >
> > I have a machine which is connecting to what seem to be random IP's on 
> > this port. They return an answer and the connection is then dropped. 
> > The machine then connects to another IP on this port, again gets an 
> > answer and moves on.
> >
> > Seems a lot like a drone checking in and waiting for instruction.. I 
> > have connected from another machine using netcat to a couple of the 
> > machines the offending machine has connected to, and have found the 
> > ports open.
> > However, no commands I enter are acknowledged.
> >
> > Below is a capture of a typical conversation..
> >
> >
> > Internet Protocol, Src Addr: 10.0.5.25 (10.0.5.25), Dst Addr: 132.205.25.17 (132.205.25.17)
> > User Datagram Protocol, Src Port: 58939 (58939), Dst Port: 8781 (8781)
> >     Source port: 58939 (58939)
> >     Destination port: 8781 (8781)
> >     Length: 66
> >     Checksum: 0x847c (correct)
> > Data (58 bytes)
> >
> > 0000  00 50 54 ff 93 cd 00 04 23 98 b8 1e 08 00 45 00   .PT.....#.....E.
> > 0010  00 56 f8 b0 00 00 80 11 94 ef 0a 00 05 19 84 cd   .V..............
> > 0020  19 11 e6 3b 22 4d 00 42 84 7c 3f 5c 02 0b 6f 7a   ...;"M.B.|?\..oz
> > 0030  12 81 9f 45 a9 5d 4d 3f 43 86 6c 41 d4 bb c9 31   ...E.]M?C.lA...1
> > 0040  cb 8f 29 01 55 3c 81 6c ba 1c 30 ec df 0f dd 42   ..).U<.l..0....B
> > 0050  b2 d9 0e 55 8b be 0a a0 61 ee ee 8a 69 dc 3f d6   ...U....a...i.?.
> > 0060  df 68 7a bb                                       .hz.
> >
> >
> > Internet Protocol, Src Addr: 132.205.25.17 (132.205.25.17), Dst Addr: 10.0.5.25 (10.0.5.25)
> > User Datagram Protocol, Src Port: 8781 (8781), Dst Port: 58939 (58939)
> >     Source port: 8781 (8781)
> >     Destination port: 58939 (58939)
> >     Length: 36
> >     Checksum: 0x0fd7 (correct)
> > Data (28 bytes)
> >
> > 0000  00 04 23 98 b8 1e 00 50 54 ff 93 cd 08 00 45 00   ..#....PT.....E.
> > 0010  00 38 79 f4 00 00 6e 11 25 ca 84 cd 19 11 0a 00   .8y...n.%.......
> > 0020  05 19 22 4d e6 3b 00 24 0f d7 4c fa 02 08 7f 30   .."M.;.$..L....0
> > 0030  1a 5a d5 ec d5 57 4b 55 5f 9e 9e c7 23 13 01 86   .Z...WKU_...#...
> > 0040  28 06 59 34 b6 ee                                 (.Y4..
> >
> >
> > All of the initial communication starts with ".PT.....#.....E."
> > And the return always starts with "..#....PT.....E."
> > This goes for all packets captured..
> > The rest of the data in the communication varies, but I have only seen 
> > a couple of packets in which the data exceeds 125 bytes; in fact that 
> > seems to be the norm, but a number are smaller at 21 bytes, maybe a 
> > simpler acknowledgment, like "yes you are already in my hosts list".. ?
> >
> > Any help is appreciated!
> >
> > Thx
> >
> > Brance :)_S
> >
> > ____________________________________________
> >
> > Brance Amussen
> > Network/Systems Admin
> > Zanvyl Krieger Mind/Brain Institute
> > Johns Hopkins University
> > 410.516.6167
> > brance{AT}jhu.edu
> > ____________________________________________
> >
> > -------------- Sponsor Message ------------------------------------
> > SANS Intrusion Immersion Training: Orlando, FL, February 3-9th
> > http://www.sans.org/orlando05
> >
> > _______________________________________________
> > send all posts to list at lists.dshield.org To change your subscription 
> > options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> >
> 
> 
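An added example (not from the thread) in Python that decodes the first frame from Brance's dump exactly as Joel describes it: the first 14 bytes are the Ethernet destination and source MACs plus the 0x0800 EtherType, 0x45 is IPv4 with a 20-byte header, and only after that do the UDP ports 58939 and 8781 appear. It also verifies the IPv4 header checksum, a quick sanity check that a dump was captured and transcribed cleanly; the hex columns are copied from the post.

```python
import struct

# Frame 1 from the original post (hex columns only, ASCII column dropped):
# the 10.0.5.25 -> 132.205.25.17 datagram.
FRAME_1_DUMP = """\
0000  00 50 54 ff 93 cd 00 04 23 98 b8 1e 08 00 45 00
0010  00 56 f8 b0 00 00 80 11 94 ef 0a 00 05 19 84 cd
0020  19 11 e6 3b 22 4d 00 42 84 7c 3f 5c 02 0b 6f 7a
0030  12 81 9f 45 a9 5d 4d 3f 43 86 6c 41 d4 bb c9 31
0040  cb 8f 29 01 55 3c 81 6c ba 1c 30 ec df 0f dd 42
0050  b2 d9 0e 55 8b be 0a a0 61 ee ee 8a 69 dc 3f d6
0060  df 68 7a bb
"""

def dump_to_bytes(dump: str) -> bytes:
    """Convert 'offset  hh hh ...' lines into raw frame bytes."""
    out = bytearray()
    for line in dump.splitlines():
        out.extend(int(h, 16) for h in line.split()[1:])  # drop the offset column
    return bytes(out)

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when the header checksum is valid."""
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_frame(frame: bytes) -> dict:
    """Peel the Ethernet, IPv4 and UDP headers off a raw frame."""
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], int.from_bytes(frame[12:14], "big")
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4              # the '5' in 0x45 -> 20-byte IP header
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if ip[0] >> 4 != 4 or proto != 17:    # 0x11 = UDP
        raise ValueError("expected IPv4/UDP")
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "ihl": ihl, "ttl": ip[8], "ip_csum_ok": ip_checksum(ip[:ihl]) == 0,
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "udp_len": ulen,
        "payload": ip[ihl + 8:total_len],  # the 58 data bytes the post mentions
    }

if __name__ == "__main__":
    for k, v in decode_frame(dump_to_bytes(FRAME_1_DUMP)).items():
        print(f"{k:>11}: {v.hex() if k == 'payload' else v}")
```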